I've sent PR
https://github.com/keycloak/keycloak/pull/4248 for moving
ClientInitialAccessModel from userSessionProvider (infinispan) to the realm
model (db). This has advantages like:
- Client initial access tokens will remain persistent among server restarts
- There won't be issues in cross-dc environment
Regarding functionality, nothing is changed. The admin console and admin
REST endpoints still have the same behaviour. remainingCount is still
decreased during each client registration like before. The only
change is that server restarts will just work :)
I didn't add support for export/import of client initial access token
models. I was thinking about possible issues like:
- The admin creates the initial token with 3 counters
- Export is done
- Then the token is used to register 3 clients, which de facto makes the token
expired
- After realm re-import, the token will be back again with 3 attempts,
which is likely not what the admin wants.
Also I didn't add support for caching. The reason is that there is just a
small amount of tokens. Also there is almost the same amount of writes and
reads to ClientInitialAccessModel, as every client registration needs to
decrease the counter and update the DB. With caching enabled, there will be lots
of additional overhead needed to send an invalidation message to all
cluster nodes in all DCs during every write, which likely won't help
with performance, but rather the opposite.
WDYT?
Marek