Thanks for your reply and the links. Offline tokens don't really apply in
this use case, since there aren't any offline operations that are happening
when the user isn't active, and we'd need the
I'd imagine if the tokens are somewhat permanent in nature, with such a
long lived timeout, that infinispan + backing store can still be used just
as L1/L2 caches.
Loading them all into main memory makes the remote store somewhat useless
- unless the purpose of the remote stores is for coordination and cluster
synchronization, and not for performance reasons.
However, I strongly suspect we are not configuring things correctly. For
example, we did not set the `Revoke Refresh Token` flag to true, so a new
refresh token was always issued and kept around. That would probably help.
For reference, here are the other timeout settings that I have configured:
SSO Session Idle = 30 days
SSO Session Max = 1825 days
No "remember me" values set
Offline Session Idle = 30 days
Access Token Lifespan = 20 minutes
Access Token Lifespan For Implicit Flow = 15 minutes
Thanks again,
DKD
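The configuration quoted further down this thread is the concrete thing under discussion, so here is a small audit script for it. This is an added example, not code from the thread or from Keycloak; the XML sample is constructed from the quoted standalone-ha.xml caches, and the checks (memory bound versus expected entries, presence of a remote-store, preload flag) are my own reading of what the discussion turns on.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two caches quoted in the thread, wrapped in a root element.
SAMPLE_CONFIG = """<cache-container name="keycloak">
  <replicated-cache name="sessions" statistics-enabled="true">
    <state-transfer timeout="600000"/>
    <object-memory size="400000"/>
    <remote-store remote-servers="infinispan-socket" cache="sessions"
                  passivation="false" shared="true" purge="false" preload="false">
      <property name="rawValues">true</property>
      <property name="marshaller">org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>
    </remote-store>
  </replicated-cache>
  <replicated-cache name="clientSessions" statistics-enabled="true">
    <state-transfer timeout="600000"/>
    <object-memory size="400000"/>
    <remote-store remote-servers="infinispan-socket" cache="clientSessions"
                  passivation="false" shared="true" purge="false" preload="false">
      <property name="rawValues">true</property>
      <property name="marshaller">org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>
    </remote-store>
  </replicated-cache>
</cache-container>"""

# The two caches the thread is about (cache names as used by Keycloak 4.x).
SESSION_CACHES = ("sessions", "clientSessions")


def audit_session_caches(xml_text, expected_entries):
    """Return {cache name: [finding, ...]}; an empty list means nothing stood out."""
    root = ET.fromstring(xml_text)
    report = {}
    for cache in root.iter("replicated-cache"):
        name = cache.get("name")
        if name not in SESSION_CACHES:
            continue
        findings = []
        mem = cache.find("object-memory")
        if mem is None or mem.get("size") is None:
            findings.append("no object-memory bound: every entry stays on the heap")
        elif int(mem.get("size")) < expected_entries:
            findings.append(f"memory bound {mem.get('size')} is below expected {expected_entries} entries")
        store = cache.find("remote-store")
        if store is None:
            findings.append("no remote-store: entries live only on the Keycloak nodes' heaps")
        elif store.get("preload", "false") == "true":
            findings.append("preload=true reads the whole remote cache into memory at startup")
        report[name] = findings
    return report
```

Run it against a real standalone-ha.xml by passing the `<cache-container>` element's text and the session count you expect to hold.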
On Mon, May 6, 2019 at 3:02 PM Olivier Rivat <orivat(a)janua.fr> wrote:
Hi,
I am surprised to see you having to consider that many sessions with a
session lifetime span of about 8 months.
All the sessions are piling up, and at the end, as you mention, you can
end up with about 1 million sessions with scalability issues.
I am wondering if you don't have a design issue.
A normal session is 10h, and the session idle timeout is about 30mn.
Keycloak provides offline tokens that can last 30 days, but this could be
extended to much more (8 months - a year).
Offline token handling will allow your application to generate new
access tokens (very short lifespan) without having the need to
reauthenticate.
I guess it should fulfill your needs.
see also:
http://www.janua.fr/examples-of-offline-token-usage-in-keycloak/
http://www.janua.fr/understanding-token-usage-in-keycloak/
Regards,
Olivier Rivat
On 03/05/2019 at 19:53, Dev Doongoor wrote:
> Hello,
>
> I am looking for help regarding having Keycloak accommodate roughly a
> million, long-lived sessions.
> My setup: I have an externalized infinispan cluster which houses the
> clientSessions and sessions caches, and using Keycloak 4.8.0.
> The infinispan cluster can hold that many entries in each cache, however it
> seems Keycloak itself struggles with this.
> When I restart Keycloak (for whatever reason), it seems to attempt to load
> all sessions from infinispan into memory, which to me seems counter
> intuitive to using an externalized cache system.
> Unless I give Keycloak enough RAM to handle 1 million or so sessions, it
> seems like I would have to clear all session data in order for the
> application to start up again.
> Also, session lifetime is expected to be 8 months to a year.
>
> My standalone-ha.xml for cache configuration looks like this:
>
> <replicated-cache name="sessions" statistics-enabled="true">
>     <state-transfer timeout="600000" />
>     <object-memory size="400000" />
>     <remote-store remote-servers="infinispan-socket" passivation="false" cache="sessions" shared="true" purge="false" preload="false">
>         <property name="rawValues">true</property>
>         <property name="marshaller">org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>
>     </remote-store>
> </replicated-cache>
>
> <replicated-cache name="clientSessions" statistics-enabled="true">
>     <state-transfer timeout="600000" />
>     <object-memory size="400000" />
>     <remote-store remote-servers="infinispan-socket" cache="clientSessions" passivation="false" shared="true" purge="false" preload="false">
>         <property name="rawValues">true</property>
>         <property name="marshaller">org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>
>     </remote-store>
> </replicated-cache>
>
> Is this correct? Is there a more efficient way to handle this?
>
> Thanks in advance,
>
> DKD
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Olivier Rivat
CTO
orivat(a)janua.fr
Gsm: +33(0)682 801 609
Tel: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr