[keycloak-dev] sticky sessions for UserSession

Stian Thorgersen stian at redhat.com
Tue Sep 23 09:16:37 EDT 2014


Another issue with sticky sessions is that it would be difficult to implement queries (retrieve all user sessions and client sessions), remove expired sessions, etc..

----- Original Message -----
> From: "Stian Thorgersen" <stian at redhat.com>
> To: "Marek Posolda" <mposolda at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Tuesday, 23 September, 2014 12:29:21 PM
> Subject: Re: [keycloak-dev] sticky sessions for UserSession
> 
> I don't like the idea of introducing a sticky session, also I'd prefer if we
> could at least provide the illusion of Keycloak being stateless.
> 
> Some issues with sticky sessions:
> 
> 1) Load balancer needs session cookie to make requests from browser sticky
> 2) Also need to make requests from clients "sticky", either by a cookie or by
> having clients go to a specific url (latter means exposing internal nodes as
> well as load balancer)
> 3) Doesn't increase availability - in that case we still need some
> replication
> 
> An alternative solution is to have the user session provider deal with this.
> I propose we use Infinispan to provide a clustered and sharded in-memory
> store for user sessions. This means that Keycloak itself doesn't store
> user-sessions in-memory, but instead delegates this to Infinspan. It also
> means that if someone really wants to persist user sessions they still can
> (using clustered relational db, or a sharded mongodb).
> 
> With that in mind the stages involved in developing clustering support would
> be:
> 
> 1) Use JPA (or Mongo) stores for everything with no caches
> 2) Use Docker to easily create a cluster (multiple Keycloak instances and
> Apache load balancer) for testing
> 3) Create a cluster testsuite
> 4) Enable realm cache - using jgroups to send cache invalidation messages
> (messages are signed with realm key and contain no sensitive data, only id
> that is invalidated, so doesn't need to be encrypted)
> 5) Enable user cache - same as 4, but for users
> 6) Infinispan User Session provider
>    6.1) No replication or sharding
>    6.2) Replicated for availability
>    6.3) Sharded for scalability
> 
> This would support any load balancer (where the load balancer is the only
> externally visible url) and a cluster of Keycloak servers. Any Keycloak
> server can process any request. In non-clustered config we can use a single
> in-memory Infinispan cache to retrieve user sessions from (so there's no
> need to maintain a separate in-mem user session store). For increasing
> availability we can have multiple Infinispan nodes that replicates all user
> sessions. Finally, for increased scalability Infinispan would shard on
> user-session-id.
> 
> ----- Original Message -----
> > From: "Marek Posolda" <mposolda at redhat.com>
> > To: "Bill Burke" <bburke at redhat.com>, keycloak-dev at lists.jboss.org
> > Sent: Tuesday, 23 September, 2014 9:09:21 AM
> > Subject: Re: [keycloak-dev] sticky sessions for UserSession
> > 
> > I think that generally there are 2 main purposes of clustering:
> > a) scalability and better performance (ideally n-times better
> > performance with n nodes in cluster)
> > b) failover
> > 
> > With in-memory session you will achieve (a), but (b) won't be addressed.
> > So if you have 2 keycloak nodes and you kill node-1, then all
> > UserSessions on node-1 will be lost and users would need to relogin. IMO
> > Sticky sessions are good, but there is still need to replicate sessions
> > (at least to 1 additional cluster node) if you want to address failover.
> > Or am I just not understand correctly what you meant?
> > 
> > Marek
> > 
> > On 22.9.2014 22:14, Bill Burke wrote:
> > > Was thinking about clustering.  Sticky sessions combined with in-memory
> > > only UserSessions might be best for clustering.  We'll need to change
> > > access code processing so that it is a) signed and b) contains the
> > > callback URL.  In looking at SAML, it jsut seems we need to have the
> > > notion of an HttpSession and the idea of loading this session from a
> > > database (or even a clustered cache) doesn't seem very feasible or
> > > scalable.
> > 
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > 
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 


More information about the keycloak-dev mailing list