[keycloak-dev] Offline tokens - step 1
Marek Posolda
mposolda at redhat.com
Wed Sep 23 09:44:46 EDT 2015
On 23/09/15 15:01, Bill Burke wrote:
>> This is not very performant for the
>> UserFederationProviders with "constant" data. For example if you have
>> LDAP when data wasn't changed at all during last year, you don't need to
>> always call LDAPFederationProvider.validate and constantly ask LDAP if
>> user still exists there. So instead you will put cache provider on top
>> and UserFederationManager under it.
>>
>
> That's not how it works. Cache is always queried first, isn't it?

Nope. Now session.users() always returns UserFederationManager and this
one delegates to cache. So when you have LDAP user john, the invocation
of session.users().getUserByUsername("john") invokes
federationProvider.validate and queries LDAP. Not really ideal when
people have "constant" data in their LDAP or their own federation
providers based on a legacy database with constant data.

I've added per-request cache to UserFederationManager, so you don't have
15 federationProvider invocations per request, but just 2 or 3. However
the possibility to chain cache on top will be an even better option for
some environments.

Marek
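
The two lookup orders discussed in this message, as an added example that is not part of the original mail and is not Keycloak code: a simplified Java model that counts LDAP validations and shows what each order returns once the entry is deleted from LDAP. All class names are hypothetical, the sample user is constructed, and the model assumes one validation per request where the mail reports 2 or 3.

```java
import java.util.*;

public class LookupOrderDemo { // simplified model, hypothetical names, not Keycloak's code
    interface Users { Optional<String> getUserByUsername(String name); }

    // Stand-in for an LDAP-backed federation provider; counts round trips.
    static class Ldap {
        final Set<String> entries = new HashSet<>(List.of("john")); // constructed sample
        int validations = 0;
        boolean validate(String name) { validations++; return entries.contains(name); }
    }

    // Order described in the mail: validate on lookup, memoized per request.
    static class Manager implements Users {
        final Ldap ldap;
        final Map<String, Boolean> perRequest = new HashMap<>();
        Manager(Ldap ldap) { this.ldap = ldap; }
        void beginRequest() { perRequest.clear(); }
        public Optional<String> getUserByUsername(String name) {
            boolean ok = perRequest.computeIfAbsent(name, ldap::validate);
            return ok ? Optional.of(name) : Optional.empty();
        }
    }

    // Alternative order: a long-lived cache chained on top of the manager.
    static class CacheOnTop implements Users {
        final Users below;
        final Set<String> cached = new HashSet<>();
        CacheOnTop(Users below) { this.below = below; }
        public Optional<String> getUserByUsername(String name) {
            if (!cached.contains(name)) below.getUserByUsername(name).ifPresent(cached::add);
            return cached.contains(name) ? Optional.of(name) : Optional.empty();
        }
    }

    // Three requests of 15 lookups each, then the entry is deleted from LDAP.
    static String run(boolean cacheOnTop) {
        Ldap ldap = new Ldap();
        Manager manager = new Manager(ldap);
        Users users = cacheOnTop ? new CacheOnTop(manager) : manager;
        for (int request = 0; request < 3; request++) {
            manager.beginRequest();
            for (int i = 0; i < 15; i++) users.getUserByUsername("john");
        }
        int calls = ldap.validations;
        ldap.entries.remove("john");
        manager.beginRequest();
        return "validations=" + calls + ", servedAfterDelete=" + users.getUserByUsername("john").isPresent();
    }
    public static void main(String[] args) {
        System.out.println("manager first: " + run(false) + "\ncache on top:  " + run(true));
    }
}
```

The cache-on-top order saves the repeated LDAP round trips, but in this model it keeps returning the deleted user until the cached entry is evicted, so that order needs an eviction or expiry policy when the directory is not actually constant.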