[keycloak-dev] client query caches getting complicated
Bill Burke
bburke at redhat.com
Thu Feb 18 08:53:34 EST 2016
On 2/18/2016 2:07 AM, Stian Thorgersen wrote:
> Having too many joins (fetching everything about a realm in one query)
> is probably going to be bad for performance, especially if there are
> loads of clients and roles. There can also be a large difference between
> different vendors.
>
> Another thing in the future we should separate clients out into a
> separate store. There could be thousands of clients or even more. So
> they should be treated in a similar fashion to users. Does that have
> impact on how we improve/refactor/fix caching now?
>
As I said before, OIDC logout queries *ALL* clients to obtain a list of
valid redirects to compare against the redirect-uri passed to the logout
endpoint. That's about the only very frequent, non-administrative
function that requires obtaining a list of all clients. We also really
need a way to figure out if a realm invalidation is the result of the
realm being removed or just updated. Otherwise, you'll be evicting
thousands of clients and other realm related items every time a realm is
updated. Actually, maybe we're better off not evicting clients on a
realm removal, and just registering invalidations for every client in
the realm instead.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com