[keycloak-dev] client query caches getting complicated
Bill Burke
bburke at redhat.com
Thu Feb 18 09:03:36 EST 2016
On 2/18/2016 8:56 AM, Stian Thorgersen wrote:
>
>
> On 18 Feb 2016 13:53, "Bill Burke" <bburke at redhat.com
> <mailto:bburke at redhat.com>> wrote:
> >
> >
> >
> > On 2/18/2016 2:07 AM, Stian Thorgersen wrote:
> >>
> >> Having too many joins (fetching everything about a realm in one
> query) is probably going to be bad for performance, especially if
> there are loads of clients and roles. There can also be a large
> difference between different vendors.
> >>
> >> Another thing in the future we should separate clients out into a
> separate store. There could be thousands of clients or even more. So
> they should be treated in a similar fashion to users. Does that have
> impact on how we improve/refactor/fix caching now?
> >>
> >
> > As I said before, OIDC logout queries *ALL* clients to obtain a list
> of valid redirects to compare against the redirect-uri passed to the
> logout endpoint. That's about the only very frequent,
> non-administrative function that requires obtaining a list of all
> clients. We also really need a way to figure out if a realm
> invalidation is the result of the realm being removed or just
> updated. Otherwise, you'll be evicting thousands of clients and other
> realm related items every time a realm is updated. Actually, maybe
> we're better off not evicting clients on a realm removal, and just
> registering invalidations for every client in the realm instead.
>
> Why does OIDC logout need to list all clients? It used to just get the
> clients that had client sessions for the specific user session.
>
> >
>
The OIDC logout endpoint has a redirect_uri parameter which tells keycloak
where to redirect *after* logout happens. This redirect_uri needs to be
checked. We may or may not know who initiated the logout request based
on the "id_token_hint" parameter, nor is it guaranteed that the
redirect-uri is in the list of clients that are part of the session.
This is one of the reasons why I wanted to create a generic query
cache. I could cache this list of redirect uri patterns and not load
every client.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
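To make the idea in this thread concrete, here is an added, self-contained Python model of a per-realm "redirect pattern" query cache that is not Keycloak code and uses none of its APIs. It assumes a toy client store (`ClientStore`, constructed for the example) and the trailing-`*` wildcard convention for redirect URIs; it shows the post-logout redirect_uri check running against the cached union of all clients' patterns instead of scanning every client on each logout, and it distinguishes a realm update (entry kept) from a realm removal or a client change (entry dropped).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Client:
    """Constructed stand-in for a registered client: id plus its redirect URI patterns."""
    client_id: str
    redirect_uris: List[str]


class ClientStore:
    """Toy persistence layer (assumption, not Keycloak's model).
    Counts full-realm client scans so the effect of the cache is visible."""

    def __init__(self) -> None:
        self.by_realm: Dict[str, Dict[str, Client]] = {}
        self.full_scans = 0

    def add(self, realm: str, client: Client) -> None:
        self.by_realm.setdefault(realm, {})[client.client_id] = client

    def all_clients(self, realm: str) -> List[Client]:
        # This is the expensive "load every client" query the thread wants to avoid per logout.
        self.full_scans += 1
        return list(self.by_realm.get(realm, {}).values())


# One cache entry per realm: exact URIs in a set, wildcard patterns as prefixes.
Entry = Tuple[frozenset, Tuple[str, ...]]


class RedirectPatternCache:
    """Query cache holding the union of redirect URI patterns of all clients in a realm."""

    def __init__(self, store: ClientStore) -> None:
        self.store = store
        self._entries: Dict[str, Entry] = {}

    def _load(self, realm: str) -> Entry:
        exact = set()
        prefixes: List[str] = []
        for client in self.store.all_clients(realm):
            for pattern in client.redirect_uris:
                if pattern.endswith("*"):
                    prefixes.append(pattern[:-1])  # trailing '*' means prefix match
                else:
                    exact.add(pattern)
        entry: Entry = (frozenset(exact), tuple(prefixes))
        self._entries[realm] = entry
        return entry

    def patterns(self, realm: str) -> Entry:
        cached: Optional[Entry] = self._entries.get(realm)
        return cached if cached is not None else self._load(realm)

    def invalidate_client(self, realm: str, client_id: str) -> None:
        # A client was added/updated/removed: only this realm's aggregated entry is stale.
        self._entries.pop(realm, None)

    def on_realm_event(self, realm: str, removed: bool) -> None:
        # A realm *update* (e.g. display name) does not change any client's redirect
        # patterns, so the entry is kept; only a realm *removal* drops it.
        if removed:
            self._entries.pop(realm, None)


def is_valid_post_logout_redirect(cache: RedirectPatternCache, realm: str, uri: str) -> bool:
    """Check the logout redirect_uri against every registered pattern in the realm,
    independent of which clients took part in the user's session."""
    exact, prefixes = cache.patterns(realm)
    if uri in exact:
        return True
    return any(uri.startswith(prefix) for prefix in prefixes)


if __name__ == "__main__":
    store = ClientStore()
    store.add("demo", Client("app", ["https://app.example.test/cb", "https://app.example.test/*"]))
    store.add("demo", Client("other", ["https://other.example.test/logout"]))
    cache = RedirectPatternCache(store)
    print(is_valid_post_logout_redirect(cache, "demo", "https://app.example.test/done"))
    print(is_valid_post_logout_redirect(cache, "demo", "https://evil.example.test/"))
    print("full client scans:", store.full_scans)
```

Each logout then costs a set lookup plus a scan of the (usually short) wildcard list rather than a query over thousands of client rows; the price is one rebuild of the realm's entry whenever any client in that realm changes, which is the trade-off the per-client invalidation in the thread is about. Note that a bare `*` pattern becomes an empty prefix and therefore admits any URI, so wildcards should be registered only behind a fixed scheme, host and path.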