[keycloak-dev] client query caches getting complicated

Bill Burke bburke at redhat.com
Thu Feb 18 14:44:07 EST 2016


I was thinking about this a bit more.  On a DB removal, you actually 
don't care if "child" elements don't get evicted from the cache. For 
example, if a realm gets removed, you don't care if clients get removed 
from cache or not because they will never be looked up again.  
Eventually eviction policies will trigger and the old irrelevant cache 
items will be gone.

On 2/18/2016 9:03 AM, Bill Burke wrote:
>
>
> On 2/18/2016 8:56 AM, Stian Thorgersen wrote:
>>
>>
>> On 18 Feb 2016 13:53, "Bill Burke" <bburke at redhat.com 
>> <mailto:bburke at redhat.com>> wrote:
>> >
>> >
>> >
>> > On 2/18/2016 2:07 AM, Stian Thorgersen wrote:
>> >>
>> >> Having too many joins (fetching everything about a realm in one 
>> query) is probably going to be bad for performance, especially if 
>> there are loads of clients and roles. There can also be a large 
>> difference between different vendors.
>> >>
>> >> Another thing in the future we should separate clients out into a 
>> separate store. There could be thousands of clients or even more. So 
>> they should be treated in a similar fashion to users. Does that have 
>> impact on how we improve/refactor/fix caching now?
>> >>
>> >
>> > As I said before, OIDC logout queries *ALL* clients to obtain a 
>> list of valid redirects to compare against the redirect-uri passed to 
>> the logout endpoint.  That's about the only very frequent, 
>> non-administrative function that requires obtaining a list of all 
>> clients.  We also really need a way to figure out if a realm 
>> invalidation is the result of the realm being removed or just 
>> updated.  Otherwise, you'll be evicting thousands of clients and 
>> other realm related items every time a realm is updated.  Actually, 
>> maybe we're better off not evicting clients on a realm removal, and 
>> just registering invalidations for every client in the realm instead.
>>
>> Why does OIDC logout need to list all clients? It used to just get 
>> the clients that had client sessions for the specific user session.
>>
>> >
>>
> OIDC logout endpoint has a redirect_uri parameter which tells keycloak 
> where to redirect *after* logout happens.  This redirect_uri needs to 
> be checked.  We may or may not know who initiated the logout request 
> based on the "id_token_hint" parameter, nor is it guaranteed that the 
> redirect-uri is in the list of clients that are part of the session.
>
> This is one of the reasons why I wanted to create a generic query 
> cache.  I could cache this list of redirect uri patterns and not load 
> every client.
>
> -- 
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
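The design the thread is circling, as an added Python sketch rather than Keycloak's own code: a realm-scoped query cache that holds the aggregated redirect-URI patterns used to check the post-logout `redirect_uri`, is dropped whenever any client in that realm changes, and on realm removal evicts only the realm-level entry, leaving cached client objects for TTL eviction instead of scanning and evicting them one by one. The in-memory store, the manually advanced clock, the 300 s TTL and the suffix-`*` wildcard matching are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass
class Client:
    client_id: str
    realm: str
    redirect_uris: tuple


class ClientStore:
    """Constructed stand-in for the database: realm name -> {client_id: Client}."""

    def __init__(self):
        self.realms = {}

    def add_realm(self, name):
        self.realms[name] = {}

    def remove_realm(self, name):
        del self.realms[name]

    def put_client(self, client):
        self.realms[client.realm][client.client_id] = client

    def clients_of(self, realm):
        return list(self.realms[realm].values())


class FakeClock:
    """Manually advanced clock so TTL eviction is deterministic in the example."""

    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


class RealmCache:
    """Per-client entries plus one aggregated redirect-pattern entry per realm."""

    def __init__(self, store, clock, ttl=300.0):
        self.store, self.clock, self.ttl = store, clock, ttl
        self.clients = {}        # (realm, client_id) -> (Client, stored_at)
        self.patterns = {}       # realm -> (tuple of patterns, stored_at)
        self.pattern_loads = 0   # full "all clients of realm" scans performed

    def _fresh(self, entry):
        return entry is not None and self.clock() - entry[1] <= self.ttl

    def get_client(self, realm, client_id):
        key = (realm, client_id)
        entry = self.clients.get(key)
        if not self._fresh(entry):
            entry = (self.store.realms[realm][client_id], self.clock())
            self.clients[key] = entry
        return entry[0]

    def redirect_patterns(self, realm):
        # The expensive query (every client of the realm) runs only on a miss.
        entry = self.patterns.get(realm)
        if not self._fresh(entry):
            pats = tuple(u for c in self.store.clients_of(realm) for u in c.redirect_uris)
            entry = (pats, self.clock())
            self.patterns[realm] = entry
            self.pattern_loads += 1
        return entry[0]

    def on_client_changed(self, realm, client_id):
        # Any client add/update/remove changes the aggregate, so drop the realm's query entry.
        self.clients.pop((realm, client_id), None)
        self.patterns.pop(realm, None)

    def on_realm_removed(self, realm):
        # No cascade: cached clients of a removed realm are never looked up again,
        # so they are left for evict_expired() instead of being scanned and evicted here.
        self.patterns.pop(realm, None)

    def evict_expired(self):
        for table in (self.clients, self.patterns):
            for key in [k for k, e in table.items() if not self._fresh(e)]:
                del table[key]


def matches_pattern(uri, pattern):
    # Assumed semantics: exact match, or prefix match when the pattern ends in '*'.
    return uri.startswith(pattern[:-1]) if pattern.endswith("*") else uri == pattern


def is_valid_post_logout_redirect(cache, realm, redirect_uri):
    return any(matches_pattern(redirect_uri, p) for p in cache.redirect_patterns(realm))


def demo():
    store, clock = ClientStore(), FakeClock()
    cache = RealmCache(store, clock, ttl=300.0)
    store.add_realm("demo")
    store.put_client(Client("app", "demo", ("https://app.example.com/*",)))
    store.put_client(Client("portal", "demo", ("https://portal.example.com/logged-out",)))
    cache.get_client("demo", "app")
    ok_wildcard = is_valid_post_logout_redirect(cache, "demo", "https://app.example.com/bye")
    ok_exact = is_valid_post_logout_redirect(cache, "demo", "https://portal.example.com/logged-out")
    rejected = is_valid_post_logout_redirect(cache, "demo", "https://attacker.example.net/")
    loads_after_checks = cache.pattern_loads          # three checks, one scan
    store.put_client(Client("portal", "demo", ("https://portal.example.com/*",)))
    cache.on_client_changed("demo", "portal")          # update invalidates the aggregate
    ok_after_update = is_valid_post_logout_redirect(cache, "demo", "https://portal.example.com/x")
    loads_after_update = cache.pattern_loads          # rescanned once
    store.remove_realm("demo")
    cache.on_realm_removed("demo")
    lingering = ("demo", "app") in cache.clients      # child entry not evicted
    clock.advance(301)
    cache.evict_expired()
    gone = ("demo", "app") not in cache.clients       # TTL eviction cleaned it up
    return dict(ok_wildcard=ok_wildcard, ok_exact=ok_exact, rejected=rejected,
                loads_after_checks=loads_after_checks, ok_after_update=ok_after_update,
                loads_after_update=loads_after_update, lingering=lingering, gone=gone)
```

`demo()` walks through the three situations the thread discusses: repeated logout checks hit the cached pattern list instead of loading every client, a single client update invalidates only that realm's aggregate, and a realm removal leaves the orphaned client entry to age out under the TTL.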
