[keycloak-dev] Moving ClientInitialAccessModel from infinispan to db

Stian Thorgersen sthorger at redhat.com
Mon Jun 26 02:30:12 EDT 2017


Sounds good

+1 To not import/export and no caching. We can re-consider import/export if
anyone asks about it.

On 21 June 2017 at 22:32, Marek Posolda <mposolda at redhat.com> wrote:

> I've sent PR https://github.com/keycloak/keycloak/pull/4248 to move
> ClientInitialAccessModel from userSessionProvider (infinispan) to realm
> model (db). This has advantages like:
>
> - Client initial access tokens will remain persistent across server restarts
> - There won't be issues in cross-dc environment
>
> Regarding functionality, nothing is changed. Admin console and admin
> REST endpoints still have the same behaviour. The remainingCount is still
> decreased during each client registration, like before. The only
> change is that server restarts will just work :)
>
> I didn't add support for export/import of client initial access token
> models. I was thinking about possible issues like:
> - Admin creates the initial token with 3 counters
> - Export is done
> - Then the token is used to register 3 clients, which de facto makes the
> token expired
> - After realm re-import, the token will be back again with 3 attempts,
> which is likely not what the admin wants.
>
> Also I didn't add support for caching. The reason is that there is just
> a small number of tokens. Also there is almost the same number of writes
> and reads to ClientInitialAccessModel, as every client registration needs
> to decrease the counter and update the DB. With caching enabled, there will
> be lots of additional overhead needed to send an invalidation message to
> all cluster nodes in all DCs during every write, which likely won't help
> with performance, but rather the opposite.
>
> WDYT?
>
> Marek


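The export/import concern described in the quoted message, as an added example that is not part of the original thread and is not Keycloak code: a small sqlite3 model of a DB-backed use counter, showing that re-importing a snapshot taken before the uses restores a token that was already exhausted. The table, the JSON key `initialAccess`, the token id and all function names are assumptions made for illustration.

```python
import json
import sqlite3

def open_store():
    # Hypothetical schema: one row per initial access token with its remaining uses.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE initial_access (id TEXT PRIMARY KEY, remaining INTEGER NOT NULL)")
    return db

def create_token(db, token_id, count):
    db.execute("INSERT INTO initial_access VALUES (?, ?)", (token_id, count))
    db.commit()

def register_client(db, token_id):
    # Conditional UPDATE: the check and the decrement happen in one statement,
    # so an exhausted or unknown token changes no row and is rejected.
    cur = db.execute(
        "UPDATE initial_access SET remaining = remaining - 1 WHERE id = ? AND remaining > 0",
        (token_id,))
    db.commit()
    return cur.rowcount == 1

def export_realm(db, include_tokens):
    # Constructed export format; include_tokens=False models the decision in the thread.
    rows = db.execute("SELECT id, remaining FROM initial_access").fetchall() if include_tokens else []
    return json.dumps({"initialAccess": rows})

def import_realm(db, dump):
    # Re-import replaces current state with whatever the snapshot recorded.
    db.execute("DELETE FROM initial_access")
    db.executemany("INSERT INTO initial_access VALUES (?, ?)", json.loads(dump)["initialAccess"])
    db.commit()

def remaining(db, token_id):
    row = db.execute("SELECT remaining FROM initial_access WHERE id = ?", (token_id,)).fetchone()
    return row[0] if row else None

def scenario(include_tokens):
    db = open_store()
    create_token(db, "tok-1", 3)               # admin creates a token with 3 uses
    dump = export_realm(db, include_tokens)    # export happens before any use
    used = [register_client(db, "tok-1") for _ in range(4)]  # 3 succeed, 4th is rejected
    import_realm(db, dump)                     # realm re-import
    return used, remaining(db, "tok-1"), register_client(db, "tok-1")

if __name__ == "__main__":
    print("tokens exported:    ", scenario(True))
    print("tokens not exported:", scenario(False))
```

When tokens are part of the export, the re-imported realm accepts registrations with a token that had already been used up; when they are left out, the token is simply gone after import and has to be reissued.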