[keycloak-dev] Authentication sessions prototype

Marek Posolda mposolda at redhat.com
Mon Mar 27 07:02:44 EDT 2017

We started on the work for cross-dc support. One of the initial steps 
for this is to improve current "sessions" cache to avoid unnecessary 
communication between data-centers.

Currently ClientSessionModel is created at the start of the 
authentication and every step in the authentication flow means some 
writes to the ClientSessionModel. So the idea is to create a separate 
provider and a separate "Authentication session", which will be used just 
during the authentication time. The advantage is that authentication 
usually doesn't take a lot of time and can be tracked with a browser 
sticky session. So a typical deployment will be able to rely on sticky 
sessions and won't need the authentication sessions to be replicated 
across different data centers.

I have some prototype already working in the branch [1].

What I did so far is:
- Created separate provider AuthenticationSessionProvider and separate 

- During start of authentication (at the time the request from the OIDC or 
SAML application is sent to Keycloak), the AuthenticationSession is 
created instead of the old ClientSession. For now, there is a cookie with the 
authentication-session-id created. This one is used to track sticky 

- AuthenticationSession is used for the time of authentication, 
requiredActions and consents. The UserSession is now created after the 
consent is confirmed (before redirecting to OIDC/SAML application). Some 
minor changes were needed in the authentication SPI, requiredActions 
SPI, forms SPI to use AuthenticationSession instead of ClientSession and 
to not use UserSession.

- For now, UserSession still tracks the list of clientSessions of the 
authenticated clients. But those authenticated client-sessions are now 
saved just as an attachment of the userSession entity, so there is just a 
single Infinispan entity for userSession and not additional entities for 

This is just another step. Hopefully we will be able to get rid of 
"clientSession" entirely and keep just a list of the client IDs in the user 
session. This would require some additional refactoring as we currently 
have some data in clientSession which is used during refresh and 
during logout. But this will be done later (e.g. ensure that roles 
and protocolMappers will be available in the refreshToken. Maybe support for 
OIDC logout on the adapter side similar to what we have for SAML, as 
currently we track the HttpSession ID as a note in clientSession and 
this one is needed to log out the HttpSession on the adapter side, etc.)

- There are some improvements done around the back / forward / refresh 
button. We discussed this in another thread. For now, the aim is to 
never display the Keycloak page with "We're sorry. An error occurred and 
please login through your application" but rather display the more 
friendly "Page is expired" with links to the start of the 
authenticationFlow and/or to go to the last step. Any trickier 
functionality (track history with real "rollback" of some authentication 
/ requiredAction / registration actions etc.) is beyond the scope of 
this, so I am likely not going to do anything related to it.

- I have the most important flows working (login, registration, required 
actions, consents, reset password). There are still many TODOs and 
non-working flows (e.g. brokering) and also many failing tests. But 
hopefully in 1-2 weeks I will be able to have this more stable and send a 
PR for it.

- In the branch, I have also cherry-picked some initial work by Hynek on 
"action tokens". This is used in the reset password flow. I think that Hynek 
will send a separate email around this later with more details.

[1] https://github.com/mposolda/keycloak/tree/cross-dc2