[keycloak-dev] User/ClientSession for Offline Access Management Issue (lost, never recovered and unused one left on DB everlastingly)

田畑義之 / TABATA,YOSHIYUKI yoshiyuki.tabata.jy at hitachi.com
Tue Oct 29 20:22:10 EDT 2019


Hello,

# This is Yoshiyuki Tabata writing on behalf of Takashi Norimatsu.

I've used the keycloak (4.8.3.Final) in a clustering environment and managed about 500k user sessions for Offline Access. I've encountered the following 2 problems:



[Problems]

(i) Still-valid User/Client Sessions for Offline Access are lost, meaning they are lost from the Infinispan cache (offlineSessions, offlineClientSessions) of every keycloak node in the cluster.

(ii) Such lost User/Client Sessions for Offline Access are left on the DB everlastingly.

As for (i), it seems to be reasonable for ordinary SSO UserSession/ClientSession. However, it seems not to be reasonable for User/Client Sessions for Offline Access persisted on the DB.

As for (ii), the size of unused resources on the DB keeps increasing, so that is the problem.

I think such problems seem to occur in the following clustering environments:

[Environment]

(a) Infinispan setting owners=1 for offlineSessions and offlineClientSessions

At least one keycloak node is down.

The actual case has been reported on https://issues.jboss.org/browse/KEYCLOAK-11829.

(b) # of keycloak nodes is larger than the value of owners for offlineSessions and offlineClientSessions

A number of keycloak nodes greater than or equal to the value of owners are down simultaneously.

(c) # of keycloak nodes is equal to the value of owners for offlineSessions and offlineClientSessions, and the size of the offlineSessions and offlineClientSessions caches is bounded.

An active User/Client Session for Offline Access is evicted from the Infinispan cache.

I think the current workaround for these problems is as follows:

* Shut down all keycloak nodes.

* Reboot one keycloak node.

In doing so, the rebooted keycloak node recovers all User/Client Sessions for Offline Access from the DB into the Infinispan cache.

However, as reported on https://issues.jboss.org/browse/KEYCLOAK-11019, downtime tends to be long when a vast number of User/Client Sessions for Offline Access exist in the DB, and that seems not to be acceptable.

To get around it, what do you think about the following idea?

* If a User/Client Session for Offline Access is searched for in the Infinispan cache and not found, try to search for it in the DB.

I know it seems to increase disk access, so this point needs to be considered.

Regards,

Yoshiyuki Tabata (On behalf of Takashi Norimatsu)

Hitachi, Ltd.
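The following is an added illustration of the lookup-with-DB-fallback idea proposed in the mail; it is not code from the mail or from Keycloak itself. The OfflineSessionCache and OfflineSessionStore interfaces, the OfflineSession class and the in-memory maps are hypothetical stand-ins for the Infinispan offlineSessions cache and the DB persister, and the main method constructs one sample session and simulates the loss of its only cache owner.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
/** Minimal stand-in for an offline user session: id plus lastSessionRefresh (epoch seconds). */
final class OfflineSession {
    final String id; final int lastSessionRefresh;
    OfflineSession(String id, int lastSessionRefresh) { this.id = id; this.lastSessionRefresh = lastSessionRefresh; }
}
/** Hypothetical view of the Infinispan offlineSessions cache; entries can be lost (e.g. owners=1). */
interface OfflineSessionCache { Optional<OfflineSession> get(String id); void put(OfflineSession s); }
/** Hypothetical view of the DB persister, which holds the durable copy of every offline session. */
interface OfflineSessionStore { Optional<OfflineSession> load(String id); void remove(String id); }

public final class OfflineSessionLookup {
    private final OfflineSessionCache cache; private final OfflineSessionStore store;
    private final int offlineIdleTimeoutSec;   // realm's "Offline Session Idle" value
    public OfflineSessionLookup(OfflineSessionCache cache, OfflineSessionStore store, int idleSec) {
        this.cache = cache; this.store = store; this.offlineIdleTimeoutSec = idleSec;
    }

    /** Cache first; on a miss consult the DB, re-populate the cache, and purge rows that already expired. */
    public Optional<OfflineSession> find(String id, int nowSec) {
        Optional<OfflineSession> cached = cache.get(id);
        if (cached.isPresent()) return cached;                // normal path: no disk access
        Optional<OfflineSession> persisted = store.load(id);  // fallback: one DB read per cache miss
        if (!persisted.isPresent()) return Optional.empty();  // session never existed or was revoked
        OfflineSession s = persisted.get();
        if (s.lastSessionRefresh + offlineIdleTimeoutSec < nowSec) {
            store.remove(id);                                 // (ii): do not leave the dead row behind
            return Optional.empty();
        }
        cache.put(s);                                         // (i): session usable again on this node
        return persisted;
    }

    public static void main(String[] args) {
        Map<String, OfflineSession> cacheMap = new HashMap<>(), dbMap = new HashMap<>();
        OfflineSessionCache cache = new OfflineSessionCache() {
            public Optional<OfflineSession> get(String id) { return Optional.ofNullable(cacheMap.get(id)); }
            public void put(OfflineSession s) { cacheMap.put(s.id, s); }
        };
        OfflineSessionStore store = new OfflineSessionStore() {
            public Optional<OfflineSession> load(String id) { return Optional.ofNullable(dbMap.get(id)); }
            public void remove(String id) { dbMap.remove(id); }
        };
        OfflineSessionLookup lookup = new OfflineSessionLookup(cache, store, 30 * 24 * 3600);
        OfflineSession s = new OfflineSession("sess-1", 1000);   // constructed sample session
        cache.put(s); dbMap.put(s.id, s);
        cacheMap.clear();                                         // simulate the only owner node going down
        System.out.println(lookup.find("sess-1", 2000).isPresent() && cacheMap.containsKey("sess-1"));
    }
}
```

Every DB read happens only on a cache miss, which is the disk-access cost the mail points out; the session found on the DB is put back into the cache so later lookups on the same node are served from memory again.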
