[keycloak-user] Persisting User Sessions in the DB?

[Jared Blashka]

I'm not sure why I never noticed this before, but I was doing some
investigation today and couldn't find any session information actually
populated in the DB tables.  Both USER_SESSION and CLIENT_SESSION were
empty.

After some digging in the code I saw that the only UserSesssionProvider
implementation is the Infinispan-based one and it looks like the only type
of user sessions that get persisted in the DB are offline sessions (via the
JpaUserSessionPersisterProvider).

Was there a particular reason a JpaUserSessionProvider doesn't exist?

Background: We're aiming to have a highly available+resilient active-active
multi-data center deployment of Keycloak. Ultimately, there should be no
customer impact if a particular data center fails; there should be no IDP
outage and they shouldn't have to log in again. We ran into issues with
asynchronous user data replication earlier, which is why we're currently
working on migrating our existing MariaDB cluster to use Galera (which has
been looking pretty good so far) but it looks like we mistakenly assumed
that this synchronous replication would also handle user session data.

Not replicating user session data across data centers is also going to
cause us problems (its already caused us problems actually) when it comes
to the OAuth authorization code flow as well. Since that flow involves
back-channel server communication we can't guarantee that the client server
will communicate with the same data center the client authenticated at. If
a client calls out to the "wrong" data center, the flow will fail.

I can spend some time tomorrow investigating the performance when
clustering infinispan across data centers, but I'm not particularly
optimistic about the results.

Any thoughts/comments on our problem?


Jared
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160824/415453e8/attachment.html