[keycloak-user] Keycloak Scalability Issues

Olivier Rivat orivat at janua.fr
Mon May 6 14:37:23 EDT 2019


Hi,

I am surprised to see you having to consider that many sessions with a 
session lifespan of about 8 months.
All the sessions are piling up, and in the end, as you mention, you can 
end up with about 1 million sessions and scalability issues.

I am wondering if you don't have a design issue.
A normal session is 10 hours, and the session idle timeout is about 30 minutes.
Keycloak provides offline tokens that can last for 30 days, but this could be 
extended to much more (8 months to a year).
Offline token handling will allow your application to generate new 
access tokens (with a very short lifespan) without needing to 
reauthenticate.

I guess it should fulfill your needs.

See also:

http://www.janua.fr/examples-of-offline-token-usage-in-keycloak/

http://www.janua.fr/understanding-token-usage-in-keycloak/



Regards,

Olivier Rivat






On 03/05/2019 at 19:53, Dev Doongoor wrote:
> Hello,
>
> I am looking for help regarding having Keycloak accommodate roughly a
> million, long-lived sessions.
> My setup: I have an externalized infinispan cluster which houses the
> clientSessions and sessions caches, and using Keycloak 4.8.0.
> The infinispan cluster can hold that many entries in each cache, however it
> seems Keycloak itself struggles with this.
> When I restart Keycloak (for whatever reason), it seems to attempt to load
> all sessions from infinispan into memory, which to me seems
> counterintuitive to using an externalized cache system.
> Unless I give Keycloak enough RAM to handle 1 million or so sessions, it
> seems like I would have to clear all session data in order for the
> application to start up again.
> Also, session lifetime is expected to be 8 months to a year.
>
> My standalone-ha.xml for cache configuration looks like this:
> <replicated-cache name="sessions" statistics-enabled="true">
> <state-transfer timeout="600000" />
> <object-memory size="400000" />
> <remote-store remote-servers="infinispan-socket" passivation="false" cache=
> "sessions" shared="true" purge="false" preload="false">
> <property name="rawValues">true</property>
> <property name="marshaller">
> org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>
> </remote-store>
> </replicated-cache>
>
> <replicated-cache name="clientSessions" statistics-enabled="true">
> <state-transfer timeout="600000" />
> <object-memory size="400000" />
> <remote-store remote-servers="infinispan-socket" cache="clientSessions"
> passivation="false" shared="true" purge="false" preload="false">
> <property name="rawValues">true</property>
> <property name="marshaller">
> org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>
> </remote-store>
> </replicated-cache>
>
> Is this correct? Is there a more efficient way to handle this?
>
> Thanks in advance,
>
> DKD
-- 


Olivier Rivat
CTO
orivat at janua.fr <mailto:dchikhaoui at janua.fr>
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr <http://www.janua.fr/>
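
The offline-token pattern suggested in the reply above, as an added example that is not part of the original thread or of Keycloak's code: the application keeps one long-lived offline token (obtained at login by requesting the `offline_access` scope) and exchanges it for short-lived access tokens with the standard `refresh_token` grant. The host, realm, client id and secret, and the `OfflineTokenClient` class are assumptions for illustration, and the transport is injected so the block runs offline.

```python
import time
from urllib.parse import urlencode, parse_qs

# Placeholder host and realm (assumed); the path is Keycloak's OIDC token endpoint.
TOKEN_URL = "https://keycloak.example.com/auth/realms/demo/protocol/openid-connect/token"


class OfflineTokenClient:
    """Keeps one long-lived offline token and mints short-lived access tokens from it."""

    def __init__(self, post, client_id, client_secret, offline_token,
                 skew=30, clock=time.time):
        self._post = post              # callable(url, form_body) -> dict of parsed JSON
        self._client_id = client_id
        self._client_secret = client_secret
        self._offline = offline_token  # long-lived secret: encrypt at rest, never log it
        self._skew = skew              # refresh this many seconds before expiry
        self._clock = clock
        self._access = None
        self._expires_at = 0.0

    def access_token(self):
        now = self._clock()
        if self._access is None or now >= self._expires_at - self._skew:
            body = urlencode({
                "grant_type": "refresh_token",
                "client_id": self._client_id,
                "client_secret": self._client_secret,
                "refresh_token": self._offline,
            })
            resp = self._post(TOKEN_URL, body)
            if "access_token" not in resp:
                # e.g. invalid_grant once the offline session is revoked or expired:
                # drop cached state so the caller has to send the user through login.
                self._access = None
                raise PermissionError(resp.get("error", "token_refresh_failed"))
            self._access = resp["access_token"]
            self._expires_at = now + resp["expires_in"]
            # If the server rotates refresh tokens, keep the newest one.
            self._offline = resp.get("refresh_token", self._offline)
        return self._access


if __name__ == "__main__":
    # Constructed stand-in for an HTTPS POST so the example runs without a server.
    def fake_post(url, body):
        assert parse_qs(body)["grant_type"] == ["refresh_token"]
        return {"access_token": "at-1", "expires_in": 300}

    client = OfflineTokenClient(fake_post, "my-app", "s3cret", "offline-token-placeholder")
    print(client.access_token())
```

Because the offline token stands in for the user for months, revoking it on the server is the control that ends access; the `PermissionError` path is where the application should fall back to interactive login.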