[keycloak-user] Keycloak Scalability Issues

DKD dr.doon+keycloak at gmail.com
Tue May 7 14:41:55 EDT 2019


Thanks for your reply and the links. Offline tokens don't really apply in
this use case, since there aren't any offline operations that are happening
when the user isn't active, and we'd need the
I'd imagine that if the tokens are somewhat permanent in nature, with such a
long-lived timeout, infinispan + backing store can still be used just
as L1/L2 caches.
Loading them all into main memory makes the remote store somewhat useless
- unless the purpose of the remote stores is coordination and cluster
synchronization, and not performance.

However, I strongly suspect we are not configuring things correctly. For
example, we did not set the `Revoke Refresh Token` flag to true, so a new
refresh token was always issued and kept around. That would probably help.

For reference, here are other timeout settings that I have configured:

SSO Session Idle = 30 days
SSO Session Max = 1825 days
No "remember me" values set
Offline Session Idle = 30 days
Access Token Lifespan = 20 minutes
Access Token Lifespan For Implicit Flow = 15 minutes

Thanks again,
DKD
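Added example (not code from this thread, from Keycloak, or from any poster): a small audit script that reads the lifetime fields of a Keycloak realm export and flags the combination described above, i.e. long SSO lifetimes together with refresh-token revocation switched off. The field names are Keycloak's RealmRepresentation attributes as they appear in a realm JSON export (values in seconds); the sample realm is constructed to mirror the settings listed above, and the limits it is checked against are an assumption taken from the "normal" values in the reply quoted below (10 h session, 30 min idle, 30 day offline sessions), so substitute your own policy.

```python
"""Audit session and token lifetimes in a Keycloak realm export.

Added example for this thread; not code from Keycloak or from any poster.
Field names are Keycloak RealmRepresentation attributes (seconds, as in a
realm JSON export).  The limits are an assumption taken from the reply in
the thread: a 10 hour session, a 30 minute idle timeout, 30 day offline
sessions; the access-token limits are the values the poster already uses.
"""
import json

MINUTE = 60
HOUR = 60 * MINUTE
DAY = 24 * HOUR

# Reference limits (assumption, see module docstring).
LIMITS = {
    "ssoSessionIdleTimeout": 30 * MINUTE,
    "ssoSessionMaxLifespan": 10 * HOUR,
    "offlineSessionIdleTimeout": 30 * DAY,
    "accessTokenLifespan": 20 * MINUTE,
    "accessTokenLifespanForImplicitFlow": 15 * MINUTE,
}

# Constructed realm export mirroring the settings listed in the message
# above (30 day idle, 1825 day max, refresh tokens not revoked on use).
SAMPLE_REALM_JSON = json.dumps({
    "realm": "example",
    "ssoSessionIdleTimeout": 30 * DAY,
    "ssoSessionMaxLifespan": 1825 * DAY,
    "offlineSessionIdleTimeout": 30 * DAY,
    "accessTokenLifespan": 20 * MINUTE,
    "accessTokenLifespanForImplicitFlow": 15 * MINUTE,
    "revokeRefreshToken": False,
})


def humanize(seconds: int) -> str:
    """Render a lifetime in the largest unit that divides it exactly."""
    for unit, name in ((DAY, "day"), (HOUR, "hour"), (MINUTE, "minute")):
        if seconds >= unit and seconds % unit == 0:
            n = seconds // unit
            return f"{n} {name}" + ("s" if n != 1 else "")
    return f"{seconds} seconds"


def audit_realm(realm: dict) -> list[str]:
    """Return one finding per lifetime over its limit, plus one finding when
    refresh-token revocation is off.  An empty list means every check passed."""
    findings = []
    for key, limit in LIMITS.items():
        value = realm.get(key)
        if value is None:
            findings.append(f"{key}: missing from export")
        elif value > limit:
            findings.append(
                f"{key}: {humanize(value)} exceeds the {humanize(limit)} limit"
            )
    # With revocation off, a refresh leaves the previously issued refresh
    # token usable for as long as its SSO session lives, so tokens pile up
    # in step with the session lifetimes checked above.
    if not realm.get("revokeRefreshToken", False):
        findings.append("revokeRefreshToken: false (refresh tokens are not "
                        "revoked when used)")
    return findings


def audit_export(text: str) -> list[str]:
    """Parse a realm export (JSON text) and audit it."""
    return audit_realm(json.loads(text))


if __name__ == "__main__":
    # Run against the constructed sample; point audit_export at the text of
    # a real export (e.g. the output of a realm export) to audit your own.
    for line in audit_export(SAMPLE_REALM_JSON):
        print(line)
```

On the constructed sample the script reports the two SSO lifetimes and the disabled revocation flag, and nothing for the offline and access-token lifetimes, which sit exactly at their limits; a realm with a 30 minute idle timeout, a 10 hour maximum and revocation enabled produces no findings.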

On Mon, May 6, 2019 at 3:02 PM Olivier Rivat <orivat at janua.fr> wrote:

> Hi,
>
> I am surprised to see you having to consider that many sessions with a
> session lifetime span of about 8 months.
> All the sessions are piling up, and at the end, as you mention, you can
> end up with about 1 million sessions with scalability issues.
>
> I am wondering if you don't have a design issue.
> A normal session is 10 h, and the session idle timeout is about 30 min.
> Keycloak provides offline tokens that can last for 30 days, but could be
> extended to much more (8 months - a year).
> Offline token handling will allow your application to generate new
> access tokens (very short lifespan), without having the need to
> reauthenticate.
>
> I guess it should fulfill your needs.
>
> see also:
>
> http://www.janua.fr/examples-of-offline-token-usage-in-keycloak/
>
> http://www.janua.fr/understanding-token-usage-in-keycloak/
>
>
>
> Regards,
>
> Olivier Rivat
>
>
>
>
>
>
> On 03/05/2019 at 19:53, Dev Doongoor wrote:
> > Hello,
> >
> > I am looking for help regarding having Keycloak accommodate roughly a
> > million long-lived sessions.
> > My setup: I have an externalized infinispan cluster which houses the
> > clientSessions and sessions caches, and I am using Keycloak 4.8.0.
> > The infinispan cluster can hold that many entries in each cache; however,
> > it seems Keycloak itself struggles with this.
> > When I restart Keycloak (for whatever reason), it seems to attempt to
> > load all sessions from infinispan into memory, which to me seems
> > counterintuitive to using an externalized cache system.
> > Unless I give Keycloak enough RAM to handle 1 million or so sessions, it
> > seems like I would have to clear all session data in order for the
> > application to start up again.
> > Also, session lifetime is expected to be 8 months to a year.
> >
> > My standalone-ha.xml for cache configuration looks like this:
> > <replicated-cache name="sessions" statistics-enabled="true">
> >   <state-transfer timeout="600000" />
> >   <object-memory size="400000" />
> >   <remote-store remote-servers="infinispan-socket" cache="sessions"
> >                 passivation="false" shared="true" purge="false" preload="false">
> >     <property name="rawValues">true</property>
> >     <property name="marshaller">org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>
> >   </remote-store>
> > </replicated-cache>
> >
> > <replicated-cache name="clientSessions" statistics-enabled="true">
> >   <state-transfer timeout="600000" />
> >   <object-memory size="400000" />
> >   <remote-store remote-servers="infinispan-socket" cache="clientSessions"
> >                 passivation="false" shared="true" purge="false" preload="false">
> >     <property name="rawValues">true</property>
> >     <property name="marshaller">org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>
> >   </remote-store>
> > </replicated-cache>
> >
> > Is this correct? Is there a more efficient way to handle this?
> >
> > Thanks in advance,
> >
> > DKD
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> --
>
> Olivier Rivat
> CTO
> orivat at janua.fr <mailto:dchikhaoui at janua.fr>
> Gsm: +33(0)682 801 609
> Tél: +33(0)489 829 238
> Fax: +33(0)955 260 370
> http://www.janua.fr <http://www.janua.fr/>