[keycloak-user] Infinispan clustered sessions not being cleaned up after they expire.

Marc Wijma M.Wijma at edu-actief.nl
Thu Nov 14 05:30:10 EST 2019


Hi,

We see user sessions not expiring / not being cleaned up after the session max has expired (we see sessions 2-3 days old in the session overview in the admin area). Since we are using a session limit per user (custom authenticator), this is a problem: users experience blocked access due to a falsely assumed number of active sessions (expired sessions count as active ones).

The code used in our authenticator for checking how many active user sessions there are calls the .size() function on the cache object. According to the Infinispan documentation (https://infinispan.org/docs/9.4.x/user_guide/user_guide.html#expiration_details), on such a call lazily expired sessions should be invalidated and not counted. NOTE: this is in a higher Infinispan version; in the docs of version 7 nothing of this is mentioned. Also, this is valid in a local cache setup. I am under the impression that in a clustered setup this is not the case? You need to actively clean up those sessions yourself (configure the reaper??). The out-of-the-box config in Keycloak does not give any insight into how this works and whether a reaper is configured.

Is my assumption correct that configuring a reaper would solve my problems, and what would that configuration look like?

Background:

We use Keycloak 4.8.3 in a load-balanced environment (A10, SSL offloading) with 2 VPS machines, with Infinispan 7 as a replicated caching mechanism between the machines.

Session settings (admin area: Realm settings > Tokens)
- SSO Session Idle: 30 minutes
- SSO Session Max: 10 hours
- SSO Session Idle Remember Me: 0 minutes
- SSO Session Max Remember Me: 30 days

Code snippet in the custom authenticator checking the number of active sessions (the lambda parameter is named userSession because a lambda parameter may not shadow the enclosing local variable session):

        // Get the session count in this realm for this specific user
        List<UserSessionModel> userSessionsForRealm =
                session.sessions().getUserSessions(context.getRealm(), context.getUser());
        int userSessionCountForRealm = userSessionsForRealm.size();

        // Get the session count related to the current client for this user
        ClientModel currentClient = context.getAuthenticationSession().getClient();
        logger.debugf("Client: %s", currentClient.getClientId());

        // Keep only the user sessions that carry a client session for the current client
        List<UserSessionModel> userSessionsForClient = userSessionsForRealm.stream()
                .filter(userSession -> userSession.getAuthenticatedClientSessionByClient(currentClient.getId()) != null)
                .collect(Collectors.toList());
        int userSessionCountForClient = userSessionsForClient.size();

We have configured Infinispan as follows in standalone-ha.xml (basically as out of the box):

<subsystem xmlns="urn:jboss:domain:ejb3:5.0">
    …
    <caches>
        <cache name="simple"/>
        <cache name="distributable" passivation-store-ref="infinispan" aliases="passivating clustered"/>
    </caches>
    <passivation-stores>
        <passivation-store name="infinispan" cache-container="ejb" max-size="10000"/>
    </passivation-stores>
    …
</subsystem>
……
<subsystem xmlns="urn:jboss:domain:infinispan:7.0">
            <cache-container name="keycloak">
                <transport lock-timeout="60000"/>
                <local-cache name="realms">
                    <object-memory size="10000"/>
                </local-cache>
                <local-cache name="users">
                    <object-memory size="10000"/>
                </local-cache>
                <local-cache name="authorization">
                    <object-memory size="10000"/>
                </local-cache>
                <local-cache name="keys">
                    <object-memory size="1000"/>
                    <expiration max-idle="3600000"/>
                </local-cache>
                <replicated-cache name="work"/>
                <distributed-cache name="sessions" owners="1"/>
                <distributed-cache name="authenticationSessions" owners="1"/>
                <distributed-cache name="offlineSessions" owners="1"/>
                <distributed-cache name="clientSessions" owners="1"/>
                <distributed-cache name="offlineClientSessions" owners="1"/>
                <distributed-cache name="loginFailures" owners="1"/>
                <distributed-cache name="actionTokens" owners="2">
                    <object-memory size="-1"/>
                    <expiration interval="300000" max-idle="-1"/>
                </distributed-cache>
            </cache-container>
            ……

Marc Wijma
senior developer
T 0522 235 235
M.Wijma at edu-actief.nl
www.edu-actief.nl
Meppel (Stationsweg 66)

Edu'Actief
Boom beroepsonderwijs

Stationsweg 66
7941 HG Meppel
Postbus 1056
7940 KB Meppel


--------------------------------------------------------------------
The contents of this message are intended solely for the addressee.
Use of this message by others without the permission of Edu'Actief
is unlawful. Is this message not intended for you? Please report this
to the sender and delete this message. No rights can be derived from
the contents of this message.
--------------------------------------------------------------------
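An added example (not Marc's authenticator code and not Keycloak's own implementation) of the defensive alternative to trusting .size() on whatever the cache still holds: apply the realm's SSO idle/max timeouts (the "Realm settings > Tokens" values quoted above) to each session's own timestamps and count only sessions that are still within their lifetime, so entries the cache has not yet reaped cannot block a user. It assumes the Keycloak 4.x SPI method names RealmModel.getSsoSessionIdleTimeout(), getSsoSessionMaxLifespan(), their RememberMe variants, UserSessionModel.getStarted(), getLastSessionRefresh(), isRememberMe(), and Time.currentTime() (seconds since the epoch); the class ActiveSessionCounter and its methods are hypothetical names, and the rule that a remember-me timeout of 0 falls back to the regular timeout is an assumption based on the admin UI semantics.

```java
import java.util.List;
import java.util.stream.Collectors;

import org.keycloak.common.util.Time;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;

/**
 * Hypothetical helper (not Keycloak's own code): counts a user's sessions while
 * applying the realm's SSO idle / max timeouts itself, so that cache entries that
 * have expired but not yet been removed are not counted as active.
 */
public final class ActiveSessionCounter {

    private ActiveSessionCounter() {
    }

    /**
     * True if the session is still within both its idle and its max lifetime.
     * All values are seconds. A remember-me timeout of 0 means "no override,
     * use the regular timeout" (assumption, matching the admin UI where
     * "SSO Session Idle Remember Me: 0 minutes" disables the override).
     */
    static boolean isStillValid(RealmModel realm, UserSessionModel userSession, int now) {
        int idleTimeout = realm.getSsoSessionIdleTimeout();
        int maxLifespan = realm.getSsoSessionMaxLifespan();

        if (userSession.isRememberMe()) {
            if (realm.getSsoSessionIdleTimeoutRememberMe() > 0) {
                idleTimeout = realm.getSsoSessionIdleTimeoutRememberMe();
            }
            if (realm.getSsoSessionMaxLifespanRememberMe() > 0) {
                maxLifespan = realm.getSsoSessionMaxLifespanRememberMe();
            }
        }

        // Idle: last refresh plus idle timeout must still lie in the future.
        boolean idleExpired = userSession.getLastSessionRefresh() + idleTimeout < now;
        // Max: session start plus max lifespan must still lie in the future.
        boolean maxExpired = userSession.getStarted() + maxLifespan < now;
        return !idleExpired && !maxExpired;
    }

    /** Sessions of this user in this realm that are still valid right now. */
    public static List<UserSessionModel> activeSessions(KeycloakSession session, RealmModel realm, UserModel user) {
        int now = Time.currentTime();
        // The lambda parameter is deliberately not named "session": a lambda
        // parameter may not shadow the enclosing local variable.
        return session.sessions().getUserSessions(realm, user).stream()
                .filter(userSession -> isStillValid(realm, userSession, now))
                .collect(Collectors.toList());
    }

    /** Of the still-valid sessions, those that also carry a client session for the given client. */
    public static long countActiveSessionsForClient(KeycloakSession session, RealmModel realm,
                                                    UserModel user, ClientModel client) {
        return activeSessions(session, realm, user).stream()
                .filter(userSession -> userSession.getAuthenticatedClientSessionByClient(client.getId()) != null)
                .count();
    }
}
```

Inside an authenticator, ActiveSessionCounter.countActiveSessionsForClient(session, context.getRealm(), context.getUser(), context.getAuthenticationSession().getClient()) replaces the two .size() calls. The count then depends only on the realm's configured timeouts and the sessions' own timestamps, not on when the distributed cache gets around to removing expired entries, which is the failure mode described in the message.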