Replies: 9 comments 34 replies
-
The first set of features are now available in the nightly build. I've updated the description. |
Beta Was this translation helpful? Give feedback.
-
Is Keycloak with It will use the database cache, so we hope it would run reasonable fast. If this is case, it would simplify the code of Keycloak a lot, and the data would always be consistently stored in Keycloak's database, and you need to worry less about Keycloak's JVM memory usage. Please comment here with your findings - possibly with your logins per second and number of concurrent user sessions. Thanks! |
Beta Was this translation helpful? Give feedback.
-
Some production statistics :
count from ISPN database persistence (right now with the hacky
8 vCPU / 32 Go RAM, huge JVM around 20 Go (way too big, it has to be reviewed following recent guide and benchmark results) with most of users and user sessions in cache. CPU usage is low on both instances (KC & database), they are oversized for current trafic. NOTE: delay to get a refresh token has increased a lot between KC 20 and KC 22, from 40 ms to 220 ms with the same infrastructure, a little bit more sessions but not too much. We did not take time to investigate more on this. |
Beta Was this translation helpful? Give feedback.
-
I've been tracking this discussion and its tendrils across github, trying to figure out what problem "persistent user sessions" solves to begin with.... Or to be honest, if it adressess a specific use case of mine: Will this feature allow users to remain offline for a "long" time (say 30 days), and be able to silently log back in again? (the goal being to make it as easy as possible for the user to continue using the application). From what I understand, this can be mimicked by misuing an offline token, but I also have been told that this is not what offline tokens are meant for (which is that they are meant for executing authorized tasks when the user is not online) and may introduce unneccessary security risks. Thinking about it, it seems that there is always additional risk involved by allowing this (since a token or some sort of password must always be stored on the, potentially vulnerable, client, but it seems to be acceptable for big apps like Gmail, and even secure apps like Protonmail. Thanks for any clarification! |
Beta Was this translation helpful? Give feedback.
-
@mhajas @ahus1 Really happy to see the progress on this. Per #27976 (comment) I'm curious if this will also (eventually) encompass User Sessions, Authentication Sessions, User Login Failures, and Single Use Objects. We have a similar experiment for all the "cached" objects using JPA via the |
Beta Was this translation helpful? Give feedback.
-
Hi All, We use Keycloak, and currently, version 23.0.7 is live. Our issue is that the session breaks when we modify a theme during a new deployment (unfortunately, every update for us involves theme modification), causing sessions to be cleared and users to be logged out, which is very inconvenient. We believe that #28271 would solve our problem. Therefore, our question is, when can we expect the deployment of this ticket? We tested the nightly, and it looks fine prefer not to deploy nightly builds into production Is there any plan that when you will deliver this development? :) Thank you in advance for your assistance and information :) |
Beta Was this translation helpful? Give feedback.
-
Will this change also allow (or at least make it easier) to display recently expired sessions for users in the account console? I am assuming that since Infinispan is a cache, it's a bit harder to query for all user sessions, including expired ones, and clearing the information from the cache as soon as possible is best. It would be a pretty good boon from a security standpoint to be able to review recent user sessions, similar to how Microsoft displays such information. |
Beta Was this translation helpful? Give feedback.
-
@ahus1 If the account REST API is still there for this then I guess it wouldn't hurt to add this function back in. If the REST API is missing then that probably means someone had a very good reason for getting rid of it. Maybe open a discussion on the dev list? |
Beta Was this translation helpful? Give feedback.
-
I don't have much to add other than that this would be well received by our users. |
Beta Was this translation helpful? Give feedback.
-
One of the biggest pain points of Keycloak is currently losing sessions on restarts. There were countless complaints on this, including a lot of workarounds that are usually unsupported and come with some trade-offs.
The current approach for storing sessions has become a blocker for active/active multi-site support that we are currently pursuing and therefore we needed to rethink this approach. While brainstorming a new approach we came up with a conclusion that we should also include durable sessions as that feature was already on our radar.
This is now part of Keycloak 25, see https://www.keycloak.org/docs/latest/upgrading/index.html#persistent-user-sessions for more details on how to migrate. Please provide your feedback here (where it works, and were it should be enhanced).
Idea
The current behavior of Keycloak is that online sessions are stored only in Infinispan while offline sessions are also stored in the database. Therefore, the new feature's main idea is to store online sessions in the same table structure.
Plans
To follow this work proceed to the following GitHub epic: #28265
Highlights of the Keycloak 25 release
How to test
Download Keycloak 25 or later
Run Keycloak with the
persistent-user-sessions
feature. Proceed to the following guide on how to enable/disable Keycloak features.Example command in development mode:
To confirm that online sessions are stored in the database check the database table
offline_user_session
contains rows withoffline_flag
column equal to0
.Beta Was this translation helpful? Give feedback.
All reactions