Persist session in JDBC store without using external infinispan cluster #10803
Comments
olivierboudet
added
kind/enhancement
|
Hi @mposolda Sorry to ping you directly, we are still wondering if proposing a PR on this is relevant or not ? |
|
I have the same issue. I am trying to configure a JDBC cache store for the sessions and no session is written to database because of this. This should be at least explained in the server installation documentation and it would be nice if a way to configure this could be provided. Otherwise any guidance on how to implement durable sessions should be provided. |
martin-kanis
added
area/storage
|
Hi, The below configuration (from standalone-ha.xml) worked until Keycloak legacy 19.0.3, with jdbc-store persistence, patching the Sessions and clientSessions are persisted and reloaded fine from PostgreSQL database. However, while upgrading to Quarkus 20.0.2, even if below Infinispan configuration works fine in persisting and reloading new sessions (still with the It is very close from the example you have committed here 2 months ago @thomasdarimont (thanks again for those useful examples) Here is the exception we got with this configuration, the causedBy tells this when trying to We tried without success with
instead of : Also tried (but with infinispan 13.0.10.Final only) the remote cache store configuration you have suggested @martin-kanis here in issue #13926, especially the Last forwarding step is to try with Infinispan 14.0.x.Final and Keycloak 20.0.3, if you have any other configuration input or testing ideas that I could try Do you think that we will not be able to handle and manage compatibility with both "old keycloak 19.0.3 legacy sessions" and "new KC 20.0.3 sessions" in the same ISPN database ? thanks a lot for any lead ! cc @hmlnarik as you assigned this issue to yourself ;-) |
|
I'd also like to be able to guarantee to never lose sessions by persisting them somehow. Is there any solution that works with latest keycloak? |
|
@daviddelannoy Can keycloak20 with Quarkus re-read the sessions from the database if all sessions were written from kc20 with your solution?
A couple of months ago I created a PoC which serialized these sessions into JSON from KC15-Wildfly (I think), and I was able to load these JSON objects into a KC18-Wildfly instance - and after that, the KC18 was able to handle those sessions. It was a proof of concept to migrate the sessions while upgrading the keycloak cluster. It still required some downtime, but I was able to move 10-15 sessions between keycloak versions. If you'd like to do something like that I'd give this a try. We never tried it on a larger userbase though, the decision was to log them out. |
|
Hi @vilmosnagy If sessions were written by a kc20 (so Quarkus) to the database, yes it works fine, they are loaded on startup. It is only between a kc19.x.x-wildfly and a kc20-quarkus that session unmarshalling is broken |
|
Yeah, but that was broken during previous updates as well (eg.: KC15Wildfly -> KC18Wildfly). I've tried something similar, but it was a proof of concept and never tried with more than ~15 sessions. class InternalSessionExportImport {
@SuppressWarnings("unchecked")
public InternalSessionExportImport(KeycloakSession session) {
this.session = session;
var userSessionProvider = (InfinispanUserSessionProvider) session.getProvider(UserSessionProvider.class);
var rootAuthSessionProvider = (InfinispanAuthenticationSessionProvider) session.getProvider(AuthenticationSessionProvider.class);
final var sessionCacheField = InfinispanUserSessionProvider.class.getDeclaredField("sessionCache");
sessionCacheField.setAccessible(true);
final var clientSessionCacheField = InfinispanUserSessionProvider.class.getDeclaredField("clientSessionCache");
clientSessionCacheField.setAccessible(true);
final var rootAuthSessionCacheField = InfinispanAuthenticationSessionProvider.class.getDeclaredField("cache");
rootAuthSessionCacheField.setAccessible(true);
this.sessionCache = (org.infinispan.Cache<String, SessionEntityWrapper<UserSessionEntity>>) sessionCacheField.get(userSessionProvider);
this.clientSessionCache = (Cache<UUID, SessionEntityWrapper<AuthenticatedClientSessionEntity>>) clientSessionCacheField.get(userSessionProvider);
this.rootAuthSessionCache = (Cache<UUID, RootAuthenticationSessionEntity>) rootAuthSessionCacheField.get(rootAuthSessionProvider);
}
public void sessions() throws Exception {
var sessionList = new ArrayList<SessionEntityWrapper<UserSessionEntity>>();
var clientSessionList = new ArrayList<SessionEntityWrapper<AuthenticatedClientSessionEntity>>();
int size = sessionCache.keySet().size();
for (String s : sessionCache.keySet()) {
final var value = sessionCache.get(s);
sessionList.add(value);
}
size = clientSessionCache.keySet().size();
for (UUID key : clientSessionCache.keySet()) {
final var value = clientSessionCache.get(key);
clientSessionList.add(value);
}
// serialize sessionList & clientSessionList _somewhere_ to string (json?)
// and on the newer keycloak versions we could deserialize them and put them back to the cache
}
} |
Closes keycloak#10803 Closes keycloak#24766 Signed-off-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: daviddelannoy <16318239+daviddelannoy@users.noreply.github.com>
Closes keycloak#10803 Closes keycloak#24766 Signed-off-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: daviddelannoy <16318239+daviddelannoy@users.noreply.github.com> Signed-off-by: ShefeeqPM <86718986+ShefeeqPM@users.noreply.github.com>
Description
We need to store session in a JDBC store, but the flag
SKIP_CACHE_STOREhas been introduced in commit KEYCLOAK-4187 Added UserSession support for cross-dc prevents writing in the store.Thomas Darimont has proposed a patch in a previous discussion (https://groups.google.com/g/keycloak-dev/c/sOBzG76f2FE) and @mposolda seemed to approve the idea to be able do disable this flag (https://lists.jboss.org/pipermail/keycloak-dev/2018-August/011089.html). There was no change since then (2018).
At the moment, we have not found any way to natively store sessions in a JDBC store. Because of this, we are considering to use in production ( 😨 ) a workaround deploying a custom
keycloak-infinispan-modelsjar. Moreover, we are wondering if this will be compatible with the future Quarkus new store.Should we propose a new PR allowing to enable the
SKIP_CACHE_STOREflag only when a remote-store is present in configuration ? Is there any chance that this PR will be approved ?We were able to persist sessions with an external infinispan cluster with jdbc store, but this leads us to a new blocking issue : #10577
Discussion
https://groups.google.com/g/keycloak-dev/c/sOBzG76f2FE
Motivation
Business needs to guarantee to never lose user sessions
Details
We may detect if a remote-store is in used by reading the infinispan configuration. Only if this is the case, the SKIP_CACHE_STORE flag should be added on
CacheDecorators.skipCacheStoreandCacheDecorators.skipCacheLoaders.The text was updated successfully, but these errors were encountered: