Jpa Map Storage: locked user sessions lead to read timeouts #13348
Comments
After pairing with @hmlnarik and trying an approach based on short-lived transactions that locks the user session only when changes are made (for example to the session's state), the original deadlock seems to be gone. Link to branch with changes: https://github.com/sguilhen/keycloak/tree/wip-deadlock
However, running all broker tests revealed a couple of issues:
To reproduce, simply run this test using the VM parameters described above. Happens with both databases.
2- Changing user session state in separate transaction seems to be needed for the
3- Some tests occasionally show this exception in the logs, but are still green:
This seems sensitive to timing - when debugging some tests I was able to get this exception to show more often than when running the test with no breakpoints - and is not always reproducible for a particular test. I think it might have something to do with the last session refresh that happens when the logout endpoint validates the identity token on
…in logout transaction commits. - This also fixes broker test failures with CockroachDB Closes keycloak#13348 Closes keycloak#13212 Closes keycloak#13214
Describe the bug
When running the broker tests, the logout process ends up with exceptions like the one below:
And this happens because the requests exchanged between the `consumer` and `producer` logout endpoints attempt to lock the same user session:
`AbstractBaseBrokerTest.logoutRealm` ends up calling the `LogoutEndpoint.logoutConfirmAction` on the `consumer` endpoint, which proceeds with the browser logout that locks the user session and that at some point sends a logout request to the `provider` endpoint. Relevant call stack up to this point:
`provider` logout endpoint proceeds with the logout until it sends a `k_logout` request back to the `consumer`. Relevant stack:
`KeycloakOIDCIdentityProvider.backchannelLogout` endpoint, and at this method, in line 105, attempts to lock the user session
The request is now waiting for the user session that was locked in step 1, and the deadlock is only undone when the `Read timed out` exception is thrown, which allows the first request to proceed and release the lock.
This happens with both PostgreSQL and CockroachDB.
Version
main
Expected behavior
Broker logout logic shouldn't get stuck on a deadlock where multiple requests are trying to lock the same user sessions
Actual behavior
No response
How to Reproduce?
1- Setup CockroachDB according to the instructions in #9596
2- Using the IDE, run any broker test (for example, `ExternalKeycloakRoleToRoleMapperTest`) with the following VM options:
For CRDB adjust the connection port to 26257
Anything else?
No response
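The lock cycle described in this issue, next to the short-lived-transaction approach mentioned in the comment, as an added example that is not Keycloak code. It is a constructed Python model: a `threading.Lock` stands in for the database lock on the user session, a short acquire timeout stands in for the HTTP read timeout, and all names are hypothetical.

```python
import threading

class SessionStore:
    """Constructed stand-in for the locked row of one user session."""
    def __init__(self):
        self.lock = threading.Lock()
        self.state = "LOGGED_IN"

def backchannel_logout(store, read_timeout):
    # Step 3: the k_logout request on the consumer needs the session lock.
    if not store.lock.acquire(timeout=read_timeout):
        return "read timed out"
    try:
        store.state = "LOGGED_OUT"
        return "ok"
    finally:
        store.lock.release()

def provider_logout(store, read_timeout):
    # Step 2: the provider sends k_logout back to the consumer and waits.
    # A separate thread models the separate request handler.
    result = []
    worker = threading.Thread(
        target=lambda: result.append(backchannel_logout(store, read_timeout)))
    worker.start()
    worker.join()
    return result[0]

def consumer_logout_long_lock(store, read_timeout=0.2):
    # Step 1 as reported: the lock is held for the whole browser logout,
    # including the outbound request to the provider.
    with store.lock:
        store.state = "LOGGING_OUT"
        return provider_logout(store, read_timeout)

def consumer_logout_short_lock(store, read_timeout=0.2):
    # Short-lived transaction: lock only while the state changes,
    # then release before the outbound request is sent.
    with store.lock:
        store.state = "LOGGING_OUT"
    return provider_logout(store, read_timeout)
```

With the long-held lock the nested request can only end by timing out, and the session is left in its intermediate state; with the short lock the same call chain completes.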