Need way to housekeep records in DB #1574

22vincetsang opened this issue Sep 23, 2019 · 3 comments



@22vincetsang 22vincetsang commented Sep 23, 2019

There are lots of records in Hydra DB that get accumulated over time and are never cleaned up.
The flush API (as I tested with 1.0) can only clean up access tokens, as stated in the documentation, but not records in at least these tables:

  • hydra_oauth2_authentication_request
  • hydra_oauth2_authentication_request_handled
  • hydra_oauth2_authentication_session
  • hydra_oauth2_code
  • hydra_oauth2_consent_request
  • hydra_oauth2_consent_request_handled
  • hydra_oauth2_pkce
  • hydra_oauth2_refresh

We need at minimum an API to flush all obsolete records, if not an automatic housekeeping mechanism, which I understand isn't in place today for access tokens either.

@aeneasr aeneasr added this to the v1.1.0 milestone Sep 23, 2019
@aeneasr aeneasr added the enhancement label Sep 23, 2019


@aeneasr aeneasr commented Sep 23, 2019

Yes, so I checked and flush currently only clears up access tokens. Since this has not ever become an issue even in large deployments so far, I'm pushing the urgency back a bit.



@aeneasr aeneasr commented Sep 23, 2019

PKCE is removed when it's being used, but it's still possible that old, dead entries are around if the authorize code is not used.



@22vincetsang 22vincetsang commented Oct 2, 2019

Thanks, that's helpful - and I just verified the normal path won't create a record there. So it should be safe to clean up these pkce records then (still don't yet understand where they came from as the auth code should always be consumed immediately by our mobile app/SPA... maybe there's some error case I'm not aware of...).

Looking forward to this enhancement so other DB tables can be handled too. It just seems not that trivial by looking at the other tables to identify which records are safe to delete so I dare not do so...

Thanks again!
