Don't logout users during upgrades

Hello everyone,

in order to prepare an upgrade of our running Keycloak instance (18.x to 21.x) I started reading the upgrading guides. Right at the beginning, I stumbled across the following:

In a minor upgrade of Keycloak, all user sessions are lost. After the upgrade, all users will have to log in again.

My question is: Is there really no way to keep the active user sessions during an upgrade?

Thanks in Advance



it depends…
When you have a clustered Keycloak and the database tables are compatible (i. e. the old Keycloak version can also use the new database tables) and the Infinispan versions are compatible and you do a rolling upgrade, then the sessions are not lost.
We always test this in our testing environments. But as far as I remember from 18.x to 21.x (or something in between) the Infinispan cluster is not compatible and you will mess up your cluster.

For versions where the infinispan and object versions are the same, running a cluster and updating them one at a time should be sufficient. This is usually true for minor version upgrades.

For major version upgrades, it is necessary to use external infinispan in order to preserve sessions (and other distributed/remote caches). This is not documented well, and will likely require some experimentation on your part.