How to configure the users cache as distributed? Is it a good way to make it sync fast between nodes?

We have a requirement to synchronise passwords and other data (users attributes) from the old platform to Keycloak. This functionality is implemented using the Keycloak API to update the user representation.

Sometimes, we have encountered an issue where the user is unable to log in to their account through Keycloak after updating their password. After some time it is possible again. We haven’t identified any issues with the synchronisation process, so I have started to consider that it might be due to the default cache configuration, which is not suitable for our requirements. Consequently, I have begun investigating the configuration of Keycloak caches.

I attempted to modify the ‘users’ cache, assuming it contains passwords and user attributes that need to be synchronised. However, the documentation is not clear on this matter and states the following:

‘users and related data like granted roles and group memberships.’

        <distributed-cache name="users" owners="2">
            <encoding>
                <key media-type="application/x-java-object"/>
                <value media-type="application/x-java-object"/>
            </encoding>
            <expiration max-idle="-1" lifespan="-1" interval="300000"/>
            <memory max-count="-1"/>
        </distributed-cache>

When trying to deploy Keycloak with such a configuration, I encountered multiple errors, primarily related to serialisation. Unfortunately, I couldn’t find any examples of modifying Keycloak caches, and I’m unsure whether the ‘users’ cache can be a different type than ‘local’.

I would like to know one or both of the following solutions:

  1. Is it possible to disable the users cache? If so, how can it be done? - YES, but it is probably not the best thing to do?
  2. How can the users cache be properly set up as a distributed cache to ensure immediate synchronisation when there are changes to user representations? It is important that this cache is updated promptly across all instances.

Keycloak v21.0.2

Disabling users cache

        <local-cache name="users" start="NONE">
        </local-cache>