Hi,
We are using Keycloak with this helm chart: https://hub.helm.sh/charts/codecentric/keycloak
We are using offline tokens for most of our users and we are experiencing the same issues as this topic: Slow startup with a million records of Offline_user_session
We are looking for some advice or best practices regarding these questions:
- Is it possible to delay offline session loading? That is, to have Keycloak ready to take login requests and keep loading offline tokens in the meantime. We can take the risk of having a user who must log in again because their token is not loaded yet, instead of having Keycloak completely down.
- Keycloak startup seems very CPU intensive on our Postgres database. Our database is almost never above 2% CPU except when Keycloak starts, when it can take up to 60% (sometimes more). So we are forced to upgrade our server configuration just for the Keycloak startup. Do you have suggestions to reduce this CPU impact, or a clue as to what the root cause is?
I also have some questions about cache owners:
- If I have 2 Keycloak pods with cache_owner == 2 (that’s what we have), will each pod have all the offline sessions loaded?
- Now what happens if 1 of them dies? If I understand correctly, when a new pod is created, it will have to load all offline sessions?
- If cache_owner == 1 and one of the 2 pods dies, are half of the offline sessions now considered invalid? Will the new pod load only half of the offline sessions? If this is true, does it mean that decreasing the cache_owner integer will improve Keycloak startup time and CPU impact?
- Is a Keycloak pod faster to load when other pods are already live or not?
That’s a lot of questions, but even if you have the answers for only a few of them I would be very grateful.
Best regards,
CiTy