What does temporary database downtime mean for the Keycloak service?

Hey. I’m trying to decide what availability we need on our KC database-cluster. We have very high availability requirements on authenticating users, and our typical authentication flow involve federation to another external IdP. How is this service affected by a temporary database failure, i.e. during a failover? I’ve read that there is a cache in front of the database. Can we depend on this cache to maintain service somehow? Or will an unreachable database immediately result in inability to login? Users being logged out due to some failure (and having to login again) is of no consequence.

If Keycloak needs something from the DB what is not already in the cache, it will - of course - fail if the DB is not available. Just having the cache doesn’t mean that everything is in the cache, just because it’s there.
So, when a user tries to authenticate and it hasn’t been there for the configured cache period, Keycloak won’t have the users data in the cache and it must pick it up from the DB… not matter if the user authenticates against an external IdP or not, there’s always a local representation of this user.

Already authenticated users won’t be logged out if the DB is not available, b/c sessions only live in the cache, they are not stored in the DB. But when an authenticated user tries to refresh a token, there might be DB calls necessary, then, token refresh will fail.

SSO and IAM systems are by design a single point of failure and can bring down your complete application landscape. So, spending very much effort in high availability is recommended and appreciated!


Thanks for a great answer dasniko! What you say makes total sense.

Our most important users will be a few known (5~) services that integrate with our API. They will use the API pretty much every minute. It sounds like it is possible to configure the cache so that these users’ data will be in the cache all the time. Am I right?

Are authorization services also covered by the cache? I.e., will Keycloak be able to evaluate permissions without reading from DB?

Yes, you can configure the cache in the standalone(-ha).xml, somewhere under the infinispan-subsystem. Use the JBoss-CLI to modify the configuration, not directly in the XML.
For more details, how to configure Infinispan, please consult the Infinispan docs.

I don’t know about authorization, as I don’t use authZ services from Keycloak. But I didn’t see anything in the cache config…

1 Like