Deleting a large number of single user sessions commands timeout #29090
Replies: 2 comments 1 reply
-
There's something very wrong in your setup: it's either compromised or you're using the wrong OIDC auth flow for your use case. Make sure to set a user session count limit. If you're running a single Keycloak instance with the default embedded Infinispan, restarting the Docker container is enough to get rid of all the server-side auth sessions.
-
A full restart would unfortunately also kill all the sessions of the other users. The session count built up because of a legacy API that does not hold tokens and logged in again with every request. I did enable the session count limit, but if the limit is reached, it tries to remove old sessions - which at a high enough frequency caused heavy CPU load.
-
Using REST, admin UI button or kcadm.sh cli - they all seem to rely on HTTP and time out.
The user in question has a large number of active sessions - ~1 million - as a result of the integrations making new logins constantly (and the v20 client session timeout overrides not working).
This leads to very high memory consumption.
However, attempts to delete sessions led me to the timeouts. None of the options seem to be able to handle deleting them.
Are there ways to remove them directly, bypassing HTTP requests?
kc CLI failed eventually with HttpResponseException.
There is no external infinicache. It's a docker deployment of the Quarkus image.