Deleting a large number of single user sessions commands timeout

[Ketec]

Using REST, admin UI button or kcadm.sh cli - they all seem to rely on HTTP and time out.
The user in question has a large number of active sessions - ~1million. As a result of the integrations making new logins constantly (and the v20 client session timeout overrides not working).

This leads to very high memory consumption.

However, attempts to delete sessions led me to the timeouts. None of the options seem to be able to handle deleting them.

Are there ways to remove them directly, bypassing HTTP requests?
kc CLI failed eventually with HttpResponseException.

There is no external infinicache. It's a docker deployment of the Quarkus image.

[codespearhead]

There's something very wrong in your setup: it's either compromised or you're using the wrong OIDC auth flow for your use case.

Make sure to set a user session count limit.

If you're running a single Keycloak instance with the default embedded infinispan, restarting the Docker container is enough to get rid of all the server-side auth sessions.

[Ketec]

A full restart would unfortunately also kill all the sessions of the other users.

The session count built up because of a legacy api that does not hold tokens and logged in again with every request.

I did enable session count limit, but if limit I'd reached, it tries to remove old sessions - which at a high enough frequency caused heavy CPU load.

[codespearhead]

From what you've described it seems to be a server-side application, so you should either use Authorization Code Grant with PKCE or the Client Credentials Flow, neither of which creates server-side auth sessions. Hence, the root of the XY problem is the use of the incorrect OIDC auth flow. Additionally, sessions are not meant to be long-lived and cache is not meant to serve as long-term storage, so wiping it at any point in time should not have to be an issue.

However, considering the situation you have at hand, especially because you're dealing with legacy systems which implementation is probably out of your control, I suggest trying the following bash script since kcadm.sh doesn't support passing arguments to the underlying HTTP client as far as I know.

KEYCLOAK_BASE_URL="http://localhost:8080"
ADMIN_USERNAME="admin"
ADMIN_PASSWORD="admin"
REALM_NAME="master"
CLIENT_ID="admin-cli"

# 0. Make sure jq is installed. It'll help extract data from JSON responses.
jq --version

# 1. You probably already know the user id of the target user, so define it here.
# Conversely, you can run the commented code after getting the MASTER_TOKEN to list
# all the users in the realm.
USER_ID=
# curl --location --request GET "$KEYCLOAK_BASE_URL/admin/realms/$REALM_NAME/users" \
#  --header "Authorization: Bearer $MASTER_TOKEN" \
#  --header 'Content-Type: application/json' | jq .

# 2. Get Master Token

MASTER_TOKEN_URL=$(curl --location --request GET "$KEYCLOAK_BASE_URL/realms/$REALM_NAME/.well-known/openid-configuration" | jq -r '.token_endpoint')

MASTER_TOKEN=$(curl --location --request POST "$MASTER_TOKEN_URL" \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode "client_id=$CLIENT_ID" \
  --data-urlencode "username=$ADMIN_USERNAME" \
  --data-urlencode "password=$ADMIN_PASSWORD" \
  --data-urlencode 'grant_type=password' | \
  jq -r '.access_token')

# 3. Terminate all auth sessions of the target user

curl --location --request POST "$KEYCLOAK_BASE_URL/admin/realms/$REALM_NAME/users/$USER_ID/logout" \
  --header "Authorization: Bearer $MASTER_TOKEN" \
  --header 'Content-Type: application/json' \
  --connect-timeout 0 \
  --max-time 0