From b9498b91cbc12cfc81f86e4c120b481c19b58e48 Mon Sep 17 00:00:00 2001 From: Alexander Schwartz Date: Tue, 16 Jan 2024 09:29:01 +0100 Subject: [PATCH] Deprecating the offline session preloading (#26160) Closes #25300 Signed-off-by: Alexander Schwartz --- .../main/java/org/keycloak/common/Profile.java | 2 ++ .../java/org/keycloak/common/ProfileTest.java | 12 ++++++------ .../release_notes/topics/24_0_0.adoc | 8 ++++++++ .../server_admin/topics/sessions/preloading.adoc | 3 ++- .../upgrading/topics/keycloak/changes-24_0_0.adoc | 15 +++++++++++++++ .../infinispan/InfinispanUserSessionProvider.java | 6 ++++++ .../InfinispanUserSessionProviderFactory.java | 4 ++++ ...ommandDistTest.testBuildHelp.unix.approved.txt | 13 +++++++------ ...andDistTest.testBuildHelp.windows.approved.txt | 13 +++++++------ ...mmandDistTest.testExportHelp.unix.approved.txt | 13 +++++++------ ...ndDistTest.testExportHelpAll.unix.approved.txt | 13 +++++++------ ...mmandDistTest.testImportHelp.unix.approved.txt | 13 +++++++------ ...ndDistTest.testImportHelpAll.unix.approved.txt | 13 +++++++------ ...andDistTest.testStartDevHelp.unix.approved.txt | 13 +++++++------ ...DistTest.testStartDevHelpAll.unix.approved.txt | 13 +++++++------ ...ommandDistTest.testStartHelp.unix.approved.txt | 13 +++++++------ ...andDistTest.testStartHelpAll.unix.approved.txt | 13 +++++++------ .../org/keycloak/models/UserSessionProvider.java | 8 ++++++++ .../protocol/oidc/endpoints/LogoutEndpoint.java | 4 ++++ .../tests/base/src/test/resources/arquillian.xml | 8 ++++---- testsuite/model/pom.xml | 4 ++++ 21 files changed, 133 insertions(+), 71 deletions(-) diff --git a/common/src/main/java/org/keycloak/common/Profile.java b/common/src/main/java/org/keycloak/common/Profile.java index 2e70768ae6..a4290b0390 100755 --- a/common/src/main/java/org/keycloak/common/Profile.java +++ b/common/src/main/java/org/keycloak/common/Profile.java 
@@ -102,6 +102,8 @@ public class Profile { TRANSIENT_USERS("Transient users for brokering", Type.EXPERIMENTAL), MULTI_SITE("Multi-site support", Type.PREVIEW), + + OFFLINE_SESSION_PRELOADING("Offline session preloading", Type.DEPRECATED), ; private final Type type; diff --git a/common/src/test/java/org/keycloak/common/ProfileTest.java b/common/src/test/java/org/keycloak/common/ProfileTest.java index c57e5d6b71..d58c99e7fa 100644 --- a/common/src/test/java/org/keycloak/common/ProfileTest.java +++ b/common/src/test/java/org/keycloak/common/ProfileTest.java @@ -1,5 +1,7 @@ package org.keycloak.common; +import org.hamcrest.MatcherAssert; +import org.hamcrest.Matchers; import org.junit.After; import org.junit.Assert; import org.junit.BeforeClass; @@ -81,7 +83,8 @@ public class ProfileTest { Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.CLIENT_SECRET_ROTATION, Profile.Feature.UPDATE_EMAIL, - Profile.Feature.LINKEDIN_OAUTH + Profile.Feature.LINKEDIN_OAUTH, + Profile.Feature.OFFLINE_SESSION_PRELOADING )); // KERBEROS can be disabled (i.e. FIPS mode disables SunJGSS provider) @@ -245,14 +248,11 @@ public class ProfileTest { } public static void assertEquals(Set actual, Collection expected) { - assertEquals(actual, expected.toArray(new Profile.Feature[0])); + MatcherAssert.assertThat(actual, Matchers.equalTo(expected)); } public static void assertEquals(Set actual, Profile.Feature... expected) { - Profile.Feature[] a = actual.toArray(new Profile.Feature[0]); - Arrays.sort(a, new FeatureComparator()); - Arrays.sort(expected, new FeatureComparator()); - Assert.assertArrayEquals(expected, a); + assertEquals(actual, new HashSet<>(Arrays.asList(expected))); } private static class FeatureComparator implements Comparator { diff --git a/docs/documentation/release_notes/topics/24_0_0.adoc b/docs/documentation/release_notes/topics/24_0_0.adoc index fb87d90a00..c7bc73b9fd 100644 --- a/docs/documentation/release_notes/topics/24_0_0.adoc 
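Review bot: In `assertEquals(Set actual, Collection expected)` the new `Matchers.equalTo(expected)` ends up in `Set.equals`, which returns false for any argument that is not itself a `Set`. A caller passing a `List` holding the right features would now fail, although the old sort-and-compare-arrays version accepted any `Collection`. Copying first keeps the helper independent of the argument's collection type: `MatcherAssert.assertThat(actual, Matchers.equalTo(new HashSet<>(expected)));`. The varargs overload no longer sorts, so `FeatureComparator` in the trailing context looks unused after this hunk; whether anything else in the class still refers to it is outside the hunk.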
+++ b/docs/documentation/release_notes/topics/24_0_0.adoc @@ -125,6 +125,14 @@ will be shown. In addition to that, a new error (`EMAIL_ALREADY_VERIFIED`) event will be fired to indicate an attempt to verify an already verified email. You can use this event to track possible attempts to hijack user accounts in case the link has leaked or to alert users if they do not recognize the action. += Deprecated offline session preloading + +The default behavior of Keycloak is to load offline sessions on demand. +The old behavior to preload them at startup is now deprecated, as pre-loading them at startup doesn't scale well with a growing number of sessions, and increases Keycloak memory usage. The old behavior will be removed in a future release. + +For more details, check the +link:{upgradingguide_link}[{upgradingguide_name}]. + = Infinispan metrics use labels for cache manager and cache names When enabling metrics for {project_name}'s embedded caches, the metrics now use labels for the cache manager and the cache names. diff --git a/docs/documentation/server_admin/topics/sessions/preloading.adoc b/docs/documentation/server_admin/topics/sessions/preloading.adoc index a159d3619d..9f90427122 100644 --- a/docs/documentation/server_admin/topics/sessions/preloading.adoc +++ b/docs/documentation/server_admin/topics/sessions/preloading.adoc 
@@ -9,10 +9,11 @@ Therefore, the offline sessions are lazily fetched from the database by default. However, {project_name} can be configured to preload the offline sessions from the database into the Infinispan caches during the server startup. It can be achieved by setting `preloadOfflineSessionsFromDatabase` property in the `userSessions` SPI to `true`. +This functionality is currently deprecated and will be removed in a future release. The following example shows how to configure offline sessions preloading. [source,bash] ---- -bin/kc.[sh|bat] start --spi-user-sessions-infinispan-preload-offline-sessions-from-database=true +bin/kc.[sh|bat] start --features-enabled offline-session-preloading --spi-user-sessions-infinispan-preload-offline-sessions-from-database=true ---- diff --git a/docs/documentation/upgrading/topics/keycloak/changes-24_0_0.adoc b/docs/documentation/upgrading/topics/keycloak/changes-24_0_0.adoc index 079ba9c7a2..cfdc6a71c5 100644 --- a/docs/documentation/upgrading/topics/keycloak/changes-24_0_0.adoc +++ b/docs/documentation/upgrading/topics/keycloak/changes-24_0_0.adoc 
@@ -155,6 +155,21 @@ Therefore, it was changed to sequential session loading. For offline sessions, the default in this and previous versions of Keycloak is to load those sessions on demand, which scales better with a lot of offline sessions than the attempt to preload them in parallel. Setups that use this default setup are not affected by the change of the loading strategy for offline sessions. Setups that have offline session preloading enabled should migrate to a setup where offline-session preloading is disabled. += Deprecated offline session preloading + +The default behavior of Keycloak is to load offline sessions on demand. +The old behavior to preload them at startup is now deprecated, as preloading them at startup does not scale well with a growing number of sessions, and increases Keycloak memory usage. +The old behavior will be removed in a future release. + +To re-enable old behavior while it is deprecated and not removed yet, use the feature flag and the SPI option as shown below: + +[source,bash] +---- +bin/kc.[sh|bat] start --features-enabled offline-session-preloading --spi-user-sessions-infinispan-preload-offline-sessions-from-database=true +---- + +The API of `UserSessionProvider` deprecated the method `getOfflineUserSessionByBrokerSessionId(RealmModel realm, String brokerSessionId)`. +Instead of this method, use `getOfflineUserSessionByBrokerUserIdStream(RealmModel, String brokerUserId)` to first get the sessions of a user, and then filter by the broker session ID as needed. = Infinispan metrics use labels for cache manager and cache names diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java index 9bb122b682..379d1dcd9e 100755 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java 
+++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java @@ -385,6 +385,9 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { } if (predicate.getBrokerSessionId() != null) { + if (!Profile.isFeatureEnabled(Profile.Feature.OFFLINE_SESSION_PRELOADING)) { + throw new RuntimeException("The deprecated offline session preloading feature is disabled in this configuration. Read the migration guide to learn more."); + } // TODO add support for offline user-session lookup by brokerSessionId // currently it is not possible to access the brokerSessionId in offline user-session in a database agnostic way throw new ModelException("Dynamic database lookup for offline user-sessions by broker session ID is currently only supported for preloaded sessions. " + @@ -813,6 +816,9 @@ public class InfinispanUserSessionProvider implements UserSessionProvider { @Override public UserSessionModel getOfflineUserSessionByBrokerSessionId(RealmModel realm, String brokerSessionId) { + if (!Profile.isFeatureEnabled(Profile.Feature.OFFLINE_SESSION_PRELOADING)) { + throw new RuntimeException("The deprecated offline session preloading feature is disabled in this configuration. Read the migration guide to learn more."); + } return this.getUserSessionsStream(realm, UserSessionPredicate.create(realm.getId()).brokerSessionId(brokerSessionId), true) .findFirst().orElse(null); } diff --git a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProviderFactory.java b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProviderFactory.java index 20c887dbf2..86af8891c4 100755 --- a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProviderFactory.java +++ b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProviderFactory.java 
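Review bot: The guard added inside `if (predicate.getBrokerSessionId() != null)` throws a bare `RuntimeException` directly above the existing `throw new ModelException(...)`, which appears to be unconditional, so with the feature off callers get a different, untyped exception for the same unsupported lookup. The identical message literal is repeated in the second hunk of this file (`getOfflineUserSessionByBrokerSessionId`), in `InfinispanUserSessionProviderFactory.init` and in the `LogoutEndpoint` constructor. I would throw `ModelException` here to match the line below and keep the text in one shared constant so the four sites cannot drift apart. The method enclosing the first hunk starts outside it.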
@@ -23,6 +23,7 @@ import org.infinispan.persistence.remote.RemoteStore; import org.jboss.logging.Logger; import org.keycloak.Config; import org.keycloak.cluster.ClusterProvider; +import org.keycloak.common.Profile; import org.keycloak.common.util.Environment; import org.keycloak.common.util.Time; import org.keycloak.connections.infinispan.InfinispanConnectionProvider; @@ -104,6 +105,9 @@ public class InfinispanUserSessionProviderFactory implements UserSessionProvider public void init(Config.Scope config) { this.config = config; preloadOfflineSessionsFromDatabase = config.getBoolean("preloadOfflineSessionsFromDatabase", false); + if (preloadOfflineSessionsFromDatabase && !Profile.isFeatureEnabled(Profile.Feature.OFFLINE_SESSION_PRELOADING)) { + throw new RuntimeException("The deprecated offline session preloading feature is disabled in this configuration. Read the migration guide to learn more."); + } } @Override diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBuildHelp.unix.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBuildHelp.unix.approved.txt index 73f2647603..54cc7a7fb5 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBuildHelp.unix.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBuildHelp.unix.approved.txt 
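Review bot: The exception raised from `init` when `preloadOfflineSessionsFromDatabase` is true only tells the operator to read the migration guide; it names neither the option that triggered it nor the feature that would allow it. Someone facing a server that no longer starts after an upgrade needs both. Failing at startup is the right place for the check, so only the text needs work, for example `"preloadOfflineSessionsFromDatabase is set to true, but the deprecated feature offline-session-preloading is not enabled. Read the migration guide to learn more."`.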
@@ -50,17 +50,18 @@ Feature: admin2[:v1], authorization[:v1], ciba[:v1], client-policies[:v1], client-secret-rotation[:v1], device-flow[:v1], docker[:v1], dpop[:v1], dynamic-scopes[:v1], fips[:v1], impersonation[:v1], js-adapter[:v1], kerberos - [:v1], linkedin-oauth[:v1], multi-site[:v1], par[:v1], preview, - recovery-codes[:v1], scripts[:v1], step-up-authentication[:v1], - token-exchange[:v1], transient-users[:v1], update-email[:v1], web-authn[:v1]. + [:v1], linkedin-oauth[:v1], multi-site[:v1], offline-session-preloading[: + v1], par[:v1], preview, recovery-codes[:v1], scripts[:v1], + step-up-authentication[:v1], token-exchange[:v1], transient-users[:v1], + update-email[:v1], web-authn[:v1]. --features-disabled Disables a set of one or more features. Possible values are: account-api, account2, account3, admin-api, admin-fine-grained-authz, admin2, authorization, ciba, client-policies, client-secret-rotation, device-flow, docker, dpop, dynamic-scopes, fips, impersonation, js-adapter, kerberos, - linkedin-oauth, multi-site, par, preview, recovery-codes, scripts, - step-up-authentication, token-exchange, transient-users, update-email, - web-authn. + linkedin-oauth, multi-site, offline-session-preloading, par, preview, + recovery-codes, scripts, step-up-authentication, token-exchange, + transient-users, update-email, web-authn. HTTP(S): diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBuildHelp.windows.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBuildHelp.windows.approved.txt index d65f32a7ad..d0e5d1a3c7 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBuildHelp.windows.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBuildHelp.windows.approved.txt 
@@ -50,17 +50,18 @@ Feature: admin2[:v1], authorization[:v1], ciba[:v1], client-policies[:v1], client-secret-rotation[:v1], device-flow[:v1], docker[:v1], dpop[:v1], dynamic-scopes[:v1], fips[:v1], impersonation[:v1], js-adapter[:v1], kerberos - [:v1], linkedin-oauth[:v1], multi-site[:v1], par[:v1], preview, - recovery-codes[:v1], scripts[:v1], step-up-authentication[:v1], - token-exchange[:v1], transient-users[:v1], update-email[:v1], web-authn[:v1]. + [:v1], linkedin-oauth[:v1], multi-site[:v1], offline-session-preloading[: + v1], par[:v1], preview, recovery-codes[:v1], scripts[:v1], + step-up-authentication[:v1], token-exchange[:v1], transient-users[:v1], + update-email[:v1], web-authn[:v1]. --features-disabled Disables a set of one or more features. Possible values are: account-api, account2, account3, admin-api, admin-fine-grained-authz, admin2, authorization, ciba, client-policies, client-secret-rotation, device-flow, docker, dpop, dynamic-scopes, fips, impersonation, js-adapter, kerberos, - linkedin-oauth, multi-site, par, preview, recovery-codes, scripts, - step-up-authentication, token-exchange, transient-users, update-email, - web-authn. + linkedin-oauth, multi-site, offline-session-preloading, par, preview, + recovery-codes, scripts, step-up-authentication, token-exchange, + transient-users, update-email, web-authn. HTTP(S): diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelp.unix.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelp.unix.approved.txt index 6a02a2d467..b07b5188b4 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelp.unix.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelp.unix.approved.txt 
@@ -61,17 +61,18 @@ Feature: admin2[:v1], authorization[:v1], ciba[:v1], client-policies[:v1], client-secret-rotation[:v1], device-flow[:v1], docker[:v1], dpop[:v1], dynamic-scopes[:v1], fips[:v1], impersonation[:v1], js-adapter[:v1], kerberos - [:v1], linkedin-oauth[:v1], multi-site[:v1], par[:v1], preview, - recovery-codes[:v1], scripts[:v1], step-up-authentication[:v1], - token-exchange[:v1], transient-users[:v1], update-email[:v1], web-authn[:v1]. + [:v1], linkedin-oauth[:v1], multi-site[:v1], offline-session-preloading[: + v1], par[:v1], preview, recovery-codes[:v1], scripts[:v1], + step-up-authentication[:v1], token-exchange[:v1], transient-users[:v1], + update-email[:v1], web-authn[:v1]. --features-disabled Disables a set of one or more features. Possible values are: account-api, account2, account3, admin-api, admin-fine-grained-authz, admin2, authorization, ciba, client-policies, client-secret-rotation, device-flow, docker, dpop, dynamic-scopes, fips, impersonation, js-adapter, kerberos, - linkedin-oauth, multi-site, par, preview, recovery-codes, scripts, - step-up-authentication, token-exchange, transient-users, update-email, - web-authn. + linkedin-oauth, multi-site, offline-session-preloading, par, preview, + recovery-codes, scripts, step-up-authentication, token-exchange, + transient-users, update-email, web-authn. Config: diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelpAll.unix.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelpAll.unix.approved.txt index 6a02a2d467..b07b5188b4 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelpAll.unix.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelpAll.unix.approved.txt 
@@ -61,17 +61,18 @@ Feature: admin2[:v1], authorization[:v1], ciba[:v1], client-policies[:v1], client-secret-rotation[:v1], device-flow[:v1], docker[:v1], dpop[:v1], dynamic-scopes[:v1], fips[:v1], impersonation[:v1], js-adapter[:v1], kerberos - [:v1], linkedin-oauth[:v1], multi-site[:v1], par[:v1], preview, - recovery-codes[:v1], scripts[:v1], step-up-authentication[:v1], - token-exchange[:v1], transient-users[:v1], update-email[:v1], web-authn[:v1]. + [:v1], linkedin-oauth[:v1], multi-site[:v1], offline-session-preloading[: + v1], par[:v1], preview, recovery-codes[:v1], scripts[:v1], + step-up-authentication[:v1], token-exchange[:v1], transient-users[:v1], + update-email[:v1], web-authn[:v1]. --features-disabled Disables a set of one or more features. Possible values are: account-api, account2, account3, admin-api, admin-fine-grained-authz, admin2, authorization, ciba, client-policies, client-secret-rotation, device-flow, docker, dpop, dynamic-scopes, fips, impersonation, js-adapter, kerberos, - linkedin-oauth, multi-site, par, preview, recovery-codes, scripts, - step-up-authentication, token-exchange, transient-users, update-email, - web-authn. + linkedin-oauth, multi-site, offline-session-preloading, par, preview, + recovery-codes, scripts, step-up-authentication, token-exchange, + transient-users, update-email, web-authn. Config: diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelp.unix.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelp.unix.approved.txt index 09d8d50d78..583a0739c9 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelp.unix.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelp.unix.approved.txt 
@@ -61,17 +61,18 @@ Feature: admin2[:v1], authorization[:v1], ciba[:v1], client-policies[:v1], client-secret-rotation[:v1], device-flow[:v1], docker[:v1], dpop[:v1], dynamic-scopes[:v1], fips[:v1], impersonation[:v1], js-adapter[:v1], kerberos - [:v1], linkedin-oauth[:v1], multi-site[:v1], par[:v1], preview, - recovery-codes[:v1], scripts[:v1], step-up-authentication[:v1], - token-exchange[:v1], transient-users[:v1], update-email[:v1], web-authn[:v1]. + [:v1], linkedin-oauth[:v1], multi-site[:v1], offline-session-preloading[: + v1], par[:v1], preview, recovery-codes[:v1], scripts[:v1], + step-up-authentication[:v1], token-exchange[:v1], transient-users[:v1], + update-email[:v1], web-authn[:v1]. --features-disabled Disables a set of one or more features. Possible values are: account-api, account2, account3, admin-api, admin-fine-grained-authz, admin2, authorization, ciba, client-policies, client-secret-rotation, device-flow, docker, dpop, dynamic-scopes, fips, impersonation, js-adapter, kerberos, - linkedin-oauth, multi-site, par, preview, recovery-codes, scripts, - step-up-authentication, token-exchange, transient-users, update-email, - web-authn. + linkedin-oauth, multi-site, offline-session-preloading, par, preview, + recovery-codes, scripts, step-up-authentication, token-exchange, + transient-users, update-email, web-authn. Config: diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelpAll.unix.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelpAll.unix.approved.txt index 09d8d50d78..583a0739c9 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelpAll.unix.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelpAll.unix.approved.txt 
@@ -61,17 +61,18 @@ Feature: admin2[:v1], authorization[:v1], ciba[:v1], client-policies[:v1], client-secret-rotation[:v1], device-flow[:v1], docker[:v1], dpop[:v1], dynamic-scopes[:v1], fips[:v1], impersonation[:v1], js-adapter[:v1], kerberos - [:v1], linkedin-oauth[:v1], multi-site[:v1], par[:v1], preview, - recovery-codes[:v1], scripts[:v1], step-up-authentication[:v1], - token-exchange[:v1], transient-users[:v1], update-email[:v1], web-authn[:v1]. + [:v1], linkedin-oauth[:v1], multi-site[:v1], offline-session-preloading[: + v1], par[:v1], preview, recovery-codes[:v1], scripts[:v1], + step-up-authentication[:v1], token-exchange[:v1], transient-users[:v1], + update-email[:v1], web-authn[:v1]. --features-disabled Disables a set of one or more features. Possible values are: account-api, account2, account3, admin-api, admin-fine-grained-authz, admin2, authorization, ciba, client-policies, client-secret-rotation, device-flow, docker, dpop, dynamic-scopes, fips, impersonation, js-adapter, kerberos, - linkedin-oauth, multi-site, par, preview, recovery-codes, scripts, - step-up-authentication, token-exchange, transient-users, update-email, - web-authn. + linkedin-oauth, multi-site, offline-session-preloading, par, preview, + recovery-codes, scripts, step-up-authentication, token-exchange, + transient-users, update-email, web-authn. Config: diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.unix.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.unix.approved.txt index 52469b9021..97051755d8 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.unix.approved.txt +++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.unix.approved.txt 
@@ -77,17 +77,18 @@ Feature: admin2[:v1], authorization[:v1], ciba[:v1], client-policies[:v1], client-secret-rotation[:v1], device-flow[:v1], docker[:v1], dpop[:v1], dynamic-scopes[:v1], fips[:v1], impersonation[:v1], js-adapter[:v1], kerberos - [:v1], linkedin-oauth[:v1], multi-site[:v1], par[:v1], preview, - recovery-codes[:v1], scripts[:v1], step-up-authentication[:v1], - token-exchange[:v1], transient-users[:v1], update-email[:v1], web-authn[:v1]. + [:v1], linkedin-oauth[:v1], multi-site[:v1], offline-session-preloading[: + v1], par[:v1], preview, recovery-codes[:v1], scripts[:v1], + step-up-authentication[:v1], token-exchange[:v1], transient-users[:v1], + update-email[:v1], web-authn[:v1]. --features-disabled Disables a set of one or more features. Possible values are: account-api, account2, account3, admin-api, admin-fine-grained-authz, admin2, authorization, ciba, client-policies, client-secret-rotation, device-flow, docker, dpop, dynamic-scopes, fips, impersonation, js-adapter, kerberos, - linkedin-oauth, multi-site, par, preview, recovery-codes, scripts, - step-up-authentication, token-exchange, transient-users, update-email, - web-authn. + linkedin-oauth, multi-site, offline-session-preloading, par, preview, + recovery-codes, scripts, step-up-authentication, token-exchange, + transient-users, update-email, web-authn. Hostname: diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.unix.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.unix.approved.txt index 52469b9021..97051755d8 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.unix.approved.txt 
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.unix.approved.txt @@ -77,17 +77,18 @@ Feature: admin2[:v1], authorization[:v1], ciba[:v1], client-policies[:v1], client-secret-rotation[:v1], device-flow[:v1], docker[:v1], dpop[:v1], dynamic-scopes[:v1], fips[:v1], impersonation[:v1], js-adapter[:v1], kerberos - [:v1], linkedin-oauth[:v1], multi-site[:v1], par[:v1], preview, - recovery-codes[:v1], scripts[:v1], step-up-authentication[:v1], - token-exchange[:v1], transient-users[:v1], update-email[:v1], web-authn[:v1]. + [:v1], linkedin-oauth[:v1], multi-site[:v1], offline-session-preloading[: + v1], par[:v1], preview, recovery-codes[:v1], scripts[:v1], + step-up-authentication[:v1], token-exchange[:v1], transient-users[:v1], + update-email[:v1], web-authn[:v1]. --features-disabled Disables a set of one or more features. Possible values are: account-api, account2, account3, admin-api, admin-fine-grained-authz, admin2, authorization, ciba, client-policies, client-secret-rotation, device-flow, docker, dpop, dynamic-scopes, fips, impersonation, js-adapter, kerberos, - linkedin-oauth, multi-site, par, preview, recovery-codes, scripts, - step-up-authentication, token-exchange, transient-users, update-email, - web-authn. + linkedin-oauth, multi-site, offline-session-preloading, par, preview, + recovery-codes, scripts, step-up-authentication, token-exchange, + transient-users, update-email, web-authn. Hostname: diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.unix.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.unix.approved.txt index f69767145b..03530cad2c 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.unix.approved.txt 
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.unix.approved.txt @@ -78,17 +78,18 @@ Feature: admin2[:v1], authorization[:v1], ciba[:v1], client-policies[:v1], client-secret-rotation[:v1], device-flow[:v1], docker[:v1], dpop[:v1], dynamic-scopes[:v1], fips[:v1], impersonation[:v1], js-adapter[:v1], kerberos - [:v1], linkedin-oauth[:v1], multi-site[:v1], par[:v1], preview, - recovery-codes[:v1], scripts[:v1], step-up-authentication[:v1], - token-exchange[:v1], transient-users[:v1], update-email[:v1], web-authn[:v1]. + [:v1], linkedin-oauth[:v1], multi-site[:v1], offline-session-preloading[: + v1], par[:v1], preview, recovery-codes[:v1], scripts[:v1], + step-up-authentication[:v1], token-exchange[:v1], transient-users[:v1], + update-email[:v1], web-authn[:v1]. --features-disabled Disables a set of one or more features. Possible values are: account-api, account2, account3, admin-api, admin-fine-grained-authz, admin2, authorization, ciba, client-policies, client-secret-rotation, device-flow, docker, dpop, dynamic-scopes, fips, impersonation, js-adapter, kerberos, - linkedin-oauth, multi-site, par, preview, recovery-codes, scripts, - step-up-authentication, token-exchange, transient-users, update-email, - web-authn. + linkedin-oauth, multi-site, offline-session-preloading, par, preview, + recovery-codes, scripts, step-up-authentication, token-exchange, + transient-users, update-email, web-authn. Hostname: diff --git a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.unix.approved.txt b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.unix.approved.txt index f69767145b..03530cad2c 100644 --- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.unix.approved.txt 
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.unix.approved.txt @@ -78,17 +78,18 @@ Feature: admin2[:v1], authorization[:v1], ciba[:v1], client-policies[:v1], client-secret-rotation[:v1], device-flow[:v1], docker[:v1], dpop[:v1], dynamic-scopes[:v1], fips[:v1], impersonation[:v1], js-adapter[:v1], kerberos - [:v1], linkedin-oauth[:v1], multi-site[:v1], par[:v1], preview, - recovery-codes[:v1], scripts[:v1], step-up-authentication[:v1], - token-exchange[:v1], transient-users[:v1], update-email[:v1], web-authn[:v1]. + [:v1], linkedin-oauth[:v1], multi-site[:v1], offline-session-preloading[: + v1], par[:v1], preview, recovery-codes[:v1], scripts[:v1], + step-up-authentication[:v1], token-exchange[:v1], transient-users[:v1], + update-email[:v1], web-authn[:v1]. --features-disabled Disables a set of one or more features. Possible values are: account-api, account2, account3, admin-api, admin-fine-grained-authz, admin2, authorization, ciba, client-policies, client-secret-rotation, device-flow, docker, dpop, dynamic-scopes, fips, impersonation, js-adapter, kerberos, - linkedin-oauth, multi-site, par, preview, recovery-codes, scripts, - step-up-authentication, token-exchange, transient-users, update-email, - web-authn. + linkedin-oauth, multi-site, offline-session-preloading, par, preview, + recovery-codes, scripts, step-up-authentication, token-exchange, + transient-users, update-email, web-authn. Hostname: diff --git a/server-spi/src/main/java/org/keycloak/models/UserSessionProvider.java b/server-spi/src/main/java/org/keycloak/models/UserSessionProvider.java index ea8be79120..dbde310353 100755 --- a/server-spi/src/main/java/org/keycloak/models/UserSessionProvider.java +++ b/server-spi/src/main/java/org/keycloak/models/UserSessionProvider.java 
@@ -175,6 +175,14 @@ public interface UserSessionProvider extends Provider { */ Stream getOfflineUserSessionsStream(RealmModel realm, UserModel user); + /** + * Search user sessions by the broker session ID. + * @deprecated + * Instead of this method, use {@link #getOfflineUserSessionByBrokerUserIdStream(RealmModel, String)} to first get + * the sessions of a user, and then filter by the broker session ID as needed. + * + */ + @Deprecated UserSessionModel getOfflineUserSessionByBrokerSessionId(RealmModel realm, String brokerSessionId); /** diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java index 02d7f7e938..739c4f70fe 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java @@ -23,6 +23,7 @@ import static org.keycloak.services.resources.LoginActionsService.SESSION_CODE; import org.jboss.logging.Logger; import org.jboss.resteasy.reactive.NoCache; +import org.keycloak.common.Profile; import org.keycloak.http.HttpRequest; import org.keycloak.Config; import org.keycloak.OAuth2Constants; @@ -128,6 +129,9 @@ public class LogoutEndpoint { this.event = event; this.providerConfig = providerConfig; this.offlineSessionsLazyLoadingEnabled = !Config.scope("userSessions").scope("infinispan").getBoolean("preloadOfflineSessionsFromDatabase", false); + if (!this.offlineSessionsLazyLoadingEnabled && !Profile.isFeatureEnabled(Profile.Feature.OFFLINE_SESSION_PRELOADING)) { + throw new RuntimeException("The deprecated offline session preloading feature is disabled in this configuration. Read the migration guide to learn more."); + } this.request = session.getContext().getHttpRequest(); this.headers = session.getContext().getRequestHeaders(); } 
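Review bot: The new Javadoc on `getOfflineUserSessionByBrokerSessionId` opens with "Search user sessions", but the method returns a single offline `UserSessionModel`, and the comment has no `@param` or `@return`, so a caller cannot tell what comes back when no session matches. I would reword the summary to `Returns the offline user session that has the given broker session ID.` and add `@param realm`, `@param brokerSessionId` and a `@return` line that states the no-match result. The `@deprecated` text points to a lookup keyed by broker user ID, so it should say that callers need that ID as well as the broker session ID, and that the filtering step is now their responsibility. The interface starts and ends outside this hunk.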
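Review bot: The guard added to the `LogoutEndpoint` constructor throws a bare `RuntimeException`, so a deployment that still sets `preloadOfflineSessionsFromDatabase` while the feature is disabled would fail logout requests with a generic server error, leaving users unable to end their sessions. A configuration error like this is better rejected once at startup. The diffstat lists four added lines in `InfinispanUserSessionProviderFactory.java`, which may already do so, but that hunk is not in view here. If the check stays in the endpoint, use a specific type with the same message, `throw new IllegalStateException(...)`, and add a comment such as `// configuration error: preloading is requested but Profile.Feature.OFFLINE_SESSION_PRELOADING is disabled`. The constructor begins above this hunk, so the rest of its setup is not visible.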
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/arquillian.xml b/testsuite/integration-arquillian/tests/base/src/test/resources/arquillian.xml index 18269b3fa1..a872b16c1e 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/resources/arquillian.xml +++ b/testsuite/integration-arquillian/tests/base/src/test/resources/arquillian.xml @@ -419,7 +419,7 @@ "keycloak.connectionsInfinispan.remoteStorePort": "${keycloak.connectionsInfinispan.remoteStorePort:11222}", "keycloak.connectionsInfinispan.remoteStoreEnabled": "${keycloak.connectionsInfinispan.remoteStoreEnabled:true}", "keycloak.connectionsInfinispan.hotrodProtocolVersion": "${keycloak.connectionsInfinispan.hotrodProtocolVersion}", - "keycloak.userSessions.infinispan.preloadOfflineSessionsFromDatabase": "${keycloak.userSessions.infinispan.preloadOfflineSessionsFromDatabase:true}", + "keycloak.userSessions.infinispan.preloadOfflineSessionsFromDatabase": "${keycloak.userSessions.infinispan.preloadOfflineSessionsFromDatabase:false}", "keycloak.connectionsJpa.url": "${keycloak.connectionsJpa.url.crossdc:jdbc:h2:mem:test-dc-shared}", "keycloak.connectionsJpa.driver": "${keycloak.connectionsJpa.driver.crossdc:org.h2.Driver}", "keycloak.connectionsJpa.driverDialect": "${keycloak.connectionsJpa.driverDialect.crossdc:}" 
@@ -446,7 +446,7 @@ "keycloak.connectionsInfinispan.remoteStorePort": "${keycloak.connectionsInfinispan.remoteStorePort:11222}", "keycloak.connectionsInfinispan.remoteStoreEnabled": "${keycloak.connectionsInfinispan.remoteStoreEnabled:true}", "keycloak.connectionsInfinispan.hotrodProtocolVersion": "${keycloak.connectionsInfinispan.hotrodProtocolVersion}", - "keycloak.userSessions.infinispan.preloadOfflineSessionsFromDatabase": "${keycloak.userSessions.infinispan.preloadOfflineSessionsFromDatabase:true}", + "keycloak.userSessions.infinispan.preloadOfflineSessionsFromDatabase": "${keycloak.userSessions.infinispan.preloadOfflineSessionsFromDatabase:false}", "keycloak.connectionsJpa.url": "${keycloak.connectionsJpa.url.crossdc:jdbc:h2:mem:test-dc-shared}", "keycloak.connectionsJpa.driver": "${keycloak.connectionsJpa.driver.crossdc:org.h2.Driver}", "keycloak.connectionsJpa.driverDialect": "${keycloak.connectionsJpa.driverDialect.crossdc:}" @@ -474,7 +474,7 @@ "keycloak.connectionsInfinispan.remoteStorePort": "${keycloak.connectionsInfinispan.remoteStorePort.2:11222}", "keycloak.connectionsInfinispan.remoteStoreEnabled": "${keycloak.connectionsInfinispan.remoteStoreEnabled:true}", "keycloak.connectionsInfinispan.hotrodProtocolVersion": "${keycloak.connectionsInfinispan.hotrodProtocolVersion}", - "keycloak.userSessions.infinispan.preloadOfflineSessionsFromDatabase": "${keycloak.userSessions.infinispan.preloadOfflineSessionsFromDatabase:true}", + "keycloak.userSessions.infinispan.preloadOfflineSessionsFromDatabase": "${keycloak.userSessions.infinispan.preloadOfflineSessionsFromDatabase:false}", "keycloak.connectionsJpa.url": "${keycloak.connectionsJpa.url.crossdc:jdbc:h2:mem:test-dc-shared}", "keycloak.connectionsJpa.driver": "${keycloak.connectionsJpa.driver.crossdc:org.h2.Driver}", "keycloak.connectionsJpa.driverDialect": "${keycloak.connectionsJpa.driverDialect.crossdc:}" 
@@ -501,7 +501,7 @@ "keycloak.connectionsInfinispan.remoteStorePort": "${keycloak.connectionsInfinispan.remoteStorePort.2:11222}", "keycloak.connectionsInfinispan.remoteStoreEnabled": "${keycloak.connectionsInfinispan.remoteStoreEnabled:true}", "keycloak.connectionsInfinispan.hotrodProtocolVersion": "${keycloak.connectionsInfinispan.hotrodProtocolVersion}", - "keycloak.userSessions.infinispan.preloadOfflineSessionsFromDatabase": "${keycloak.userSessions.infinispan.preloadOfflineSessionsFromDatabase:true}", + "keycloak.userSessions.infinispan.preloadOfflineSessionsFromDatabase": "${keycloak.userSessions.infinispan.preloadOfflineSessionsFromDatabase:false}", "keycloak.connectionsJpa.url": "${keycloak.connectionsJpa.url.crossdc:jdbc:h2:mem:test-dc-shared}", "keycloak.connectionsJpa.driver": "${keycloak.connectionsJpa.driver.crossdc:org.h2.Driver}", "keycloak.connectionsJpa.driverDialect": "${keycloak.connectionsJpa.driverDialect.crossdc:}" diff --git a/testsuite/model/pom.xml b/testsuite/model/pom.xml index 184b69270a..e53eaea46b 100644 --- a/testsuite/model/pom.xml +++ b/testsuite/model/pom.xml @@ -30,6 +30,7 @@ file:${project.build.directory}/dependency/log4j.properties true false + disabled @@ -160,6 +161,7 @@ ${keycloak.connectionsJpa.url} file:${project.build.directory}/test-classes/log4j.properties ${keycloak.userSessions.infinispan.preloadOfflineSessionsFromDatabase} + ${keycloak.profile.feature.offline_session_preloading} org.jboss.logmanager.LogManager log4j ${infinispan.version} @@ -226,6 +228,7 @@ legacy-jpa+cross-dc-infinispan-offline-sessions-preloading CrossDCInfinispan,LegacyJpa + enabled true @@ -234,6 +237,7 @@ legacy-jpa+infinispan-offline-sessions-preloading Infinispan,LegacyJpa + enabled true