From bce56fe5c044a3a91af644a58c49ed8304b2f4f1 Mon Sep 17 00:00:00 2001 From: mposolda Date: Thu, 8 Oct 2020 16:05:50 +0200 Subject: [PATCH] KEYCLOAK-15770 Skip creating session for docker protocol authentication --- server_admin/topics.adoc | 1 + server_admin/topics/sessions/transient.adoc | 11 +++++++++++ server_admin/topics/sso-protocols/docker.adoc | 4 ++++ upgrading/topics/keycloak/changes.adoc | 6 ++++++ 4 files changed, 22 insertions(+) create mode 100644 server_admin/topics/sessions/transient.adoc diff --git a/server_admin/topics.adoc b/server_admin/topics.adoc index cd94e3c544..0a23ac5611 100644 --- a/server_admin/topics.adoc +++ b/server_admin/topics.adoc @@ -93,6 +93,7 @@ include::topics/sessions/administering.adoc[] include::topics/sessions/revocation.adoc[] include::topics/sessions/timeouts.adoc[] include::topics/sessions/offline.adoc[] +include::topics/sessions/transient.adoc[] include::topics/user-federation.adoc[] include::topics/user-federation/ldap.adoc[] include::topics/user-federation/sssd.adoc[] diff --git a/server_admin/topics/sessions/transient.adoc b/server_admin/topics/sessions/transient.adoc new file mode 100644 index 0000000000..36644b494e --- /dev/null +++ b/server_admin/topics/sessions/transient.adoc 
@@ -0,0 +1,11 @@ +[[_transient-session]] + +=== Transient sessions + +{project_name} has concept of transient sessions. When transient sessions are used, there is no real user session created after successful authentication. +Only a temporary transient session is created for the scope of the current request that successfully authenticated the user. This transient session allows {project_name} +to run <<_protocol-mappers, protocol mappers>> after the authentication. + +When transient sessions are used, the client application has no way to refresh or introspect the token or check if a specific session is valid. +In some situations, these actions are not needed, so you can avoid the additional overhead for persistence of user sessions. +This would mean the save of performance, memory and network communication (in case of cluster and cross-datacenter environments). diff --git a/server_admin/topics/sso-protocols/docker.adoc b/server_admin/topics/sso-protocols/docker.adoc index 2399458b6f..b86823a04d 100644 --- a/server_admin/topics/sso-protocols/docker.adoc +++ b/server_admin/topics/sso-protocols/docker.adoc 
@@ -17,6 +17,10 @@ NOTE: This flow assumes that a `docker login` command has already been performed * The Docker client will get the bearer token from the JSON response and use it in the Authorization header to request the protected resource. * When the Docker registry receives the new request for the protected resource with the token from the {project_name} server, the registry validates the token and grants access to the requested resource (if appropriate). +NOTE: No user session is created on the {project_name} side after successful authentication with the Docker protocol. The Docker protocol is +not used in case of browser SSO session and it does not have a way to refresh token or ask {project_name} server if a particular token/session +is still valid. So creating the session is unnecessary overhead for this protocol. For more details, see the <<_transient-session, transient session>> section. + ==== {project_name} Docker Registry v2 Authentication Server URI Endpoints {project_name} really only has one endpoint for all Docker auth v2 requests. diff --git a/upgrading/topics/keycloak/changes.adoc b/upgrading/topics/keycloak/changes.adoc index 7e794aab9e..a8c9adaf2b 100644 --- a/upgrading/topics/keycloak/changes.adoc +++ b/upgrading/topics/keycloak/changes.adoc @@ -1,5 +1,11 @@ == Migration Changes +=== Migrating to 12.0.0 + +==== Skip creation of user session for the Docker protocol authentication + +No user session is created after successful authentication with the Docker protocol. For details, please refer to the link:{adminguide_link}#_docker[{adminguide_name}]. + === Migrating to 11.0.0 ==== Upgrade to Wildfly 20
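Review bot: in the new `server_admin/topics/sessions/transient.adoc`, the wording of the first and last paragraphs needs tightening before merge: "{project_name} has concept of transient sessions" should read "{project_name} has the concept of transient sessions", and "This would mean the save of performance, memory and network communication (in case of cluster and cross-datacenter environments)" is awkward; suggest "This saves processing time and memory, and in clustered and cross-datacenter deployments it also saves network communication." The section should also spell out the security consequence that follows from its own statements: since no real user session exists, a token issued in a transient-session flow cannot be invalidated by revoking or logging out a user session, so the token's configured lifetime is the only bound on its validity. Finally, the section does not say which flows actually use transient sessions; the only reference on this patch is the Docker protocol, so either state that explicitly here or point at the docker section with `<<_docker>>`-style cross-reference so readers do not assume it applies to OIDC/SAML clients.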
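Review bot: in the `server_admin/topics/sso-protocols/docker.adoc` hunk, the added NOTE has several grammar slips: "The Docker protocol is not used in case of browser SSO session" should be "The Docker protocol is not used in a browser SSO session", and "it does not have a way to refresh token or ask {project_name} server if a particular token/session is still valid" should be "it has no way to refresh the token or ask the {project_name} server whether a particular token or session is still valid". More importantly for administrators, the NOTE should state the operational effect of "No user session is created": a Docker login will no longer appear under the user's or client's sessions and cannot be terminated from there, and the only way to limit a leaked Docker bearer token is the token lifespan, so readers know which knob to tune. Consider adding that sentence right before the "For more details" cross-reference.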
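Review bot: in the `upgrading/topics/keycloak/changes.adoc` hunk, the new "Migrating to 12.0.0" entry describes only the mechanism, not the behaviour change an upgrading administrator will notice. Suggest adding one sentence saying that Docker registry logins no longer show up as user sessions and can no longer be revoked through session management, so anyone relying on that must rely on the Docker token lifespan instead. Also verify that the `#_docker` anchor referenced in `link:{adminguide_link}#_docker` exists in `docker.adoc`; it is not visible in this patch, and the new `_transient-session` anchor added in this same series would be a second useful target here, e.g. `link:{adminguide_link}#_transient-session`.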