KEYCLOAK-16616 authenticationSessions map in RootAuthenticationSessionEntity grows unboundedly
This commit is contained in:
Martin Kanis
Hynek Mlnařík
parent
485e802ad8
commit
cbe50e046b
2 changed files with 38 additions and 0 deletions
|
|
@ -128,6 +128,7 @@ include::topics/threat/open-redirect.adoc[]
|
|||
include::topics/threat/password-db-compromised.adoc[]
|
||||
include::topics/threat/scope.adoc[]
|
||||
include::topics/threat/audience-limit.adoc[]
|
||||
include::topics/threat/auth-sessions-limit.adoc[]
|
||||
include::topics/threat/sql.adoc[]
|
||||
include::topics/admin-cli.adoc[]
|
||||
|
||||
|
|
|
|||
37
server_admin/topics/threat/auth-sessions-limit.adoc
Normal file
37
server_admin/topics/threat/auth-sessions-limit.adoc
Normal file
|
|
@ -0,0 +1,37 @@
|
|||
=== Limit Authentication Sessions
|
||||
|
||||
{project_name} creates an authentication session for each authentication request within a realm. This session is internally represented by `RootAuthenticationSession`. Each `RootAuthenticationSession` can have multiple authentication sessions for a given client. In a browser authentication flow, the browser session translates to `RootAuthenticationSession` while browser tabs translate to a collection of authentication sessions within the `RootAuthenticationSession`.
|
||||
|
||||
NOTE: This section describes deployments that use the {jdgserver_name} provider for authentication sessions.
|
||||
|
||||
Higher memory usage and a network overload in a cluster may occur for deployments where there are many active `RootAuthenticationSession` with a lot of authentication sessions.
|
||||
|
||||
There is a possibility to mitigate the aforementioned threats. The maximum allowed number of `RootAuthenticationSession` should be addressed by limiting the request rate per time on the proxy or load balancer in front of {project_name}. The maximum number of authentication sessions per `RootAuthenticationSession` can be configured in `authenticationSessions` SPI by setting property `authSessionsLimit`. The default value is set to 300 authentication sessions per a `RootAuthenticationSession`. When this limit is reached, the oldest authentication session will be removed after a new authentication session request.
|
||||
|
||||
The following example shows how to limit the number of active authentication sessions per a `RootAuthenticationSession` to 100.
|
||||
|
||||
|
||||
[source,xml]
|
||||
----
|
||||
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
|
||||
...
|
||||
<spi name="authenticationSessions">
|
||||
<default-provider>infinispan</default-provider>
|
||||
<provider name="infinispan" enabled="true">
|
||||
<properties>
|
||||
<property name="authSessionsLimit" value="100"/>
|
||||
</properties>
|
||||
</provider>
|
||||
</spi>
|
||||
...
|
||||
</subsystem>
|
||||
----
|
||||
|
||||
Equivalent configuration using CLI commands:
|
||||
|
||||
[source,bash]
|
||||
----
|
||||
/subsystem=keycloak-server/spi=authenticationSessions:add(default-provider=infinispan)
|
||||
/subsystem=keycloak-server/spi=authenticationSessions/provider=infinispan:add(properties={authSessionsLimit => "100"},enabled=true)
|
||||
----
|
||||
|
||||
Loading…
Reference in a new issue