diff --git a/server_admin/topics.adoc b/server_admin/topics.adoc index e650a8c0e6..b5147feb3a 100644 --- a/server_admin/topics.adoc +++ b/server_admin/topics.adoc @@ -128,6 +128,7 @@ include::topics/threat/open-redirect.adoc[] include::topics/threat/password-db-compromised.adoc[] include::topics/threat/scope.adoc[] include::topics/threat/audience-limit.adoc[] +include::topics/threat/auth-sessions-limit.adoc[] include::topics/threat/sql.adoc[] include::topics/admin-cli.adoc[] diff --git a/server_admin/topics/threat/auth-sessions-limit.adoc b/server_admin/topics/threat/auth-sessions-limit.adoc new file mode 100644 index 0000000000..19731162ea --- /dev/null +++ b/server_admin/topics/threat/auth-sessions-limit.adoc 
@@ -0,0 +1,37 @@ +=== Limit Authentication Sessions + +{project_name} creates an authentication session for each authentication request within a realm. This session is internally represented by `RootAuthenticationSession`. Each `RootAuthenticationSession` can have multiple authentication sessions for a given client. In a browser authentication flow, the browser session translates to `RootAuthenticationSession` while browser tabs translate to a collection of authentication sessions within the `RootAuthenticationSession`. + +NOTE: This section describes deployments that use the {jdgserver_name} provider for authentication sessions. + +Higher memory usage and a network overload in a cluster may occur for deployments where there are many active `RootAuthenticationSession` with a lot of authentication sessions. + +There is a possibility to mitigate the aforementioned threats. The maximum allowed number of `RootAuthenticationSession` should be addressed by limiting the request rate per time on the proxy or load balancer in front of {project_name}. The maximum number of authentication sessions per `RootAuthenticationSession` can be configured in `authenticationSessions` SPI by setting property `authSessionsLimit`. The default value is set to 300 authentication sessions per a `RootAuthenticationSession`. When this limit is reached, the oldest authentication session will be removed after a new authentication session request. + +The following example shows how to limit the number of active authentication sessions per a `RootAuthenticationSession` to 100. + + +[source,xml] +---- + + ... + + infinispan + + + + + + + ... + +---- + +Equivalent configuration using CLI commands: + +[source,bash] +---- +/subsystem=keycloak-server/spi=authenticationSessions:add(default-provider=infinispan) +/subsystem=keycloak-server/spi=authenticationSessions/provider=infinispan:add(properties={authSessionsLimit => "100"},enabled=true) +---- +
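Review bot: the `[source,xml]` example in auth-sessions-limit.adoc is not usable as shown; its `+` lines carry only `...` and `infinispan` with no element markup, so the reader cannot see where `authSessionsLimit` goes. The committed block should spell out the full `spi` / `provider` / `property` elements for `authenticationSessions`, `infinispan` (enabled) and `authSessionsLimit` = `"100"` so that it matches the CLI commands that follow it. Two smaller points in the same file: the prose repeatedly says "per a `RootAuthenticationSession`" (should be "per `RootAuthenticationSession`") and "many active `RootAuthenticationSession`" (plural needed), and the sentence "the oldest authentication session will be removed after a new authentication session request" would be clearer as "when the limit is reached, a new authentication session request evicts the oldest one". Finally, the CLI block is tagged `[source,bash]` but contains jboss-cli operations, and `/subsystem=keycloak-server/spi=authenticationSessions:add(...)` will fail on an installation where that `spi` resource already exists; consider noting that the `add` step is only needed when the resource is absent, or showing the corresponding `write-attribute` form as an alternative.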