From 78efd18cca996b34aeb85ac52d58c02314533069 Mon Sep 17 00:00:00 2001 From: mposolda Date: Fri, 25 Nov 2016 22:18:52 +0100 Subject: [PATCH] KEYCLOAK-3825 Update about cache docs --- topics/clients/oidc/confidential.adoc | 3 +++ topics/identity-broker/oidc.adoc | 3 +++ topics/realms/cache.adoc | 5 +++-- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/topics/clients/oidc/confidential.adoc b/topics/clients/oidc/confidential.adoc index 198328a6c2..8783a5433f 100644 --- a/topics/clients/oidc/confidential.adoc +++ b/topics/clients/oidc/confidential.adoc @@ -45,4 +45,7 @@ client changes it's keys, {{book.project.name}} will automatically download them If you use client secured by {{book.project.name}} adapter, you can configure the JWKS URL like https://myhost.com/myapp/k_jwks assuming that https://myhost.com/myapp is the root URL of your client application. See {{book.developerguide.link}}[{{book.developerguide.name}}] for additional details. +WARNING: For the performance purposes, {{book.project.name}} caches the public keys of the OIDC clients. If you think that private key of your client +was compromised, it is obviously good to update your keys, but it's also good to clear the keys cache. See <> +section for more details. diff --git a/topics/identity-broker/oidc.adoc b/topics/identity-broker/oidc.adoc index b89d0ab7f1..f7a4eec0be 100644 --- a/topics/identity-broker/oidc.adoc +++ b/topics/identity-broker/oidc.adoc 
@@ -53,6 +53,9 @@ You must define the OpenID Connection configuration options as well. They basic |Validate Signatures |Another optional switch. This is to specify if {{book.project.name}} will verify the signatures on the external ID Token signed by this Identity provider. If this is on, the {{book.project.name}} will need to know the public key of the external OIDC identity provider. See below for how to setup it. +WARNING: For the performance purposes, {{book.project.name}} caches the public key of the external OIDC identity provider. If you think that private key of your Identity provider +was compromised, it is obviously good to update your keys, but it's also good to clear the keys cache. See +<> section for more details. |Use JWKS URL |Applicable just `Validate Signatures` is on. If the switch is on, then identity provider public keys will be downloaded from given JWKS URL. diff --git a/topics/realms/cache.adoc b/topics/realms/cache.adoc index 31096ba147..ad01457215 100644 --- a/topics/realms/cache.adoc +++ b/topics/realms/cache.adoc @@ -1,9 +1,10 @@ - +[[_clear-cache]] === Clearing Server Caches {{book.project.name}} will cache everything it can in memory within the limits of your JVM and/or the limits you've configured it for. If the {{book.project.name}} database is modified by a third party (i.e. a DBA) outside the scope of the server's REST APIs or Admin Console -there's a chance parts of the in-memory cache may be stale. You can clear the realm and user caches from the Admin Console by going +there's a chance parts of the in-memory cache may be stale. You can clear the realm cache, user cache or cache of external public keys (Public keys of + external clients or Identity providers, which {{book.project.name}} usually uses for verify signatures of particular external entity) from the Admin Console by going to the `Realm Settings` left menu item and the `Cache` tab. .Keys tab
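Review bot: in the topics/clients/oidc/confidential.adoc hunk the WARNING recommends clearing the cache but never states why it matters: until the keys cache is cleared, {{book.project.name}} keeps verifying client signatures with the previously cached public key, so rotating a compromised client key on its own does not stop tokens signed with the old key from being accepted. Suggest rewording to say that, and fixing the grammar at the same time: `WARNING: For performance reasons, {{book.project.name}} caches the public keys of OIDC clients. If the private key of your client has been compromised, rotate the client's keys and also clear the keys cache; otherwise the cached (compromised) public key remains trusted until the cache is cleared.` The cross-reference also renders here as `<>`; confirm the source reads `<<_clear-cache>>` so it resolves to the `[[_clear-cache]]` anchor added in topics/realms/cache.adoc.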
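Review bot: in the topics/identity-broker/oidc.adoc hunk the WARNING lands inside the `Validate Signatures` table cell, between that row's description and `|Use JWKS URL`; an admonition paragraph only renders as an admonition in an AsciiDoc-style cell (`a|`), in a default cell it shows as literal text beginning with `WARNING:`, so either check the rendered table or move the warning out of the table. The text repeats the client warning with the same grammar problems (`For the performance purposes`, `If you think that private key of your Identity provider was compromised`); suggest the parallel fix: `For performance reasons, {{book.project.name}} caches the public key of the external OIDC identity provider. If the identity provider's private key has been compromised, update the keys and also clear the keys cache; until then the cached key remains trusted for ID token signature verification.` As in the client page, `<>` here should be `<<_clear-cache>>`.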
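Review bot: in the topics/realms/cache.adoc hunk the new parenthetical is hard to parse (`Public keys of external clients or Identity providers, which {{book.project.name}} usually uses for verify signatures of particular external entity`) and the line break leaves a leading space inside the parentheses. Suggest: `You can clear the realm cache, the user cache, or the cache of external public keys (the public keys of external clients and identity providers that {{book.project.name}} uses to verify signatures from those entities) from the Admin Console by going`. Since the two new warnings send readers here for the compromised-key case, this paragraph should also state that clearing the external public keys cache forces the keys to be downloaded again, so a rotated key takes effect immediately instead of a stale, possibly compromised, key staying in use. Minor: the text directs the reader to the `Cache` tab, but the figure caption that follows is still `.Keys tab`.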