Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
storage
Describe the bug
We are using user federation with a custom implementation via Keycloak User Storage SPI, this SPI calls an external REST API, these are the Keycloak interfaces the SPI is using:
org.keycloak.storage.UserStorageProviderorg.keycloak.storage.user.UserLookupProviderorg.keycloak.storage.user.UserQueryProviderorg.keycloak.credential.CredentialInputValidatororg.keycloak.credential.CredentialInputUpdaterorg.keycloak.storage.user.UserRegistrationProvider
We noticed requests to POST /realms/{realm}/protocol/{protocol}/token result in multiple calls to org.keycloak.storage.UserStorageManager.getUserById, which seemed strange since we have the following cache configured:
<local-cache name="users" statistics="true">
<encoding>
<key media-type="application/x-java-object"/>
<value media-type="application/x-java-object"/>
</encoding>
<memory storage="HEAP" max-count="10000" />
<expiration lifespan="1800000"/>
</local-cache>After some digging, we found what we think is causing this behavior, a change introduced in this commit b4b3527. To be more precise, the changes in this file b4b3527#diff-2df3739f3d8839fe9431e4147b70a2e5b65d0da63810b090dd30205d11715cc1, which explicitly fetch the user from the external storage, instead of using the cached value, multiple times.
This defeats the purpose of the users cache and is resulting in increased response times to get a token, this also happens when refreshing a token or when hitting userinfo.
Version
25.0.4
Regression
- The issue is a regression
Expected behavior
org.keycloak.storage.UserStorageManager.getUserById should be called once at most, per request to POST /realms/{realm}/protocol/{protocol}/token, the users cache should be used.
Actual behavior
org.keycloak.storage.UserStorageManager.getUserById is being called 9 times in our current implementation, the number of times can vary depending on the specific scopes/attributes/roles/groups being included in the token.
How to Reproduce?
- Create a custom federated store via https://www.keycloak.org/docs/latest/server_development/index.html#_user-storage-spi.
- Call
POST /realms/{realm}/protocol/{protocol}/token.
Anything else?
No response