High CPU usage with large number of active sessions

Hi,

Does anyone have experience with running Keycloak that supports a large number of concurrent active sessions?

We recently received a business requirement to extend the SSO Session Idle timeout from 1 hour to 12 hours. Because this is such a big jump for us, we are taking an approach of slowly extending the timeout to 2 hours first, and then 4, 6, and so forth. We didn’t see any issue when we extended the timeout to 2 hours. But when we got to 4 hours (which resulted in a little more than 1 million active sessions), we saw a significant increase in Keycloak CPU usage, jumping from ~20% to ~70%.

We are currently running a cluster of three Keycloak instances and the Keycloak version is v19.

Can anyone think of some areas we should look into to try to bring down the CPU usage? Or does anyone know if Keycloak has a known issue with a large number of active sessions?

Thanks in advance for your help!

Couple of things first:

  1. I’m sure this isn’t easy to hear, but you need to upgrade. Keycloak 19 is vulnerable to many CVEs and is hard to support at this point because there have been so many core features changed.
  2. You are missing the major upgrade to “persistent user sessions” in the current versions of Keycloak, which offloads user sessions to the database. This has several effects, including not losing sessions when restarting Keycloak, and limiting the memory required to run large numbers of sessions.

Regarding your specific question, there shouldn’t be anything specific that causes additional CPU because you have a larger number of active user sessions. In general, the big CPU consumers in Keycloak are password hashing and signing tokens. You may have a larger number of refreshes, which is causing additional CPU load, but a big jump sounds like something else is going on. There’s always the Infinispan variable that could be malfunctioning in some way at that scale. We’ve operated large clusters at this scale of concurrent user sessions, and there are all sorts of idiopathic problems we get with Infinispan.

My two cents is that you should suffer the upgrade before you start asking for help on this issue, as even the experts don’t really remember what Keycloak’s problems at X version were.

Thanks for the quick and insightful response! You are absolutely right about the upgrade. We are currently actively working on upgrading to v24, and then to v26 at a later date, mainly because we don’t want to introduce too many changes at once.

Thanks again for your help!
