I implemented custom Authenticator, that checks user sessions by username and when number of sessions more than 0, trying to remove sessions using userSessionProvider.removeUserSessions.
The question is how to lock reading and removing sessions in one transaction to prevent race conditions?
I found lockUserSessionsForModification method of LockObjectsForModification class in Keycloak source code, but looking into implementation of this method, i don’t see any locking mechanism. Can i use this method for locking or how can i do that in other way?
I can‘t answer your question.
But Keycloak alteady has an embedded session restriction mechanism ootb. Is there a reason why you don‘t use this?
I have a custom logic, that depends on user attribute, user can have several sessions or only 1. So, in case of 1 session, we need to remove all sessions at the end of custom flow and then new session will be created. I don’t if mechanism, you mentioned, can resolve my problem.
Also, probably, you can help to understand using of method lockUserSessionsForModification
Exampple:
userSession = lockUserSessionsForModification(session, () → session.sessions().getUserSession(realm, authSession.getParentSession().getId()));