We realized that keycloak clears the expired sessions from cache only on restart. This has the effect, that sooner or later we run into an out-of-memory situation.
Is there a way to configure clearing the cache on a daily?
According to the documentation,
"Expired sessions are cleared internally by Keycloak itself to avoid growing the size of these caches without limit. "
But this does not happen, so I assume we may configure something wrong?
Here are some parts of the realm configuration (I’m glad to provide more information):
With that configuration I would expect the sessions to be cleared from cache after 30 days
{
“notBefore”: 0,
“defaultSignatureAlgorithm”: “RS256”,
“revokeRefreshToken”: false,
“refreshTokenMaxReuse”: 0,
“accessTokenLifespan”: 300,
“accessTokenLifespanForImplicitFlow”: 900,
“ssoSessionIdleTimeout”: 2592000,
“ssoSessionMaxLifespan”: 131400000,
“ssoSessionIdleTimeoutRememberMe”: 0,
“ssoSessionMaxLifespanRememberMe”: 0,
“offlineSessionIdleTimeout”: 2592000,
“offlineSessionMaxLifespanEnabled”: false,
“offlineSessionMaxLifespan”: 5184000,
“clientSessionIdleTimeout”: 0,
“clientSessionMaxLifespan”: 0,
“clientOfflineSessionIdleTimeout”: 0,
“clientOfflineSessionMaxLifespan”: 0,
“accessCodeLifespan”: 60,
“accessCodeLifespanUserAction”: 300,
“accessCodeLifespanLogin”: 1800,
“actionTokenGeneratedByAdminLifespan”: 43200,
“actionTokenGeneratedByUserLifespan”: 300,
“oauth2DeviceCodeLifespan”: 600,
“oauth2DevicePollingInterval”: 5,
“enabled”: true,
“sslRequired”: “external”,
“registrationAllowed”: false,
“registrationEmailAsUsername”: false,
“rememberMe”: true,
“verifyEmail”: false,
“loginWithEmailAllowed”: false,
“duplicateEmailsAllowed”: true,
“resetPasswordAllowed”: true,
“editUsernameAllowed”: true,
“bruteForceProtected”: true,
“permanentLockout”: false,
“maxFailureWaitSeconds”: 900,
“minimumQuickLoginWaitSeconds”: 60,
“waitIncrementSeconds”: 60,
“quickLoginCheckMilliSeconds”: 1000,
“maxDeltaTimeSeconds”: 43200,
and the client attributes:
“attributes”: {
“access.token.lifespan”: “60”,
“saml.force.post.binding”: “false”,
“saml.multivalued.roles”: “false”,
“oauth2.device.authorization.grant.enabled”: “false”,
“backchannel.logout.revoke.offline.tokens”: “false”,
“saml.server.signature.keyinfo.ext”: “false”,
“use.refresh.tokens”: “true”,
“oidc.ciba.grant.enabled”: “false”,
“backchannel.logout.session.required”: “true”,
“client_credentials.use_refresh_token”: “false”,
“client.offline.session.idle.timeout”: “900”,
“require.pushed.authorization.requests”: “false”,
“saml.client.signature”: “false”,
“client.offline.session.max.lifespan”: “900”,
“client.session.max.lifespan”: “900”,
“client.session.idle.timeout”: “900”,
“id.token.as.detached.signature”: “false”,
“saml.assertion.signature”: “false”,
“saml.encrypt”: “false”,
“saml.server.signature”: “false”,
“exclude.session.state.from.auth.response”: “false”,
“saml.artifact.binding”: “false”,
“saml_force_name_id_format”: “false”,
“tls.client.certificate.bound.access.tokens”: “false”,
“saml.authnstatement”: “false”,
“display.on.consent.screen”: “false”,
“saml.onetimeuse.condition”: “false”
},