I noticed that sessions that pass the SSO session idle and SSO session max aren't immediately deleted. They seem to be invalidated and therefor useless, but they are not getting immediately removed. I can view them in the sessions tab of the admin console.
Since I can't find an explanation for this, or how this mechanism works internally (didn't look into the code), I was wondering, if anyone could elaborate on what is going on? Is everything working as it should?
Keycloak relies heavily on Infinispan for caching. Many types of entities have dedicated caches configured directly to them, and sessions are not excluded.
When starting Keycloak, you specifiy a configuration file/operation mode ( via the -c parameter). For example, when I run my keycloak via docker I get the following command line:
java -D[Standalone] -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED -Dorg.jboss.boot.log.file=/opt/jboss/keycloak/standalone/log/server.log -Dlogging.configuration=file:/opt/jboss/keycloak/standalone/configuration/logging.properties -jar /opt/jboss/keycloak/jboss-modules.jar -mp /opt/jboss/keycloak/modules org.jboss.as.standalone -Djboss.home.dir=/opt/jboss/keycloak -Djboss.server.base.dir=/opt/jboss/keycloak/standalone -Djboss.bind.address=172.19.0.3 -Djboss.bind.address.private=172.19.0.3 -c=standalone-ha.xml -Dkeycloak.profile.feature.token_exchange=enabled -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled
you can see -D[Standalone] (for the operation mode) and -c=standalone-ha.xml, which points to the configuration XML file.
In it, you can see a section in the likes of:
<subsystem xmlns="urn:jboss:domain:infinispan:11.0">
<cache-container name="keycloak" module="org.keycloak.keycloak-model-infinispan">
<local-cache name="realms">
<heap-memory size="10000"/>
</local-cache>
<local-cache name="users">
<heap-memory size="10000"/>
</local-cache>
<local-cache name="sessions"/>
<local-cache name="authenticationSessions"/>
<local-cache name="offlineSessions"/>
<local-cache name="clientSessions"/>
<local-cache name="offlineClientSessions"/>
<local-cache name="loginFailures"/>
<local-cache name="work"/>
<local-cache name="authorization">
<heap-memory size="10000"/>
</local-cache>
<local-cache name="keys">
<heap-memory size="1000"/>
<expiration max-idle="3600000"/>
</local-cache>
<local-cache name="actionTokens">
<heap-memory size="-1"/>
<expiration interval="300000" max-idle="-1"/>
</local-cache>
</cache-container>
...
...
...
</subsystem>
You can try and tweak the various session caches expiration/lifespan attributes.
Have a look at Cache-Configuration section of the manual, and also on the xmlns infinispan-config specification