Rebased on current master

@martin-kanis Thanks or your suggestions. I'd prefer to leave the code as is for now, to keep the style in this class consistent.
A "streamification" should IMHO be applied afterwards in a holistic refactoring.

Btw. I think the JPA query result stream in org.keycloak.models.jpa.session.JpaUserSessionPersisterProvider#loadUserSessions should also be wrapped in org.keycloak.utils.StreamsUtil#closing.

I'm fine with adding the javadoc comments to the new API.

Regarding tests, how can I test offline-sessions with a custom InfinispanUserSessionProviderFactory configuration? I could not find any examples that test offline-token support appart from OfflineTokenTest. Would it be enough to run the OfflineTokenTest with a custom InfinispanUserSessionProviderFactory configuration? Would that be enough?

@thomasdarimont Actually the streamification epic was finished by this commit which also covers the JpaUserSessionPersisterProvider.java class. For this reason, we need all new code where it makes sense, to be using Java streams.

@martin-kanis Thanks for the hint. I just rebased the PR to the current master and revised the Streams API usage as you suggested.

Do you have an idea how I could address the testing issues I mentioned above?

@thomasdarimont Actually the streamification epic was finished by this commit which also covers the JpaUserSessionPersisterProvider.java class. For this reason, we need all new code where it makes sense, to be using Java streams.

I also think "streamification" should not be a design principle, but used when (after testing and profiling) and where it makes sense.

I would say that loading data and blocking at boot time is by itself a broken design. And for this particular case, it has a huge impact on use cases using offline sessions.

We have quite a few workarounds already to overcome this problem (e.g.: sessionsPerSegment, DB indexes, not sure if documented) that works until a certain point. Oracle, for instance, has a serious limitation on how much you can set sessionsPerSegment.

IMO, the proposed changes provide a good balance for those facing the problem we are fixing while sacrificing some functionality that is not used or important. It should also help to pave the road for further improvements and in a proper fix that not necessarily impacts existing functionality.

Hello @stianst, @pedroigor, @martin-kanis,

Thanks a lot for the great discussion and useful feedback!

"Describe what the side-effects are."

1. With the changes from this PR and preloadOfflineSessionsFromDatabase=true (current default)
   a) Keycloak will pre-load offline sessions at startup as usual - which might block the server start for a large number of offline-sessions for multiple minutes
   b) The number of offline-sessions per client in the admin-console is based on the offline-user session count in memory
   c) (new) If an offline user session is not found in memory, a database lookup is performed - if successful the offline-session is imported into infinispan. This useful in Kubernetes rolling upgrade, which's prone to "loose" some offline-sessions due to incomplete infinispan cache synchronizations.
   d) Everything else (session listing in admin-console etc.) works as before
   e) Admin-Console / Manage / Session -> will show the number of Active Sessions from memory and number of Offline-sessions from memory

2. With the changes from this PR and preloadOfflineSessionsFromDatabase=false
   a) Keycloak will NOT pre-load offline sessions at startup -> user-session / client-session caches will be empty at (server/cluster) start
   b) The number of offline-sessions per client in the admin-console is based on the offline-user session count in the database
   c) If an offline user session is not found in memory, a database lookup is performed - if successful the offline-session is imported into infinispan. This is useful with a rolling upgrade in Kubernetes, which's prone to "loose" some offline-sessions due to incomplete infinispan cache synchronizations.
   d) The client session listing in the admin-console might not show all offline-sessions or even be empty if no offline session were loaded yet. As there might be hundreds of millions of offline sessions, it is IMHO not useful at all to be able to list all via the admin-console. The warning "Warning, this is a potentially expensive operation depending on the number of offline tokens." gives a hint at this as well.
   e) Admin-Console / Manage / Session -> will show the number of Active Sessions from memory and the number of Offline-sessions from the database

"If it's an option, it needs documenting"

I'd document this alongside the mentioned sessionsPerSegment. As I also couldn't find a section about this in the docs,
I'd recommend adding a section "Performance Tuning" to Server Installation and Configuration Guide.

@stianst This PR is an IMHO workaround that solves a current flaw in Keycloak's offline-session handling that affects a large number of Keycloak deployments. This helps to solve scalability problems for IMHO a large number of users today.

Some useful enhancements

• Offline user-sessions caches could be configured with expiration to remove unused cache items after some time to save memory
• A user search could improve the listing of offline-sessions for a client in the admin-console, by allowing explicit user lookups.

This is, of course, not a replacement for the mid-long term storage architecture redesign :)

@thomasdarimont Thanks for the update, that's very useful information. Main thing I'd want is that there is no limitations that prevents people from being able to use it. For the account console will it load offline sessions from the DB for the given user so the user can see offline sessions even though they haven't been pre-loaded yet? For the admin console if I look at sessions for a given user does it show them then?

Reminding myself how the sessions management looks like in the admin console there's options to logout sessions for a given user, or all sessions, not for an individual application. So as long as we can logout for a given user I think we're covered here as a "working workaround" ;)

@stianst thanks for the quick reply.

For the account console will it load offline sessions from the DB for the given user so the user can see offline sessions even though they haven't been pre-loaded yet?

Good catch. If the offline user-session pre-loading is disabled and the offline user-session is not loaded yet, then the "revoke grant" button is missing in the applications page of the account-console. The current implementation of the ApplicationsBean seems to load the offline-sessions only from the cache.
I think this should be changed to try a database lookup as well, in case the offline session was not found in the cache.
We could either import the offline session or just extract the metadata from the database, which might be the proper way if we say that only a token refresh request should trigger offline user-session loading.

For the admin console if I look at sessions for a given user does it show them then?

If the offline user-session is not loaded yet, then user/consents will not list the offline_access grant.
Solution could be the same as above, we could load only the from the database without importing the offline-session.

I give this a quick try now.

@stianst @pedroigor I just updated the PR with the changes to fix the issues mentioned by stian

• The application page in the (old) account-console now triggers offline user-session loading and shows the "revoke access" button.
• The consents listing of the user page in the admin-console now triggers offline user-session loading and shows the offline-access consent

I think the only caveat rest is that admin-console -> clients -> client -> Offline Access will only show offline-sessions that are loaded in memory. The (total) number of offline sessions will be the correct count of offline-sessions in the database.

Just rebased on current master

Hi @thomasdarimont, would you have time to move this PR forward?

Hi @thomasdarimont This PR has been inactive for almost two weeks. Will you be able to move this PR forward?

@hmlnarik yes, I have a few days vacation ahead and I'm going to use some of my time to work on this.

As I've been also involved in the user-profile / validation API discussion, I had to adjust some priorities ;-)

@hmlnarik I updated the indices and rebased the branch again.

Btw. did you see #7902? I think that and this PR would work well together.

There is also the idea of expiring offline session cache entries to keep memory consumption low mentioned here: #7902 (comment)

@thomasdarimont Apologies I did not respond. Thank you for the updates, the PR looks much better. Could you please have a look at the failures of GitHub actions? They are related to this PR.

Yup, #7902 looks interesting though I've not yet have a chance to go through it in detail.

@thomasdarimont We (me and @nigtrifork) have been experimenting with lazy loading of the offlineClientSessions as an extension of this PR. The idea was to avoid the synchonization issues mentionen in the discoussion in #7902 if the offline session caches are configured to expire.
Do you think this could be viable solution for basically keeping the offline sessions in db, and only use the caches to most recent sessions ?

@thomasdarimont I opened a new PR #8033 which includes this PR plus rebase to current master plus adds some model tests. Let us please know whether you wish pull those changes here or we can close this PR and proceed with #8033. Thank you.

@martin-kanis thanks for the update! I have no problem closing this PR and continue in the combined efforts in the new one.

Thank you @thomasdarimont and @martin-kanis. Closing this one in favor of #8033.