Red Hat build of Keycloak, RHBK-3021

duplicate key value violates unique constraint "constraint_offl_cl_ses_pk3" [GHI#39173]


      Before reporting an issue

      [x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      infinispan

      Describe the bug

      Hi, we find an error in the database table app_keycloak.OFFLINE_CLIENT_SESSION, though not very often.
      The full error is:
      Batch entry 0 insert into app_keycloak.OFFLINE_CLIENT_SESSION (DATA,TIMESTAMP,VERSION,CLIENT_ID,CLIENT_STORAGE_PROVIDER,EXTERNAL_CLIENT_ID,OFFLINE_FLAG,USER_SESSION_ID) values ((.........)) was aborted: ERROR: duplicate key value violates unique constraint "constraint_offl_cl_ses_pk3"

      I think the problem is that multiple instances of my Keycloak want to write offline_session to the database. Those that try to write later get an error from the database that such a session already exists. Which instance writes to the database should be controlled by the Infinispan cache, which works correctly most of the time, because this error is only occasional.

      Our Keycloak instances run in AKS. We use dns.DNS_PING for discovery with headless-service.

        - KC_CACHE_STACK=kubernetes
        - KC_CACHE=ispn
        - KEYCLOAK_STATISTICS=db,http,jgroups
        - JGROUPS_DISCOVERY_PROTOCOL=dns.DNS_PING
        - JGROUPS_TRANSPORT_STACK=tcp
        - JGROUPS_DISCOVERY_PROPERTIES=dns_query=keycloak-headless
      
      apiVersion: v1
      kind: Service
      metadata:
        name: keycloak-headless
      spec:
        publishNotReadyAddresses: true
        clusterIP: None
        ports:
          - name: ping
            port: 7800
            targetPort: 7800
            protocol: TCP
        selector:
          app: ew-keycloak

      I tried adding mode=SYNC and changing the number of owners in cache-ispn.xml for the distributed-cache of offlineSessions, but the error still persists.

      In the JGroups logs I can see that the pods successfully see each other.

      Version

      26.1.1

      Regression

      [ ] The issue is a regression

      Expected behavior

      Always only one instance of Keycloak will write offline sessions, so there will be no conflict in the database.

      Actual behavior

      Multiple instances of Keycloak try to write offline_session and only the first one is successful; the others end with an error on duplicate keys.

      How to Reproduce?

      • Run Keycloak in an AKS cluster with more than one instance.
      • Use DNS_PING for JGroups discovery.
      • Obtain an offline session.

      Anything else?

      No response

              Unassigned Unassigned
              pvlha Pavel Vlha
              Keycloak SRE