Before reporting an issue

[x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

identity-brokering

Describe the bug

Hi,
we migrated to Keycloak 26.2.4 and we get quite frequently (at least once a day for 1500 login attempts) the following error ERROR: duplicate key value violates unique constraint \"constraint_offl_us_ses_pk2\"

Note that we have 2 keycloak instances targeting the same DB but when the error occur there is no switching from 1 server to another (all the logs are from the same instance).

The DB is postgresql 15.10. The KC_CACHE is set to ispn and KC_CACHE_STACK to jdbc-ping.

I tried to reproduce manually and find some patterns but could not.

Note that the error occurs on a realm where all the clients are SAML clients from other realms. The login flow just redirects to an external IDP.

Any idea what it could be ?

Here are the relevant logs
``keycloak-idp-0 {"timestamp":"2025-06-10T09:53:32.882084464Z","sequence":10854,"loggerClassName":"org.jboss.logging.Logger","loggerName":"org.keycloak.events","level":"DEBUG","message":"type=\"LOGIN\", realmId=\"bu-id-broker-stg\", realmName=\"bu-id-broker-stg\", clientId=\"https://idb.anonymized.dummy/realms/myrealm\", userId=\"dc2768ec-c117-44fd-bc48-bf1d6f4348fb\", sessionId=\"c40fb9ca-77fa-470a-b568-3faa73f4308b\", ipAddress=\"147.161.181.93\", identity_provider=\"external-idp\", identity_provider_broker_session_id=\"external-idp.W7eTaDz6LXUJyYvmZNDfO0jSNiA=YEj25A==\", redirect_uri=\"https://idb.anonymized.dummy/realms/myrealm/broker/sso-via-bu-idp/endpoint\", consent=\"no_consent_required\", identity_provider_identity=\"myuniqueid\", code_id=\"c40fb9ca-77fa-470a-b568-3faa73f4308b\", username=\"me@anonymized.com\", authSessionParentId=\"c40fb9ca-77fa-470a-b568-3faa73f4308b\", authSessionTabId=\"jefMdwKZha8\"","threadName":"executor-thread-26","threadId":96,"mdc":{},"ndc":"","hostName":"keycloak-idp-0","processName":"/usr/lib/jvm/java-21-openjdk-21.0.7.0.6-1.el9.x86_64/bin/java","processId":1}
keycloak-idp-0 {"timestamp":"2025-06-10T09:53:32.913635582Z","sequence":10857,"loggerClassName":"org.jboss.logging.Logger","loggerName":"org.keycloak.models.sessions.infinispan.changes.PersistentSessionsWorker","level":"WARN","message":"Running single changes in iteration 2 for 1 entries","threadName":"org.keycloak.models.sessions.infinispan.changes.PersistentSessionsWorker$BatchWorker","threadId":42,"mdc":{},"ndc":"","hostName":"keycloak-idp-0","processName":"/usr/lib/jvm/java-21-openjdk-21.0.7.0.6-1.el9.x86_64/bin/java","processId":1}
keycloak-idp-0 {"timestamp":"2025-06-10T09:53:32.930590244Z","sequence":10859,"loggerClassName":"org.jboss.logging.Logger","loggerName":"org.keycloak.services.error.KeycloakErrorHandler","level":"ERROR","message":"Uncaught server error","threadName":"executor-thread-26","threadId":96,"mdc":{},"ndc":"","hostName":"keycloak-idp-0","processName":"/usr/lib/jvm/java-21-openjdk-21.0.7.0.6-1.el9.x86_64/bin/java","processId":1,"exception":{"refId":1,"exceptionType":"java.lang.RuntimeException","message":"unable to complete the session updates","frames":[

{"class":"org.keycloak.models.sessions.infinispan.changes.JpaChangesPerformer","method":"applyChanges","line":112}

,

{"class":"java.lang.Iterable","method":"forEach","line":75}

,

{"class":"org.keycloak.models.sessions.infinispan.changes.PersistentSessionsChangelogBasedTransaction","method":"commitImpl","line":222}

,

{"class":"org.keycloak.models.AbstractKeycloakTransaction","method":"commit","line":46}

,

{"class":"org.keycloak.services.DefaultKeycloakTransactionManager","method":"lambda$commitWithTracing$0","line":169}

,

{"class":"org.keycloak.tracing.NoopTracingProvider","method":"trace","line":59}

,

{"class":"org.keycloak.tracing.NoopTracingProvider","method":"trace","line":69}

,

{"class":"org.keycloak.services.DefaultKeycloakTransactionManager","method":"commitWithTracing","line":168}

,

{"class":"org.keycloak.services.DefaultKeycloakTransactionManager","method":"commit","line":146}

,

{"class":"org.keycloak.services.DefaultKeycloakSession","method":"closeTransactionManager","line":396}

,

{"class":"org.keycloak.services.DefaultKeycloakSession","method":"close","line":361}

,

{"class":"org.keycloak.models.KeycloakBeanProducer_ProducerMethod_getKeycloakSession_XoSEUTXOsE3bpqXlGMAykCiECUM_ClientProxy","method":"close"}

...

{"class":"org.keycloak.models.utils.KeycloakModelUtils","method":"runJobInTransaction","line":330}

,

{"class":"org.keycloak.models.sessions.infinispan.changes.PersistentSessionsWorker$BatchWorker","method":"process","line":97}

,

{"class":"org.keycloak.models.sessions.infinispan.changes.PersistentSessionsWorker$BatchWorker","method":"run","line":76}

],"causedBy":{"exception":{"refId":3,"exceptionType":"org.postgresql.util.PSQLException","message":"ERROR: duplicate key value violates unique constraint \"constraint_offl_us_ses_pk2\"\n Detail: Key (user_session_id, offline_flag)=(c40fb9ca-77fa-470a-b568-3faa73f4308b, 0) already exists``

Version

26.2.4

Regression

[x] The issue is a regression

Expected behavior

No login error.

Actual behavior

We get random 500 errors while authenticating.

How to Reproduce?

I am unable to.

Anything else?

No response