Nitpick: My personal preference is to name these variables clientSessionTimeToExpire and userSessionTimeToExpire. WDYT? This is just a nitpick and maybe it is just me... On the other hand, this code around timeouts is already non that trivial and anything, which would make it a bit easier to understand is good.

I am not hard on this if you and others have different opinion and not a blocker for this PR IMO. Just a though :-)

Done! I have changed to userSessionTimeToExpire and clientSessionTimeToExpiretoo.

Just a little comment here to understand better the new calculation. It fixes two different issues:

• The max life was using the timestamp and not the STARTED_AT of the client session, which is directly wrong. We were calculating wrong max life (it was more an idle timeout than a max life).
• Besides there is a second issue (non functional, just a memory issue) that client sessions can remain in memory more than the the user session. That's a waste of memory. Imagine a client session which is created just few seconds before than the user session expires, the user session will be removed but the client one (useless) remains in memory all the max-life of the client session. For this second problem the USER_SESSION_STARTED_AT_NOTE is needed.

Regards!

Same as above (but again, a nitpick...)

Done!

Just thinking loud, that if this method also has UserSessionModel (or entity) as an argument, it will allow to:

• avoid introducing USER_SESSION_STARTED_AT_NOTE (which is another thing saved in the infinispan cache)
• allow more proper computation of sessionMaxLifespan with something like int sessionMaxLifespan = userSession.isRememberMe() ? Math.max(realm.getSsoSessionMaxLifespan(), realm.getSsoSessionMaxLifespanRememberMe()) : realm.getSsoSessionMaxLifespan();

On the other hand, it seems that having userSession available here may be fair amount of refactoring (and still not 100% sure if it is doable...). Also problem with not-100% accurate sessionMaxLifespan was even before this PR... So rather not worth an effort, but we're keeping as is now? Was just thinking if someone feels we should try to go this way, but I am myself rather not very keen on that...;-)

Yeah! I also thought about getting the user session somehow. But I detected a big change (probably we would need the user session id in the authentication session) and I decided to follow contributors idea which seems to be easier.

yeah, agree. Thanks!

Hi, thanks @rmartinc for taking both changes in the fix. However, after I submitted my first PR I realized that to properly calculating the the lifespan we need to know if the user session has 'remember me' on or not, so apart from USER_SESSION_STARTED_AT_NOTE I added also note if it's remember me.
I got it @mposolda it's yet another thing to keep but in our specific case with remember me set to 180 days compared to couple hours without it, memory increase with these attribute is nothing with amount of sessions that are deleted thanks to proper calculation.

@pjbober If we also want to include the remember me then maybe it's better to directly store the user session id. I think it will need a big refactoring but it probably makes sense. @mposolda WDYT? (I suppose this will only be for the infinispan implementation.)

@rmartinc @pjbober Will it be possible to have "remember me" as another note on AuthenticatedClientSessionModel? The storing userSessionId instead on AuthenticatedClientSessionModel (instead of "Started at" and "remember me") works as well, but if it requires a big refactoring or additional lookup of userSession from infinispan, then my preference would be to rather stick with "Started at" and "remember me" notes.

This needs to be in AuthenticatedClientSessionModel, not AuthenticatedClientSessionEntity

OK! It's done now! I have also created the method getUserSessionStarted more or less the same to getStarted.

This effectively means four very slow calls to update realm parameters upon setting and another four upon resetting in the finally block. Please consider replacling all these calls in all methods affected in this PR with RealmAttributeUpdater, and removing the changes in RealmManager.

For an example usage, see

Yeah! Good point! Done in the added methods!

These methods belong to either AuthenticatedClientSessionModel (not AuthenticatedClientSessionEntity) or into an utility method.

I need to maintain both in the infinispan project. This class is not related at all to AuthenticatedClientSessionModel so I cannot reuse the methods from there. So creating them here is more or less the same than creating a utility class in the infinispan section.

Let me know if you have a better idea.

Is it possible to move it to some "util" method instead of having it as a method on AbstractKeycloakTest? Maybe like StorageUtil class can be introduced for this (if there is not something like this already?)

AFAIK some tests still might have issues with "testing client"...

Out of curiosity, why we need to delete the offline session if importUserSession didn't find in the DB? Is it because we want to remove associated offline client sessions?

At this point we now the session is in the offline store but is expired. So it's removed now. If not it will be removed by some scheduled task later. I think that I needed this for the tests (because the sessions created by the new test remained in the store and other tests related with the persister counted them).

This defaults to timestamp while AuthenticatedClientSessionModel.getUserSessionStarted defaults to 0 if USER_SESSION_STARTED_AT_NOTE is not set. Is it intentional?

Yes, it's correct. Previously getTimestamp was always used. So this is maintaining the same behavior just in case. If we use 0 all the session without the note would be expired. Note that we are doing the same in the map part (here).

But why we don't use timestamp in AuthenticatedClientSessionModel but 0 instead?

default int getUserSessionStarted() {
        String started = getNote(USER_SESSION_STARTED_AT_NOTE);
        return started == null ? 0 : Integer.parseInt(started);
}

and older code

default int getStarted() {
        String started = getNote(STARTED_AT_NOTE);
        // Fallback to 0 if "started" note is not available. This can happen for the offline sessions migrated from old version where "startedAt" note was not yet available
        return started == null ? 0 : Integer.parseInt(started);
    }

We can do it, but I really don't know if it can be problematic. In AuthenticatedClientSessionEntity I simply created getUserSessionStarted following the same idea that was in getStarted (so I returned 0).

For the PR the classes that are really used are AuthenticatedClientSessionEntity and MapAuthenticatedClientSessionEntity (which don't implement AuthenticatedClientSessionEntity and re-implement the access to notes).

@mposolda Do you recall why you used 0 as default? To me, this implies that isIssuedBeforeSessionStart check will be always false meaning "legacy" sessions will always pass this check. At the same time, this PR adds https://github.com/keycloak/keycloak/pull/17525/files#diff-fd8b1c47da5ec7ee42d5450d3f7b73cdeef9c08af26b825c9245e3e6052c5cdfR1090 and https://github.com/keycloak/keycloak/pull/17525/files#diff-fd8b1c47da5ec7ee42d5450d3f7b73cdeef9c08af26b825c9245e3e6052c5cdfR1130 that uses timestamp instead 0.

Where I am heading with this, isn't better to use timestamp at the first place unless Marek remembers reasons why he used 0?

Yes, @martin-kanis, I can give it a try to see it brings any issue. We can change both methods to return the timestamp instead of 0 in AuthenticatedClientSessionEntity.

@martin-kanis @rmartinc This is good catch!

I recall this was added in this commit https://github.com/keycloak/keycloak/pull/8130/files#diff-b4014a5e9c73d54dc98153e6fa64803e21ab0646a75566cf74ca9a02abbb18db . And some related story behind that is described in this JIRA description https://issues.redhat.com/browse/KEYCLOAK-18368 .

The 0 was just a fallback, which was only used for "offline client sessions" migrated from previous version (As those offline client sessions didn't have "startedAt" note on them). In other words when it would use timestamp instead of 0 in that PR, we wouldn't be able to refresh offline tokens from previous version due this possible scenario:

• Offline token issued on old server (before KEYCLOAK-18368) at time 1000
• Keycloak server stopped and started with new Keycloak version (with KEYCLOAK-18368 applied)
• Refresh of the offline token at time 2000 would fail due this check https://github.com/keycloak/keycloak/blob/21.1.1/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java#L186-L189

Note that this check is needed exactly because of the scenario described in https://issues.redhat.com/browse/KEYCLOAK-18368. But at the same time, we should make sure that offline tokens from previous version must be possible to refresh. So that's the story of why it was originally added :-)

Now some thoughts for this PR:

IMO the ideal is, if this fallback to 0 (or timestamp) is effectively not needed anywhere. It looks that the only case how the USER_SESSION_STARTED_AT_NOTE note won't be present is (again) the offline sessions migrated from previous version?

AFAIK we don't need to care about new store as we don't support migrating of offline sessions created with the new store in previous versions. Is it correct @martin-kanis ? So we likely need to care just about old store and the offline sessions coming from UserSessionPersister.

So as long as all client sessions returned by JpaUserSessionPersisterProvider have this note on them, we should be good. If we always have corresponding UserSession (which AFAIK we have), we can just use userSession.getStarted() to fill that note before saving those persisted sessions in infinispan?

Also I wonder if AuthenticatedClientSessionModel.getUserSessionStarted() could be updated like this in this PR?

    default int getUserSessionStarted() {
        String started = getNote(USER_SESSION_STARTED_AT_NOTE);
        return started == null ? getUserSession().getStarted() : Integer.parseInt(started);
    }

In other words, fallback to look at userSession.getStarted() instead of using hardcoded value of 0 (or timestamp). Ideal is if AuthenticatedClientSessionEntity also has access to userSession, so it can look into it, but I suppose this would require some bigger refactoring, which we don't want to do in this PR?

In shortcut: In MigrationTest we have scenario for testing refresh of the offline-token from previous version. So it seems that this PR should be tested with MigrationTest to make sure it works. AFAIK MigrationTest is not yet in GH actions, so this may need to be done manually.

I have tested this with the MigrationTest and it works (mariadb only, but I think that's enough). I have also done two little changes:

• The change proposed by @mposolda in AuthenticatedClientSessionModel.getUserSessionStarted.
• And I also modified these lines commented by @martin-kanis. He is right and if 0 the previous check for isIssuedBeforeSessionStart fails.

For the previous comments, I think that returning 0 in AuthenticatedClientSessionModel interface is necessary. Not changing anything there in this PR for the moment.

WDYT now?

@mposolda Thanks for the explanation. Also the proposed changes make sense to me. So @rmartinc LGTM

This defaults to timestamp while AuthenticatedClientSessionModel.getStarted defaults to 0 if STARTED_AT_NOTE is not set. Is it intentional?

Yep, the same.