keycloak / keycloak

Open Source Identity and Access Management For Modern Applications and Services
https://www.keycloak.org
Apache License 2.0
21.95k stars 6.57k forks

Deletion of users imported via user storage federation leaves dangling offline user and client sessions #20170

Open thomasdarimont opened 1 year ago

thomasdarimont commented 1 year ago

Area

storage

Describe the bug

Removing users imported by a user storage provider via the "remove imported" action in the admin UI does not clean up existing offline user sessions and offline client sessions. The many orphaned entries unnecessarily occupy a lot of storage, lead to large backups and can slow down index maintenance.

Version

21.1.1

Expected behavior

Offline user sessions and associated offline client sessions should also be removed if a federated user is deleted via the "remove imported" action.

Actual behavior

Offline user and client sessions are NOT removed when a federated user is deleted via "remove imported" action.

How to Reproduce?

1) Import a user via user storage federation.
2) Create a client that supports offline_access.
3) Create an offline session for the user for the client.
4) Look at the database tables offline_user_session and offline_client_session and look for the user's offline session for the given client.
5) For the user storage provider, execute the "remove imported" action.
6) Look at the database tables again: the sessions from before are still there, but there is no user anymore.

Anything else?

No response
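The condition described in the reproduction steps above (offline user sessions whose user row is gone, plus the client sessions hanging off them) can be checked and cleaned up directly in the database. The following is an added example and is not code from the issue author or from the Keycloak project. It uses an in-memory SQLite stand-in for three Keycloak JPA tables; the table and column names (USER_ENTITY.ID, OFFLINE_USER_SESSION.USER_ID / USER_SESSION_ID, OFFLINE_CLIENT_SESSION.USER_SESSION_ID / CLIENT_ID, OFFLINE_FLAG) are the editor's recollection of Keycloak's schema and are assumptions here, as are the user, session and client identifiers in the constructed fixture.

```python
"""Find and purge offline sessions whose owning user no longer exists.

Added example (not code from the Keycloak project or the issue author).
The column names below are assumed to match Keycloak's JPA schema; verify
them against your own database before pointing the DELETE statements at it.
"""
import sqlite3

SCHEMA = """
CREATE TABLE USER_ENTITY (
    ID TEXT PRIMARY KEY, REALM_ID TEXT, USERNAME TEXT, FEDERATION_LINK TEXT);
CREATE TABLE OFFLINE_USER_SESSION (
    USER_SESSION_ID TEXT, USER_ID TEXT, REALM_ID TEXT, OFFLINE_FLAG TEXT,
    LAST_SESSION_REFRESH INTEGER,
    PRIMARY KEY (USER_SESSION_ID, OFFLINE_FLAG));
CREATE TABLE OFFLINE_CLIENT_SESSION (
    USER_SESSION_ID TEXT, CLIENT_ID TEXT, OFFLINE_FLAG TEXT, TIMESTAMP INTEGER,
    PRIMARY KEY (USER_SESSION_ID, CLIENT_ID, OFFLINE_FLAG));
"""

# Offline user sessions whose USER_ID points at no USER_ENTITY row: the state
# the report describes after "remove imported".
ORPHAN_USER_SESSIONS = """
SELECT ous.USER_SESSION_ID, ous.USER_ID
FROM OFFLINE_USER_SESSION ous
WHERE NOT EXISTS (SELECT 1 FROM USER_ENTITY ue WHERE ue.ID = ous.USER_ID)
ORDER BY ous.USER_SESSION_ID
"""

# Offline client sessions that belong to such an orphaned user session.
ORPHAN_CLIENT_SESSIONS = """
SELECT ocs.USER_SESSION_ID, ocs.CLIENT_ID
FROM OFFLINE_CLIENT_SESSION ocs
JOIN OFFLINE_USER_SESSION ous ON ous.USER_SESSION_ID = ocs.USER_SESSION_ID
WHERE NOT EXISTS (SELECT 1 FROM USER_ENTITY ue WHERE ue.ID = ous.USER_ID)
ORDER BY ocs.USER_SESSION_ID, ocs.CLIENT_ID
"""


def build_fixture():
    """Constructed data: alice is still imported; bob was 'removed imported'
    (no USER_ENTITY row any more) but his offline sessions survived."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.execute("INSERT INTO USER_ENTITY VALUES (?, ?, ?, ?)",
                ("u-alice", "master", "alice", "ldap-provider-1"))
    con.executemany("INSERT INTO OFFLINE_USER_SESSION VALUES (?, ?, ?, ?, ?)", [
        ("s-alice-1", "u-alice", "master", "1", 1700000000),
        ("s-bob-1", "u-bob", "master", "1", 1700000000),  # dangling USER_ID
        ("s-bob-2", "u-bob", "master", "1", 1700000100),  # dangling USER_ID
    ])
    con.executemany("INSERT INTO OFFLINE_CLIENT_SESSION VALUES (?, ?, ?, ?)", [
        ("s-alice-1", "c-app", "1", 1700000000),
        ("s-bob-1", "c-app", "1", 1700000000),
        ("s-bob-2", "c-app", "1", 1700000100),
        ("s-bob-2", "c-other", "1", 1700000100),
    ])
    con.commit()
    return con


def find_orphans(con):
    """Read-only check: (orphan user sessions, orphan client sessions)."""
    return (con.execute(ORPHAN_USER_SESSIONS).fetchall(),
            con.execute(ORPHAN_CLIENT_SESSIONS).fetchall())


def purge_orphans(con):
    """Delete orphans in one transaction: client sessions first (they reference
    the user session), then the user sessions. Returns (users, clients) deleted."""
    with con:
        clients = con.execute("""
            DELETE FROM OFFLINE_CLIENT_SESSION
            WHERE USER_SESSION_ID IN (
                SELECT ous.USER_SESSION_ID FROM OFFLINE_USER_SESSION ous
                WHERE NOT EXISTS (SELECT 1 FROM USER_ENTITY ue WHERE ue.ID = ous.USER_ID))
        """).rowcount
        users = con.execute("""
            DELETE FROM OFFLINE_USER_SESSION
            WHERE NOT EXISTS (SELECT 1 FROM USER_ENTITY ue
                              WHERE ue.ID = OFFLINE_USER_SESSION.USER_ID)
        """).rowcount
    return users, clients


def remaining_counts(con):
    """(offline user sessions, offline client sessions) still present."""
    u = con.execute("SELECT COUNT(*) FROM OFFLINE_USER_SESSION").fetchone()[0]
    c = con.execute("SELECT COUNT(*) FROM OFFLINE_CLIENT_SESSION").fetchone()[0]
    return u, c


if __name__ == "__main__":
    db = build_fixture()
    print("orphans before:", find_orphans(db))
    print("deleted (user, client):", purge_orphans(db))
    print("orphans after:", find_orphans(db), "remaining:", remaining_counts(db))
```

Run the two SELECTs first to size the problem; only then run the DELETEs, and do so with the server stopped and a verified backup at hand. Keycloak also keeps offline sessions in its Infinispan caches, so rows removed behind its back can still be served from cache until the entry expires or the server restarts.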

thomasdarimont commented 1 year ago

@vmuzikar I think this issue could also be addressed in a 21.1.2 patch release.

vmuzikar commented 1 year ago

@thomasdarimont Thanks for the report. This is up to @keycloak/store team to decide. :)

martin-kanis commented 1 year ago

@thomasdarimont Thanks for the report. I was able to reproduce it. Furthermore, when you delete the user storage provider with orphaned sessions in the DB and then click on the sessions tab, you will get:

// in admin console
Unexpected non-whitespace character after JSON at position 2

// in browser console
http://0.0.0.0:8080/admin/realms/master/ui-ext/sessions?first=0&max=101&type=ALL&search=
400 Bad Request 
error : "unknown_error"

// keycloak log
no error

Do you know if this is a regression? In other words, are you aware of an older Keycloak version where this worked?

thomasdarimont commented 1 year ago

@martin-kanis Thanks for looking into it. No, I was not aware of the other problem in the session endpoint :-(

I'll take a quick look.

martin-kanis commented 1 year ago

Looking into the code, the orphaned offline sessions (and maybe also regular sessions) are not a new problem. Adding this functionality could be a little bit tricky if we don't want to list all users from the user provider and then remove their sessions. Therefore I don't think that this needs to be backported to 21.1.x or strictly fixed in Keycloak 22.

pedroigor commented 5 months ago

@martin-kanis Assigning this to you as you have started this.

Also marking as important because we do need to delete offline sessions when removing (federated) users.

keycloak-github-bot[bot] commented 4 months ago

Due to the amount of issues reported by the community we are not able to prioritise resolving this issue at the moment.

If you are affected by this issue, upvote it by adding a :thumbsup: to the description. We would also welcome a contribution to fix the issue.

martin-kanis commented 4 months ago

After an investigation, I figured out there is no harm from a security perspective related to orphaned sessions. An orphaned session cannot be misused if there is no user found. From the memory footprint perspective, we have an expiration in place that will eventually remove those sessions. Also, one can use a shorter lifespan for sessions imported into the caches. Due to those reasons, and the fact that there is no easy and performant solution at hand, we decided to lower the priority for this issue. The fix for the broken UI with orphaned sessions will come with https://github.com/keycloak/keycloak/issues/28801