Skip to content

Avoid holding on to the realm in cached configurations #43758

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ahus1 merged 1 commit into from
Oct 28, 2025
Merged

Avoid holding on to the realm in cached configurations #43758

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RealmAdapter.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -727,13 +727,13 @@ public OAuth2DeviceConfig getOAuth2DeviceConfig() {
@Override
public CibaConfig getCibaPolicy() {
if (isUpdated()) return updated.getCibaPolicy();
return cached.getCibaConfig(session, modelSupplier);
return cached.getCibaConfig(modelSupplier);
}

@Override
public ParConfig getParPolicy() {
if (isUpdated()) return updated.getParPolicy();
return cached.getParConfig(session, modelSupplier);
return cached.getParConfig(modelSupplier);
}

@Override
Expand Down
12 changes: 4 additions & 8 deletions ...l/infinispan/src/main/java/org/keycloak/models/cache/infinispan/entities/CachedRealm.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -112,8 +112,6 @@ public class CachedRealm extends AbstractExtendableRevisioned {
protected int accessCodeLifespanUserAction;
protected int accessCodeLifespanLogin;
protected LazyLoader<RealmModel, OAuth2DeviceConfig> deviceConfig;
protected LazyLoader<RealmModel, CibaConfig> cibaConfig;
protected LazyLoader<RealmModel, ParConfig> parConfig;
protected int actionTokenGeneratedByAdminLifespan;
protected int actionTokenGeneratedByUserLifespan;
protected int notBefore;
Expand Down Expand Up @@ -229,8 +227,6 @@ public CachedRealm(Long revision, RealmModel model) {
accessTokenLifespanForImplicitFlow = model.getAccessTokenLifespanForImplicitFlow();
accessCodeLifespan = model.getAccessCodeLifespan();
deviceConfig = new DefaultLazyLoader<>(OAuth2DeviceConfig::new, null);
cibaConfig = new DefaultLazyLoader<>(CibaConfig::new, null);
parConfig = new DefaultLazyLoader<>(ParConfig::new, null);
accessCodeLifespanUserAction = model.getAccessCodeLifespanUserAction();
accessCodeLifespanLogin = model.getAccessCodeLifespanLogin();
actionTokenGeneratedByAdminLifespan = model.getActionTokenGeneratedByAdminLifespan();
Expand Down Expand Up @@ -531,12 +527,12 @@ public OAuth2DeviceConfig getOAuth2DeviceConfig(KeycloakSession session, Supplie
return deviceConfig.get(session, modelSupplier);
}

public CibaConfig getCibaConfig(KeycloakSession session, Supplier<RealmModel> modelSupplier) {
return cibaConfig.get(session, modelSupplier);
public CibaConfig getCibaConfig(Supplier<RealmModel> modelSupplier) {
return new CibaConfig(modelSupplier.get());
}

public ParConfig getParConfig(KeycloakSession session, Supplier<RealmModel> modelSupplier) {
return parConfig.get(session, modelSupplier);
public ParConfig getParConfig(Supplier<RealmModel> modelSupplier) {
return new ParConfig(modelSupplier.get());
}

public int getActionTokenGeneratedByAdminLifespan() {
Expand Down
1 change: 1 addition & 0 deletions server-spi/src/main/java/org/keycloak/models/AbstractConfig.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@

public abstract class AbstractConfig implements Serializable {

@Deprecated(since = "26.5", forRemoval = true)
protected transient Supplier<RealmModel> realm;

// Make sure setters are not called when calling this from constructor to avoid DB updates
Expand Down
30 changes: 13 additions & 17 deletions server-spi/src/main/java/org/keycloak/models/CibaConfig.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,10 +42,10 @@ public class CibaConfig extends AbstractConfig {
public static final int DEFAULT_CIBA_POLICY_INTERVAL = 5;
public static final String DEFAULT_CIBA_POLICY_AUTH_REQUESTED_USER_HINT = "login_hint";

private String backchannelTokenDeliveryMode = DEFAULT_CIBA_POLICY_TOKEN_DELIVERY_MODE;
private int expiresIn = DEFAULT_CIBA_POLICY_EXPIRES_IN;
private int poolingInterval = DEFAULT_CIBA_POLICY_INTERVAL;
private String authRequestedUserHint = DEFAULT_CIBA_POLICY_AUTH_REQUESTED_USER_HINT;
private String backchannelTokenDeliveryMode;
private int expiresIn;
private int poolingInterval;
private String authRequestedUserHint;

// client attribute names
public static final String OIDC_CIBA_GRANT_ENABLED = "oidc.ciba.grant.enabled";
Expand All @@ -54,23 +54,19 @@ public class CibaConfig extends AbstractConfig {
public static final String CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG = "ciba.backchannel.auth.request.signing.alg";

public CibaConfig(RealmModel realm) {
this.realm = () -> realm;

setBackchannelTokenDeliveryMode(realm.getAttribute(CIBA_BACKCHANNEL_TOKEN_DELIVERY_MODE));

String expiresIn = realm.getAttribute(CIBA_EXPIRES_IN);

if (StringUtil.isNotBlank(expiresIn)) {
setExpiresIn(Integer.parseInt(expiresIn));
this.backchannelTokenDeliveryMode = realm.getAttribute(CIBA_BACKCHANNEL_TOKEN_DELIVERY_MODE);
if (this.backchannelTokenDeliveryMode == null) {
this.backchannelTokenDeliveryMode = DEFAULT_CIBA_POLICY_TOKEN_DELIVERY_MODE;
}

String interval = realm.getAttribute(CIBA_INTERVAL);
this.expiresIn = realm.getAttribute(CIBA_EXPIRES_IN, DEFAULT_CIBA_POLICY_EXPIRES_IN);

if (StringUtil.isNotBlank(interval)) {
setPoolingInterval(Integer.parseInt(interval));
}
this.poolingInterval = realm.getAttribute(CIBA_INTERVAL, DEFAULT_CIBA_POLICY_INTERVAL);

setAuthRequestedUserHint(realm.getAttribute(CIBA_AUTH_REQUESTED_USER_HINT));
this.authRequestedUserHint = realm.getAttribute(CIBA_AUTH_REQUESTED_USER_HINT);
if (authRequestedUserHint == null) {
authRequestedUserHint = DEFAULT_CIBA_POLICY_AUTH_REQUESTED_USER_HINT;
}

this.realmForWrite = () -> realm;
}
Expand Down
12 changes: 2 additions & 10 deletions server-spi/src/main/java/org/keycloak/models/ParConfig.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,8 +16,6 @@
*/
package org.keycloak.models;

import org.keycloak.utils.StringUtil;

public class ParConfig extends AbstractConfig {

// realm attribute names
Expand All @@ -26,19 +24,13 @@ public class ParConfig extends AbstractConfig {
// default value
public static final int DEFAULT_PAR_REQUEST_URI_LIFESPAN = 60; // sec

private int requestUriLifespan = DEFAULT_PAR_REQUEST_URI_LIFESPAN;
private int requestUriLifespan;

// client attribute names
public static final String REQUIRE_PUSHED_AUTHORIZATION_REQUESTS = "require.pushed.authorization.requests";

public ParConfig(RealmModel realm) {
this.realm = () -> realm;

String requestUriLifespan = realm.getAttribute(PAR_REQUEST_URI_LIFESPAN);

if (StringUtil.isNotBlank(requestUriLifespan)) {
setRequestUriLifespan(Integer.parseInt(requestUriLifespan));
}
this.requestUriLifespan = realm.getAttribute(PAR_REQUEST_URI_LIFESPAN, DEFAULT_PAR_REQUEST_URI_LIFESPAN);

this.realmForWrite = () -> realm;
}
Expand Down
Loading