
Caching (Redis)

OpenGate IAM uses Redis 7 for session storage, token blacklisting, rate limiting, and distributed caching.

What Is Cached

| Data | TTL | Service |
| User sessions | Configurable (default 30 days) | Session Service |
| Refresh tokens | 30 days | Auth Service |
| Revoked / blacklisted tokens | Until expiry | Auth Service |
| OTP codes (email / SMS) | 10 minutes | MFA Service |
| Rate limit counters | 1 minute | Gateway |

Connection Configuration

application.yml
spring:
  data:
    redis:
      host: ${REDIS_HOST:localhost}
      port: ${REDIS_PORT:6379}
      password: ${REDIS_PASSWORD:}
      timeout: 2000ms
      lettuce:
        pool:
          max-active: 8
          max-idle: 8
          min-idle: 2
          max-wait: -1ms

Session Storage

Sessions are stored as Redis hashes with a structured key:

session:{realmId}:{sessionId}  →  Hash { userId, roles, createdAt, expiresAt, ... }

TTL is set on creation and refreshed on each token renewal.

Token Blacklist

When a user logs out or a token is revoked, the JTI (JWT ID) is stored in Redis until the token's natural expiry:

blacklist:jti:{jwtId}  →  "1"  (expires at token exp)

The Gateway checks this key on every request before forwarding to downstream services.
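
The blacklist lifecycle described above, as an added example that is not OpenGate's own code: revocation writes blacklist:jti:{jwtId} with an expiry equal to the token's exp, and the gateway-side check looks the key up. FakeRedis, make_token, jwt_claims, revoke and is_revoked are hypothetical names; FakeRedis is an in-memory stand-in so the example runs without a server, and signature verification is assumed to happen before these functions are called.

```python
import base64
import json

class FakeRedis:
    """In-memory stand-in for SET ... EXAT and EXISTS so the example runs offline.
    Method names and arguments mirror redis-py's set()/exists()."""
    def __init__(self, clock):
        self._data, self._clock = {}, clock
    def set(self, key, value, exat):
        self._data[key] = (value, exat)          # SET key value EXAT <unix seconds>
    def exists(self, key):
        entry = self._data.get(key)
        if entry and entry[1] <= self._clock():  # Redis drops the key at its expiry time
            del self._data[key]
            entry = None
        return 1 if entry else 0

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_token(jti, exp):
    """Constructed sample token; the signature segment is a placeholder."""
    return f"{_b64url({'alg': 'HS256', 'typ': 'JWT'})}.{_b64url({'jti': jti, 'exp': exp})}.sig"

def jwt_claims(token):
    """Decode the payload only. Assumes the signature was already verified upstream."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)         # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def revoke(redis, token, now):
    """Logout/revocation: store the JTI until the token's own exp."""
    claims = jwt_claims(token)
    if claims["exp"] <= now:
        return False                             # already expired, nothing to blacklist
    redis.set(f"blacklist:jti:{claims['jti']}", "1", exat=int(claims["exp"]))
    return True

def is_revoked(redis, token):
    """Gateway check, run on every request before forwarding downstream."""
    return redis.exists(f"blacklist:jti:{jwt_claims(token)['jti']}") == 1

if __name__ == "__main__":
    clock = [1_000]                              # constructed Unix time
    r = FakeRedis(lambda: clock[0])
    tok = make_token("abc123", exp=1_600)
    revoke(r, tok, now=clock[0])
    print(is_revoked(r, tok))                    # revoked while the token is still valid
    clock[0] = 1_600
    print(is_revoked(r, tok))                    # entry gone once the token has expired
```

Tying the key's expiry to exp keeps the blacklist from growing without bound: an entry disappears at the same moment the token would be rejected for expiry anyway.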

Redis AUTH (Password)

Enable Redis authentication in redis.conf:

redis.conf
requirepass your-strong-redis-password

Set the password in all service environment variables:

REDIS_PASSWORD=your-strong-redis-password

Enable Redis AUTH in production

An unprotected Redis instance exposes all sessions and tokens. Always set a strong password.

Redis Sentinel (High Availability)

For production HA, configure Redis Sentinel:

application.yml
spring:
  data:
    redis:
      sentinel:
        master: mymaster
        nodes:
          - sentinel1:26379
          - sentinel2:26379
          - sentinel3:26379
      password: ${REDIS_PASSWORD}

Redis Cluster

For horizontal scaling:

spring:
  data:
    redis:
      cluster:
        nodes:
          - redis-node-1:6379
          - redis-node-2:6379
          - redis-node-3:6379
        max-redirects: 3

Flushing Cache (Development)

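# Connect to Redis CLI
# (-a leaves the password in shell history and the process list;
#  redis-cli also reads it from the REDISCLI_AUTH environment variable)
redis-cli -h localhost -p 6379 -a your-password

# Flush all keys (CAUTION: logs out all users)
FLUSHALL

# Delete a specific session
DEL session:master:abc123

# List blacklisted tokens
# (KEYS walks the entire keyspace and blocks the server while it runs; development only)
KEYS blacklist:jti:*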

Never run FLUSHALL in production

This will invalidate all active sessions and force every user to log in again.

Monitoring

Use redis-cli monitor or expose Redis metrics via Redis Exporter for Prometheus:

# Key memory stats
redis-cli INFO memory

# Connected clients
redis-cli INFO clients

# Hit/miss ratio (keyspace_hits and keyspace_misses)
redis-cli INFO stats | grep keyspace