Before reporting an issue

• I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

identity-brokering

Describe the bug

Hi,
we migrated to Keycloak 26.2.4 and we get quite frequently (at least once a day for 1500 login attempts) the following error ERROR: duplicate key value violates unique constraint "constraint_offl_us_ses_pk2"

Note that we have 2 keycloak instances targeting the same DB but when the error occur there is no switching from 1 server to another (all the logs are from the same instance).

The DB is postgresql 15.10. The KC_CACHE is set to ispn and KC_CACHE_STACK to jdbc-ping.

I tried to reproduce manually and find some patterns but could not.

Note that the error occurs on a realm where all the clients are SAML clients from other realms. The login flow just redirects to an external IDP.

Any idea what it could be ?

Here are the relevant logs
``keycloak-idp-0 {"timestamp":"2025-06-10T09:53:32.882084464Z","sequence":10854,"loggerClassName":"org.jboss.logging.Logger","loggerName":"org.keycloak.events","level":"DEBUG","message":"type="LOGIN", realmId="bu-id-broker-stg", realmName="bu-id-broker-stg", clientId="https://idb.anonymized.dummy/realms/myrealm\", userId="dc2768ec-c117-44fd-bc48-bf1d6f4348fb", sessionId="c40fb9ca-77fa-470a-b568-3faa73f4308b", ipAddress="147.161.181.93", identity_provider="external-idp", identity_provider_broker_session_id="external-idp.W7eTaDz6LXUJyYvmZNDfO0jSNiA=YEj25A==", redirect_uri="https://idb.anonymized.dummy/realms/myrealm/broker/sso-via-bu-idp/endpoint\", consent="no_consent_required", identity_provider_identity="myuniqueid", code_id="c40fb9ca-77fa-470a-b568-3faa73f4308b", username="me@anonymized.com", authSessionParentId="c40fb9ca-77fa-470a-b568-3faa73f4308b", authSessionTabId="jefMdwKZha8"","threadName":"executor-thread-26","threadId":96,"mdc":{},"ndc":"","hostName":"keycloak-idp-0","processName":"/usr/lib/jvm/java-21-openjdk-21.0.7.0.6-1.el9.x86_64/bin/java","processId":1}
keycloak-idp-0 {"timestamp":"2025-06-10T09:53:32.913635582Z","sequence":10857,"loggerClassName":"org.jboss.logging.Logger","loggerName":"org.keycloak.models.sessions.infinispan.changes.PersistentSessionsWorker","level":"WARN","message":"Running single changes in iteration 2 for 1 entries","threadName":"org.keycloak.models.sessions.infinispan.changes.PersistentSessionsWorker$BatchWorker","threadId":42,"mdc":{},"ndc":"","hostName":"keycloak-idp-0","processName":"/usr/lib/jvm/java-21-openjdk-21.0.7.0.6-1.el9.x86_64/bin/java","processId":1}
keycloak-idp-0 {"timestamp":"2025-06-10T09:53:32.930590244Z","sequence":10859,"loggerClassName":"org.jboss.logging.Logger","loggerName":"org.keycloak.services.error.KeycloakErrorHandler","level":"ERROR","message":"Uncaught server error","threadName":"executor-thread-26","threadId":96,"mdc":{},"ndc":"","hostName":"keycloak-idp-0","processName":"/usr/lib/jvm/java-21-openjdk-21.0.7.0.6-1.el9.x86_64/bin/java","processId":1,"exception":{"refId":1,"exceptionType":"java.lang.RuntimeException","message":"unable to complete the session updates","frames":[{"class":"org.keycloak.models.sessions.infinispan.changes.JpaChangesPerformer","method":"applyChanges","line":112},{"class":"java.lang.Iterable","method":"forEach","line":75},{"class":"org.keycloak.models.sessions.infinispan.changes.PersistentSessionsChangelogBasedTransaction","method":"commitImpl","line":222},{"class":"org.keycloak.models.AbstractKeycloakTransaction","method":"commit","line":46},{"class":"org.keycloak.services.DefaultKeycloakTransactionManager","method":"lambda$commitWithTracing$0","line":169},{"class":"org.keycloak.tracing.NoopTracingProvider","method":"trace","line":59},{"class":"org.keycloak.tracing.NoopTracingProvider","method":"trace","line":69},{"class":"org.keycloak.services.DefaultKeycloakTransactionManager","method":"commitWithTracing","line":168},{"class":"org.keycloak.services.DefaultKeycloakTransactionManager","method":"commit","line":146},{"class":"org.keycloak.services.DefaultKeycloakSession","method":"closeTransactionManager","line":396},{"class":"org.keycloak.services.DefaultKeycloakSession","method":"close","line":361},{"class":"org.keycloak.models.KeycloakBeanProducer_ProducerMethod_getKeycloakSession_XoSEUTXOsE3bpqXlGMAykCiECUM_ClientProxy","method":"close"}

...
{"class":"org.keycloak.models.utils.KeycloakModelUtils","method":"runJobInTransaction","line":330},{"class":"org.keycloak.models.sessions.infinispan.changes.PersistentSessionsWorker$BatchWorker","method":"process","line":97},{"class":"org.keycloak.models.sessions.infinispan.changes.PersistentSessionsWorker$BatchWorker","method":"run","line":76}],"causedBy":{"exception":{"refId":3,"exceptionType":"org.postgresql.util.PSQLException","message":"ERROR: duplicate key value violates unique constraint "constraint_offl_us_ses_pk2"\n Detail: Key (user_session_id, offline_flag)=(c40fb9ca-77fa-470a-b568-3faa73f4308b, 0) already exists``

Version

26.2.4

Regression

• The issue is a regression

Expected behavior

No login error.

Actual behavior

We get random 500 errors while authenticating.

How to Reproduce?

I am unable to.

Anything else?

No response