Regarding Duende Token Clean Up Job: Duende.IdentityServer.EntityFramework.TokenCleanupService

[vinakumar]

Which version of Duende IdentityServer are you using?
7.0.8

Which version of .NET are you using?
8.0

I have a few questions regarding the Token Cleanup Service—specifically how it works and its behavior, based on what I’ve observed in the code. here

From my understanding:

The job runs in batches and continues until all expired records are deleted.
However, in the documentation, the TokenCleanupBatchSize property is described as the "number of records," which seems a bit misleading. Based on the code, it appears to define the batch size, not the total number of records to delete.

• Our Current Configuration:

TokenCleanupBatchSize: 100
TokenCleanupInterval: 3600 (seconds)

• Please see the below configuration we have done at our end for Operational Store Settings:

.AddOperationalStore<DatabaseContext>(options =>
{
    options.ResolveDbContextOptions = DatabaseContext.InitializeDbContextBuilderOptions;

    options.EnableTokenCleanup = isTokenCleanupEnabled;

    options.RemoveConsumedTokens = operationalStoreSettings.RemoveConsumedTokens;

    options.TokenCleanupInterval = operationalStoreSettings.TokenCleanupInterval;

    options.TokenCleanupBatchSize = operationalStoreSettings.TokenCleanupBatchSize;
})

This suggests that the cleanup job is scheduled to run every hour, deleting expired grants in batches of 100.

However, after reviewing our application logs, it seems the job is not running consistently on a daily basis. We're also unsure about the exact time the job is triggered. In production, we often accumulate millions of expired records, and since the job doesn’t run regularly, our database size increases significantly. From observation, it seems the job runs only once every 7–10 days, which leads to a large backlog of expired records.

Could you please help clarify the following:

• What is the actual schedule or trigger mechanism for the token cleanup job?
• Is there a fixed time when the job runs?
• Under what conditions does the job execute?

Any insights or recommendations to improve the reliability of this process would be greatly appreciated.

• Please find below the versions of Identity Server & related packages we are using:

<Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <IsPackable>true</IsPackable>
	<IncludeSourceRevisionInInformationalVersion>false</IncludeSourceRevisionInInformationalVersion>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Azure.Identity" Version="1.12.0" />
    <PackageReference Include="Duende.IdentityServer.AspNetIdentity" Version="7.0.8" />
    <PackageReference Include="Duende.IdentityServer.EntityFramework" Version="7.0.8" />
    <PackageReference Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" Version="8.0.14" />
    <PackageReference Include="Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore" Version="8.0.14" />
    <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="8.0.14" />
    <PackageReference Include="Microsoft.AspNetCore.Identity.UI" Version="8.0.14" />
    <PackageReference Include="Microsoft.EntityFrameworkCore.Design" Version="8.0.14" />
    <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="8.0.14" />
    <PackageReference Include="Microsoft.Identity.Client" Version="4.71.1" />
    <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="8.0.2" />
    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="8.0.2" />
    <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="8.0.2" />
    <PackageReference Include="prometheus-net" Version="8.2.1" />
    <PackageReference Include="prometheus-net.AspNetCore" Version="8.2.1" />
    <PackageReference Include="Serilog.Enrichers.Environment" Version="3.0.1" />
    <PackageReference Include="Serilog.Enrichers.Sensitive" Version="1.7.3" />
    <PackageReference Include="Serilog.Extensions.Hosting" Version="9.0.0" />
    <PackageReference Include="Serilog.Expressions" Version="5.0.0" />
    <PackageReference Include="Serilog.Settings.Configuration" Version="9.0.0" />
    <PackageReference Include="Serilog.Sinks.Async" Version="2.1.0" />
    <PackageReference Include="Serilog.Sinks.Console" Version="6.0.0" />
    <PackageReference Include="Serilog.Sinks.Elasticsearch" Version="8.4.1" />
    <PackageReference Include="Serilog.Sinks.File" Version="7.0.0" />
    <PackageReference Include="System.Formats.Asn1" Version="9.0.2" />
    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.0.2" />
    <PackageReference Include="System.Runtime.Caching" Version="9.0.2" />
    <PackageReference Include="System.Security.Cryptography.Pkcs" Version="9.0.2" />
    <PackageReference Include="System.Text.Json" Version="9.0.2" />
	  <PackageReference Include="Ticketmaster.HealthCheck.AspNetCore" Version="2.5.0" />
	  <PackageReference Include="Ticketmaster.HealthCheck.Core" Version="3.5.0" />
	  <PackageReference Include="Ticketmaster.HealthCheck.Dependencies.SqlServer" Version="2.3.0" />
	  <PackageReference Include="Ticketmaster.HealthCheck.Prometheus" Version="2.4.0" />
	  <PackageReference Include="Ticketmaster.Monitoring.AspNetCore" Version="4.1.1" />
    <PackageReference Include="TMS.API.Client.Contracts" Version="1.4.3" />
    <PackageReference Include="TMS.OpenTelemetry.AspNetCore" Version="2.1.1" />
    <PackageReference Include="TMS.VaultClient" Version="2.8.2" />
  </ItemGroup>

  <ItemGroup>
    <ProjectReference Include="..\TMS.IdentityServer.Core\TMS.IdentityServer.Core.csproj" />
  </ItemGroup>

  <ItemGroup>
    <Folder Include="DataProtection\" />
  </ItemGroup>
</Project>

[wcabus]

When enabled, the cleanup service should run on the configured interval. The first time it runs, the delay is slightly different because of fuzzing being applied (if configured), but each subsequent run happens on the interval defined in the TokenCleanupInterval property. The reason why we apply this fuzzing delay, is to prevent multiple instances of IdentityServer to run the cleanup service simultaneously.

TheTokenCleanupBatchSize parameter indeed defines the number of records to clean up per delete operation instead of the total number of records that will be removed per run. The cleanup service will continue to clean up expired records as long as it finds enough data to delete (found >= TokenCleanupBatchSize).

Are you hosting IdentityServer as an Azure Function, Azure App Service or another kind of hosted service which isn't configured to be "always on" by any chance? The IdentityServer host needs to be running to ensure the cleanup service regularly performs its task.

[vinakumar]

Our Identity Server instances are deployed on AWS EC2. On our end, it's a multi-tenant application, meaning multiple tenants are using the same instance of the application.

The Identity Server instance is always available, which is why we're trying to understand the inconsistency in the Duende Token Cleanup job. Despite the instance being up continuously, the cleanup job does not run consistently.

As I mentioned earlier, the job appears to run approximately every 8–10 days. When it does run, it cleans up a large number of expired tokens, but then it stops running again. Meanwhile, expired tokens continue to accumulate in the database.

I've already shared the configured schedule for the Duende Token Cleanup job. We’re trying to understand why it’s not executing regularly despite the server being always available.

[vinakumar]

@wcabus
Could you please review my response when you get a chance?
I'd appreciate it if you could share your feedback.
Thanks in advance!

[wcabus]

Could you temporarily change the log levels to gain more debug data? This would help us in seeing when or if the cleanup host service starts its cleanup tasks, and if any issues are being logged while doing so.

If you're using Serilog, these are the log levels to use:

"Serilog": {
  "MinimumLevel": {
    "Default": "Warning",
      "Override": {

        "Microsoft.Extensions.DependencyInjection": "Debug",

        "Duende.IdentityServer.EntityFramework": "Debug"
    }
  }
}

Please ensure to sanitize any log output before posting it here. We're specifically looking for log lines containing:

• Starting grant removal
• Error entries from either Microsoft.EntityFrameworkCore.Database.Command or Duende.IdentityServer.EntityFramework.TokenCleanupService

[vinakumar]

Thank you for your response. I’ll review it to see if the suggested approach is feasible on our end.

Most likely, we’ll proceed with your recommendations and will share further updates accordingly.

Thanks again!