Recently we ran into a case where a misconfigured API user created some 40000 active sessions in a short time (that remained open). Signs of strain was showing at around 15000 sessions onwards when Infinispan began timing out (distributed cache config) and Keycloak began crashing (Java heap space out of memory). I think it's more to do with the memory/heap size at runtime - double check the Total Memory under Server Info on the admin console. If you are running Keycloak in a Docker container, note that the standard Keycloak image has hard coded
-Xmx512m (512MB max heap size). We overrode it by passing in
JAVA_OPTS="-XX:+UseContainerSupport -XX:InitialRAMPercentage=10 -XX:MaxRAMPercentage=90" (You cannot use JAVA_OPTS_APPEND because -Xmx will supersede the use of -XX:MaxRAMPercentage). Also we have added into our custom Event Listener that, on LOGIN events, if a user is found with more than, say, 1000 active sessions opened, it would automatically remove the oldest 200.