[keycloak-dev] Slow Direct Grants API endpoint

Stian Thorgersen stian at redhat.com
Tue Feb 3 02:59:00 EST 2015


Yep, that would do it ;)

The hashing algorithm used by Keycloak is PBKDF2 and we only use 1 iteration by default, but we highly recommend increasing that though. We should probably also consider increasing the default.

It's hard to give a definitive answer to this question as it is all relative, but for increased safety I'd say you should be looking at 5-10K iterations. Obviously the higher the better and you can and should cluster Keycloak for increased scalability and availability.

----- Original Message -----
> From: "Daniel Baxter" <daniel.baxter at cira.ca>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Monday, 2 February, 2015 5:03:44 PM
> Subject: RE: [keycloak-dev] Slow Direct Grants API endpoint
> 
> Hi,
> 
> I have just finished some testing on 1.1.0 Final and found that the core
> problem was that through an abundance of caution we have configured hash
> iterations to 100,000 (which I of course typoed to 1M on Beta 2 when I
> configured it). The performance delta between 1.0 and 1.1 is explained by
> the typo there. However, even with the change to 100K in place I found the
> endpoint was still too slow (600-800 ms) and discovered that it scaled
> linearly down as I reduced the iterations.
> 
> So I guess the question now is how many iterations is the default and how
> many would be a recommended "overly cautious" amount of iterations. I
> understand that keycloak defaults to Bcrypt hashing which is designed
> explicitly to be computationally expensive so I imagine iterations in the
> scope of 10-50 is probably sufficient to keep the passwords safe.
> 
> - Daniel
> 
> -----Original Message-----
> From: Stian Thorgersen [mailto:stian at redhat.com]
> Sent: Thursday, January 15, 2015 7:37 AM
> To: Daniel Baxter
> Cc: keycloak-dev at lists.jboss.org
> Subject: Re: [keycloak-dev] Slow Direct Grants API endpoint
> 
> Just ran some perf tests with default settings, 10 users and 10000 requests:
> 
>   Version                Average (ms)    Throughput
>   -------------------------------------------------
>   1.0.4.Final            18              468
>   1.1.0.Beta2            19              470
>   1.1.0.Final-SNAPSHOT   20              426
> 
> 
> ----- Original Message -----
> > From: "Daniel Baxter" <daniel.baxter at cira.ca>
> > To: "Stian Thorgersen" <stian at redhat.com>
> > Cc: keycloak-dev at lists.jboss.org
> > Sent: Wednesday, 14 January, 2015 3:56:03 PM
> > Subject: RE: [keycloak-dev] Slow Direct Grants API endpoint
> > 
> > Honestly I don't know how to check what is being used. I assume it
> > would be whatever Keycloak Appliance defaults to. I checked with the
> > guy who configured 1.0.4 for the other application and he doesn't know
> > what we are using or how to configure it either. Sorry.
> > 
> > - Daniel
> > 
> > -----Original Message-----
> > From: Stian Thorgersen [mailto:stian at redhat.com]
> > Sent: Wednesday, January 14, 2015 9:19 AM
> > To: Daniel Baxter
> > Cc: keycloak-dev at lists.jboss.org
> > Subject: Re: [keycloak-dev] Slow Direct Grants API endpoint
> > 
> > What user session provider are you using?
> > 
> > ----- Original Message -----
> > > From: "Daniel Baxter" <daniel.baxter at cira.ca>
> > > To: "Stian Thorgersen" <stian at redhat.com>
> > > Cc: keycloak-dev at lists.jboss.org
> > > Sent: Wednesday, 14 January, 2015 3:01:17 PM
> > > Subject: RE: [keycloak-dev] Slow Direct Grants API endpoint
> > > 
> > > I am working with our ops team to configure 1.1.x with the same
> > > level of hardware as our development 1.0.4 system (right now it is
> > > running locally on a XEON workstation with piles of RAM).
> > > 
> > > Both are connected to postgres databases and I am the only person
> > > working on this portion of the project so it is just 1 user at a
> > > time right now for 1.1.x. I have tested the database connection and
> > > there are no real discernible performance irregularities for anything
> > > that runs against that database.
> > > 
> > > For Keycloak itself, it is mostly straight out of the box appliance
> > > install for both 1.0.4 and 1.1.x and it runs on a single machine for
> > > development use (I believe our prod deployment is/will be clustered).
> > > The performance I am seeing is timeable on a stop watch for 1.1 and
> > > near enough to instant for 1.0.4 (under 500 ms). Easily an order of
> > > magnitude. Given the response I got (regarding the unexpectedness of
> > > the slow behaviour) I want to make sure I have a completely fair
> > > comparison and am working to set up 1.1 on a dedicated development
> > > server to make the comparison completely fair.
> > > 
> > > - Daniel
> > > 
> > > -----Original Message-----
> > > From: Stian Thorgersen [mailto:stian at redhat.com]
> > > Sent: Wednesday, January 14, 2015 8:46 AM
> > > To: Daniel Baxter
> > > Cc: keycloak-dev at lists.jboss.org
> > > Subject: Re: [keycloak-dev] Slow Direct Grants API endpoint
> > > 
> > > Direct grants are expected to be a little bit slower in 1.1.x due to
> > > the requirement to persist more, but should certainly not be seconds.
> > > 
> > > Can you give some more details please? Including
> > > 
> > > * What DB are you using?
> > > * Are you using mem, infinispan or jpa user session provider?
> > > * Clustered?
> > > * How many concurrent requests/users are you testing with?
> > > 
> > > Any more accurate performance stats would also be helpful
> > > 
> > > ----- Original Message -----
> > > > From: "Daniel Baxter" <daniel.baxter at cira.ca>
> > > > To: keycloak-dev at lists.jboss.org
> > > > Sent: Monday, 12 January, 2015 9:23:42 PM
> > > > Subject: [keycloak-dev] Slow Direct Grants API endpoint
> > > > 
> > > > Hi,
> > > > 
> > > > I am attempting to integrate Keycloak into an existing application
> > > > to replace the homegrown user management system in place. We have
> > > > a new project built from the ground up on Keycloak 1.0.4.Final
> > > > which is exhibiting good performance. However this app that I am
> > > > porting has a remoting component that connects to the server with
> > > > bare username/password credentials over the EJB Remoting
> > > > framework. I was hoping to use 1.1.0 (currently Beta2) which
> > > > provides a DirectAccessGrantsLoginModule which does exactly what I
> > > > want (turns username and password into a KeycloakPrincipal).
> > > > However, the turnaround time from Keycloak is on the order of several
> > > > seconds.
> > > > 
> > > > I have used a bare REST client to execute the POSTs to both our
> > > > 1.0.4 Keycloak and 1.1.0 Keycloak instances and have noted an
> > > > order of magnitude difference in getting a response. Is this a
> > > > known issue (I cannot find anything in the public bugs/tasks
> > > > list)? Or is this due to the Beta status leaving additional
> > > > performance affecting logging or instrumentation in place?
> > > > 
> > > > Thanks,
> > > > 
> > > > Daniel
> > > > 
> > > 
> > 
> 
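Stian's point that the default is 1 PBKDF2 iteration with 5-10K recommended, and Daniel's observation that direct-grant latency fell linearly with the iteration count, can be checked on any host with a small benchmark. The script below is an added example, not Keycloak code; it assumes PBKDF2-HMAC-SHA1 with a 512-bit derived key (modelled on the Keycloak 1.x provider; verify against your own version) and uses a constructed salt and password.

```python
"""Constructed example (not Keycloak code): measure how PBKDF2 verification
cost scales with the iteration count, then pick a count for a latency budget."""
import hashlib
import os
import time

# Assumption: Keycloak 1.x hashed with PBKDF2-HMAC-SHA1 and a 512-bit derived key.
# Check the hash provider of the version you run before relying on these numbers.
PRF = "sha1"
DKLEN = 64  # bytes (512 bits)


def pbkdf2_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the stored key for one password verification."""
    return hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, iterations, DKLEN)


def verify_cost_ms(iterations: int, rounds: int = 3) -> float:
    """Best-of-N wall-clock cost in ms of a single verification at this setting."""
    salt = os.urandom(16)  # constructed sample salt
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        pbkdf2_hash("correct horse battery staple", salt, iterations)
        best = min(best, (time.perf_counter() - start) * 1000.0)
    return best


def iterations_for_budget(budget_ms: float, probe_iterations: int = 20_000) -> int:
    """Estimate the iteration count that fits budget_ms per verification on this host.

    PBKDF2 cost is linear in the iteration count (which is why the endpoint
    latency in the thread dropped linearly as iterations were reduced), so a
    single probe measurement extrapolates to any budget.
    """
    per_iter_ms = verify_cost_ms(probe_iterations) / probe_iterations
    return max(1, int(budget_ms / per_iter_ms))


if __name__ == "__main__":
    for n in (1, 1_000, 10_000, 100_000):
        print(f"{n:>7} iterations: {verify_cost_ms(n):8.2f} ms per verification")
    print("fits a 100 ms budget:", iterations_for_budget(100.0), "iterations")
```

Every direct-grant call pays this cost once, so the budget is per request; clustering raises throughput but not the latency of a single verification, which is why the count should be chosen on hardware comparable to production.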

