[keycloak-dev] Slow Direct Grants API endpoint

Daniel Baxter daniel.baxter at cira.ca
Thu Feb 5 08:56:01 EST 2015 

Hi,

We finally got some load testing done with our system and with the hash adjustments it was pretty close to the same performance we were seeing before porting over. One thing I noticed is that every Direct Grants Access creates a session in Keycloak. Is it possible to perform a sessionless grant or at least get back the same session?

A note about our architecture. We have 2 interfaces to our app; 1 web which runs in container with the EJB services and uses the web authentication perfectly. The second interface is a netty app that runs outside of the JBoss container to handle network api requests into our system with a specific protocol that is then handed over to the EJB services running in JBoss using a Remoting endpoint. In Weblogic we got a WorkContext when we did this which allowed us to authenticate against the EJB services once per session. However, JBoss seems to be missing the concept of a WorkContext and we are required to pass over java.naming.security.principal and java.naming.security.credentials with the jndi properties every time we do a Remote EJB call. This is where we are using Direct Grants Authentication because the jndi props are passing over only a username and password to the services and we have been required to authenticate each time to access the services.

Now I want to avoid having to ping back with a Logout message on each call termination because it will add the travel time as lag to each API call and would prefer a sessionless authentication. Or is there a known tool or API for maintaining the Remoting session on JBoss similar to how the WorkContext works on Weblogic so we don't have to authenticate every hop over the Remoting endpoint.

If there is sample code for Keycloak authenticated Remoting app to look at that might also be helpful.

Thanks,

Daniel

-----Original Message-----
From: Stian Thorgersen [mailto:stian at redhat.com] 
Sent: Tuesday, February 03, 2015 2:59 AM
To: Daniel Baxter
Cc: keycloak-dev at lists.jboss.org
Subject: Re: [keycloak-dev] Slow Direct Grants API endpoint

Yep, that would do it ;)

The hashing algorithm used by Keycloak is PBKDF2 and we only use 1 iteration by default, but we highly recommend increasing that though. We should probably also considering increasing the default.

It's hard to give a definitive answer to this question as it is all relative, but for increased safety I'd say you should be looking at 5-10K iterations. Obviously the higher the better and you can and should cluster Keycloak for increased scalability and availability.

----- Original Message -----
> From: "Daniel Baxter" <daniel.baxter at cira.ca>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Monday, 2 February, 2015 5:03:44 PM
> Subject: RE: [keycloak-dev] Slow Direct Grants API endpoint
> 
> Hi,
> 
> I have just finished some testing on 1.1.0 Final and found that the 
> core problem was that through an abundance of caution we have 
> configured hash iterations to 100,000 (which I of course typoed to 1M 
> on Beta 2 when I configured it). The performance delta between 1.0 and 
> 1.1 is explained by the typo there. However, even with the change to 
> 100K in place I found the end point was still too slow (600~800ms) and 
> discovered that it scaled linearly down as I reduced the iterations.
> 
> So I guess the question now is how many iterations is the default and 
> how many would be a recommended "overly cautious" amount of 
> iterations. I understand that keycloak defaults to Bcrypt hashing 
> which is designed explicitly to be computationally expensive so I 
> imagine iterations in the scope of 10-50 is probably sufficient to keep the passwords safe.
> 
> - Daniel
> 
> -----Original Message-----
> From: Stian Thorgersen [mailto:stian at redhat.com]
> Sent: Thursday, January 15, 2015 7:37 AM
> To: Daniel Baxter
> Cc: keycloak-dev at lists.jboss.org
> Subject: Re: [keycloak-dev] Slow Direct Grants API endpoint
> 
> Just ran some perf tests with default settings, 10 users and 10000 requests:
> 
>   Version                Average (ms)    Throughput
>   -------------------------------------------------
>   1.0.4.Final            18              468
>   1.1.0.Beta2            19              470
>   1.1.0.Final-SNAPSHOT   20              426
> 
> 
> ----- Original Message -----
> > From: "Daniel Baxter" <daniel.baxter at cira.ca>
> > To: "Stian Thorgersen" <stian at redhat.com>
> > Cc: keycloak-dev at lists.jboss.org
> > Sent: Wednesday, 14 January, 2015 3:56:03 PM
> > Subject: RE: [keycloak-dev] Slow Direct Grants API endpoint
> > 
> > Honestly I don't know how to check what is being used. I assume it 
> > would be whatever Keycloak Appliance defaults to. I checked with the 
> > guy who configured 1.0.4 for the other application and he doesn't 
> > know what we are using or how to configure it either. Sorry.
> > 
> > - Daniel
> > 
> > -----Original Message-----
> > From: Stian Thorgersen [mailto:stian at redhat.com]
> > Sent: Wednesday, January 14, 2015 9:19 AM
> > To: Daniel Baxter
> > Cc: keycloak-dev at lists.jboss.org
> > Subject: Re: [keycloak-dev] Slow Direct Grants API endpoint
> > 
> > What user session provider are you using?
> > 
> > ----- Original Message -----
> > > From: "Daniel Baxter" <daniel.baxter at cira.ca>
> > > To: "Stian Thorgersen" <stian at redhat.com>
> > > Cc: keycloak-dev at lists.jboss.org
> > > Sent: Wednesday, 14 January, 2015 3:01:17 PM
> > > Subject: RE: [keycloak-dev] Slow Direct Grants API endpoint
> > > 
> > > I am working with our ops team to configure 1.1.x with the same 
> > > level of hardware as our development 1.0.4 system (right now it is 
> > > running locally on a XEON workstation with piles of RAM).
> > > 
> > > Both are connected to postgres databases and I am the only person 
> > > working on this portion of the project so it is just 1 user at a 
> > > time right now for 1.1.x. I have tested the database connection 
> > > and there is no real discernable performance irregularities for 
> > > anything that runs against that database.
> > > 
> > > For Keycloak itself, it is mostly straight out of the box 
> > > appliance install for both 1.0.4 and 1.1.x and it runs on a single 
> > > machine for development use (I believe our prod deployment is/will be clustered).
> > > The performance I am seeing is timeable on a stop watch for 1.1 
> > > and near enough to instant for
> > > 1.0.4 (under 500 ms). Easily an order of magnitude. Given the 
> > > response I got (regarding the unexpectedness of the slow 
> > > behaviour) I want to make sure I have a completely fair comparison 
> > > and am working to set up
> > > 1.1 on a dedicated development server to make the comparison 
> > > completely fair.
> > > 
> > > - Daniel
> > > 
> > > -----Original Message-----
> > > From: Stian Thorgersen [mailto:stian at redhat.com]
> > > Sent: Wednesday, January 14, 2015 8:46 AM
> > > To: Daniel Baxter
> > > Cc: keycloak-dev at lists.jboss.org
> > > Subject: Re: [keycloak-dev] Slow Direct Grants API endpoint
> > > 
> > > Direct grants are expected to be a little bit slower in 1.1.x due 
> > > to the requirement to persist more, but should certainly not be seconds.
> > > 
> > > Can you give some more details please? Including
> > > 
> > > * What DB are you using?
> > > * Are you using mem, infinispan or jpa user session provider?
> > > * Clustered?
> > > * How many concurrent requests/users are you testing with?
> > > 
> > > Any more accurate performance stats would also be helpful
> > > 
> > > ----- Original Message -----
> > > > From: "Daniel Baxter" <daniel.baxter at cira.ca>
> > > > To: keycloak-dev at lists.jboss.org
> > > > Sent: Monday, 12 January, 2015 9:23:42 PM
> > > > Subject: [keycloak-dev] Slow Direct Grants API endpoint
> > > > 
> > > > 
> > > > 
> > > > Hi,
> > > > 
> > > > 
> > > > 
> > > > I am attempting to integrate Keycloak into an existing 
> > > > application to replace the homegrown user management system in 
> > > > place. We have a new project built from the ground up on 
> > > > Keycloak 1.0.4.Final which is exhibiting good performance. 
> > > > However this app that I am porting has a remoting component that 
> > > > connects to the server with bare username/password credentials 
> > > > over the EJB Remoting framework. I was hoping to use 1.1.0 
> > > > (currently Beta2) which provides a DirectAccessGrantsLoginModule 
> > > > which does exactly what I want (turns username and password into a KeycloakPrincipal).
> > > > However, the turn around time from Keycloak is on the order of 
> > > > several seconds.
> > > > 
> > > > 
> > > > 
> > > > I have used a bare REST client to execute the POSTs to both our
> > > > 1.0.4 Keycloak and 1.1.0 Keycloak instances and have noted an 
> > > > order of magnitude difference in getting a response. Is this a 
> > > > known issue (I cannot find anything in the public bugs/tasks 
> > > > list)? Or is this due to the Beta status leaving additional 
> > > > performance affecting logging or instrumentation in place?
> > > > 
> > > > 
> > > > 
> > > > Thanks,
> > > > 
> > > > 
> > > > 
> > > > Daniel
> > > > 
> > > > _______________________________________________
> > > > keycloak-dev mailing list
> > > > keycloak-dev at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > > 
> > 
>

More information about the keycloak-dev mailing list