[keycloak-dev] Slow Direct Grants API endpoint

Bill Burke bburke at redhat.com
Fri Feb 6 10:17:26 EST 2015


Sorry, just getting caught up...

The default is 1 iteration because I don't want people trying out 
keycloak and saying "You are SLOW!".  The default should be either 1 or 
20k as anything more or less is pointless.  My vote is to keep it at 1 
iteration and let the user decide how safe they want to be.

On 2/3/2015 2:59 AM, Stian Thorgersen wrote:
> Yep, that would do it ;)
>
> The hashing algorithm used by Keycloak is PBKDF2 and we only use 1 iteration by default, but we highly recommend increasing that though. We should probably also consider increasing the default.
>
> It's hard to give a definitive answer to this question as it is all relative, but for increased safety I'd say you should be looking at 5-10K iterations. Obviously the higher the better and you can and should cluster Keycloak for increased scalability and availability.
>
> ----- Original Message -----
>> From: "Daniel Baxter" <daniel.baxter at cira.ca>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Monday, 2 February, 2015 5:03:44 PM
>> Subject: RE: [keycloak-dev] Slow Direct Grants API endpoint
>>
>> Hi,
>>
>> I have just finished some testing on 1.1.0 Final and found that the core
>> problem was that through an abundance of caution we have configured hash
>> iterations to 100,000 (which I of course typoed to 1M on Beta 2 when I
>> configured it). The performance delta between 1.0 and 1.1 is explained by
>> the typo there. However, even with the change to 100K in place I found the
>> endpoint was still too slow (600~800ms) and discovered that it scaled
>> linearly down as I reduced the iterations.
>>
>> So I guess the question now is how many iterations is the default and how
>> many would be a recommended "overly cautious" amount of iterations. I
>> understand that keycloak defaults to Bcrypt hashing which is designed
>> explicitly to be computationally expensive so I imagine iterations in the
>> scope of 10-50 is probably sufficient to keep the passwords safe.
>>
>> - Daniel
>>
>> -----Original Message-----
>> From: Stian Thorgersen [mailto:stian at redhat.com]
>> Sent: Thursday, January 15, 2015 7:37 AM
>> To: Daniel Baxter
>> Cc: keycloak-dev at lists.jboss.org
>> Subject: Re: [keycloak-dev] Slow Direct Grants API endpoint
>>
>> Just ran some perf tests with default settings, 10 users and 10000 requests:
>>
>>    Version                Average (ms)    Throughput
>>    -------------------------------------------------
>>    1.0.4.Final            18              468
>>    1.1.0.Beta2            19              470
>>    1.1.0.Final-SNAPSHOT   20              426
>>
>>
>> ----- Original Message -----
>>> From: "Daniel Baxter" <daniel.baxter at cira.ca>
>>> To: "Stian Thorgersen" <stian at redhat.com>
>>> Cc: keycloak-dev at lists.jboss.org
>>> Sent: Wednesday, 14 January, 2015 3:56:03 PM
>>> Subject: RE: [keycloak-dev] Slow Direct Grants API endpoint
>>>
>>> Honestly I don't know how to check what is being used. I assume it
>>> would be whatever Keycloak Appliance defaults to. I checked with the
>>> guy who configured 1.0.4 for the other application and he doesn't know
>>> what we are using or how to configure it either. Sorry.
>>>
>>> - Daniel
>>>
>>> -----Original Message-----
>>> From: Stian Thorgersen [mailto:stian at redhat.com]
>>> Sent: Wednesday, January 14, 2015 9:19 AM
>>> To: Daniel Baxter
>>> Cc: keycloak-dev at lists.jboss.org
>>> Subject: Re: [keycloak-dev] Slow Direct Grants API endpoint
>>>
>>> What user session provider are you using?
>>>
>>> ----- Original Message -----
>>>> From: "Daniel Baxter" <daniel.baxter at cira.ca>
>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>> Cc: keycloak-dev at lists.jboss.org
>>>> Sent: Wednesday, 14 January, 2015 3:01:17 PM
>>>> Subject: RE: [keycloak-dev] Slow Direct Grants API endpoint
>>>>
>>>> I am working with our ops team to configure 1.1.x with the same
>>>> level of hardware as our development 1.0.4 system (right now it is
>>>> running locally on a XEON workstation with piles of RAM).
>>>>
>>>> Both are connected to postgres databases and I am the only person
>>>> working on this portion of the project so it is just 1 user at a
>>>> time right now for 1.1.x. I have tested the database connection and
>>>> there are no real discernible performance irregularities for anything
>>>> that runs against that database.
>>>>
>>>> For Keycloak itself, it is mostly straight out of the box appliance
>>>> install for both 1.0.4 and 1.1.x and it runs on a single machine for
>>>> development use (I believe our prod deployment is/will be clustered).
>>>> The performance I am seeing is timeable on a stopwatch for 1.1 and
>>>> near enough to instant for 1.0.4 (under 500 ms). Easily an order of
>>>> magnitude. Given the response I got (regarding the unexpectedness of
>>>> the slow behaviour) I want to make sure I have a completely fair
>>>> comparison and am working to set up 1.1 on a dedicated development
>>>> server to make the comparison completely fair.
>>>>
>>>> - Daniel
>>>>
>>>> -----Original Message-----
>>>> From: Stian Thorgersen [mailto:stian at redhat.com]
>>>> Sent: Wednesday, January 14, 2015 8:46 AM
>>>> To: Daniel Baxter
>>>> Cc: keycloak-dev at lists.jboss.org
>>>> Subject: Re: [keycloak-dev] Slow Direct Grants API endpoint
>>>>
>>>> Direct grants are expected to be a little bit slower in 1.1.x due to
>>>> the requirement to persist more, but should certainly not be seconds.
>>>>
>>>> Can you give some more details please? Including
>>>>
>>>> * What DB are you using?
>>>> * Are you using mem, infinispan or jpa user session provider?
>>>> * Clustered?
>>>> * How many concurrent requests/users are you testing with?
>>>>
>>>> Any more accurate performance stats would also be helpful
>>>>
>>>> ----- Original Message -----
>>>>> From: "Daniel Baxter" <daniel.baxter at cira.ca>
>>>>> To: keycloak-dev at lists.jboss.org
>>>>> Sent: Monday, 12 January, 2015 9:23:42 PM
>>>>> Subject: [keycloak-dev] Slow Direct Grants API endpoint
>>>>>
>>>>> Hi,
>>>>>
>>>>> I am attempting to integrate Keycloak into an existing application
>>>>> to replace the homegrown user management system in place. We have
>>>>> a new project built from the ground up on Keycloak 1.0.4.Final
>>>>> which is exhibiting good performance. However this app that I am
>>>>> porting has a remoting component that connects to the server with
>>>>> bare username/password credentials over the EJB Remoting
>>>>> framework. I was hoping to use 1.1.0 (currently Beta2) which
>>>>> provides a DirectAccessGrantsLoginModule which does exactly what I
>>>>> want (turns username and password into a KeycloakPrincipal).
>>>>> However, the turn around time from Keycloak is on the order of several
>>>>> seconds.
>>>>>
>>>>> I have used a bare REST client to execute the POSTs to both our
>>>>> 1.0.4 Keycloak and 1.1.0 Keycloak instances and have noted an
>>>>> order of magnitude difference in getting a response. Is this a
>>>>> known issue (I cannot find anything in the public bugs/tasks
>>>>> list)? Or is this due to the Beta status leaving additional
>>>>> performance affecting logging or instrumentation in place?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Daniel
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-dev mailing list
>>>>> keycloak-dev at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>>
>>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
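The thread turns on two points: PBKDF2 cost scales linearly with the iteration count (Daniel's 600-800 ms at 100K), and a default of 1 iteration only protects users who actually get re-hashed at a higher count. The following is an added example written for this page, not Keycloak's own code: it stores the iteration count alongside the salt and hash, verifies with the stored count, upgrades a weak (1-iteration) record on the next successful login, and measures how long one hash takes at several iteration counts. The record layout, function names and the HMAC-SHA-256 PRF are assumptions for this example; the thread says only "PBKDF2" and does not name the PRF.

```python
"""Added example (not Keycloak code): PBKDF2 password storage with a
configurable iteration count, verify-with-stored-count, rehash-on-login,
and a cost measurement showing the linear scaling discussed in the thread.
Record format, names and the SHA-256 PRF are assumptions for this example."""
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

DEFAULT_ITERATIONS = 20_000   # the "20k" figure from the thread
DK_LEN = 32                   # derived-key length in bytes (assumed)
PRF = "sha256"                # assumed PRF; the thread only says "PBKDF2"


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> Dict[str, object]:
    """Return a storable record: per-user salt, iteration count, derived key.
    Storing the count is what lets the policy change later without breaking
    existing accounts."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, iterations, DK_LEN)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify_password(password: str, record: Dict[str, object]) -> bool:
    """Recompute with the *stored* iteration count; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"),
                                    record["salt"], record["iterations"], DK_LEN)
    return hmac.compare_digest(candidate, record["hash"])


def needs_rehash(record: Dict[str, object], target_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the stored hash is weaker than the current policy
    (e.g. it was created under the old 1-iteration default)."""
    return record["iterations"] < target_iterations


def login(password: str, record: Dict[str, object],
          target_iterations: int = DEFAULT_ITERATIONS) -> Tuple[bool, Dict[str, object]]:
    """Verify, and on success upgrade a weak record to the target policy.
    Returns (ok, record_to_store). Only a successful login can upgrade,
    because that is the only moment the plaintext is available."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record, target_iterations):
        return True, hash_password(password, target_iterations)  # fresh salt too
    return True, record


def seconds_per_hash(iterations: int, rounds: int = 3) -> float:
    """Best-of-N wall time for one PBKDF2 computation; grows linearly in
    `iterations`, which is what the thread observed on the token endpoint."""
    best = float("inf")
    for _ in range(rounds):
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac(PRF, b"benchmark", b"0" * 16, iterations, DK_LEN)
        best = min(best, time.perf_counter() - t0)
    return best


if __name__ == "__main__":
    weak = hash_password("correct horse", iterations=1)   # old 1-iteration default
    ok, upgraded = login("correct horse", weak)
    print(ok, weak["iterations"], "->", upgraded["iterations"])
    for n in (1, 1_000, 20_000, 100_000):
        print(f"{n:>7} iterations: {seconds_per_hash(n) * 1000:8.2f} ms per hash")
```

The measurement loop reproduces the linear relationship Daniel saw: each step up in iterations costs the server the same factor per authentication, and the same factor per guess for an attacker with a copy of the table. The `login` function is the part a deployment raising its default from 1 tends to forget: accounts hashed under the old setting stay at 1 iteration until they are re-hashed, so an upgrade-on-login step (a general pattern, not a statement about what Keycloak 1.1 does) is what makes the new default apply to existing users.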

