[keycloak-user] Performance loss migrating from Keycloak 1.7.0 to Keycloak 2.5.5/3.x

Stian Thorgersen sthorger at redhat.com
Mon May 29 07:48:25 EDT 2017


1.7.0 had a single hash iteration; in 1.9 that was bumped to 20K. That's
probably the single source of the difference in performance. You can change
it through the admin console, but we recommend keeping the value high to
make sure passwords are stored safely.

On 24 May 2017 at 10:25, Dmitry Telegin <mitya at cargosoft.ru> wrote:

> Hi Bill,
>
> By the way, can we roughly estimate the amount of memory allocated per
> each cached user?
>
> We are planning a deployment with ~4M users, so I'm wondering if the
> entire user set can fit into RAM of a typical server? If yes, do you
> think it would be a good idea to write an extension for cache warm-up?
> (i.e., to launch a background thread upon Keycloak startup that would
> gradually load all the users into cache) I think that could improve
> response times for restarted / newly added cluster nodes.
>
> Thanks,
> Dmitry
>
> > Entire user is cached (role mappings, attributes, etc.) the first time
> > it is accessed.  Maybe in your old User Federation Provider, you loaded
> > stuff on demand?  Another thing you could try is to ditch the import.
> > The new User Storage Model supports a non-import mode if you implement
> > it correctly.
> >
> >
> > On 5/16/17 9:09 AM, Vito Vessia wrote:
> > > Hi all,
> > > we have adopted Keycloak as foundation for our identity services since
> > > the beginning (July 2015) and after an initial development period we
> > > developed our federation/mail/whatever providers we fixed the underlying
> > > Keycloak version to 1.7.0 for more than one year.
> > > Recently we have upgraded to Keycloak 2.5.5 doing a big reworking
> > > related to the new architecture of the former Federation providers,
> > > etc...
> > > The first impression is that it is more robust and stable, but it seems
> > > to be slower than the 1.7.0 version. Without any SPI installed, using a
> > > raw Keycloak realm, on the same machine the pure login via OpenID
> > > Connect endpoints takes:
> > >
> > > 30 ms on Keycloak 1.7.0 (average value after 100 logins)
> > > 100 ms on Keycloak 2.5.5 (average value after 100 logins)
> > >
> > > We get the same gap both with H2 and Oracle database.
> > >
> > > If we mount our SPI providers (User Storage and others), the gap is
> > > greater but of course it could be an issue in our code after the
> > > migration to the new SPI architecture.
> > >
> > > Is there a specific reason for this gap? (i.e. a better management of
> > > the concurrency).
> > > Is there a specific setting/strategy to improve the performance?
> > >
> > > The configuration has been tested both on Linux and Windows on a
> > > standalone server. The Wildfly -Xmx has been set to 1g on both Keycloak
> > > versions.
> > >
> > > --Vito Vessia
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
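
Added example (not part of the thread and not Keycloak's code): it measures what the two iteration counts named in the reply cost per login, and shows a credential stored at 1 iteration still verifying and being re-hashed at 20000 on the next successful login. PBKDF2-HMAC-SHA1, the key and salt sizes and the record layout are assumptions; the re-hash-on-login step is a general pattern that goes beyond what the thread states.

```python
import hashlib
import hmac
import os
import time

# Assumptions, not stated in the thread: PBKDF2-HMAC-SHA1, 64-byte key, 16-byte salt.
ALGO, DKLEN, SALT_LEN = "sha1", 64, 16


def hash_password(password, iterations):
    """Create a credential record that stores its own iteration count."""
    salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac(ALGO, password.encode(), salt, iterations, DKLEN)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify(password, cred, policy_iterations):
    """Check a login against the stored record; return (ok, record_to_store).

    Verification uses the count saved with the hash, so records written at
    1 iteration still validate after the policy moves to 20000. A successful
    login with an out-of-policy count is re-hashed at the policy value.
    """
    dk = hashlib.pbkdf2_hmac(ALGO, password.encode(), cred["salt"],
                             cred["iterations"], DKLEN)
    if not hmac.compare_digest(dk, cred["hash"]):
        return False, cred
    if cred["iterations"] != policy_iterations:
        cred = hash_password(password, policy_iterations)
    return True, cred


def seconds_per_hash(iterations, rounds=5):
    """Average wall-clock cost of one derivation at the given count."""
    salt = os.urandom(SALT_LEN)
    start = time.perf_counter()
    for _ in range(rounds):
        hashlib.pbkdf2_hmac(ALGO, b"constructed-password", salt, iterations, DKLEN)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    for n in (1, 20000):  # the two values named in the reply
        t = seconds_per_hash(n)
        # 1/t is also the offline guess rate one core gets against a stolen hash
        print(f"{n:>6} iterations: {t * 1000:8.3f} ms/login, {1 / t:12.0f} guesses/s")
    legacy = hash_password("constructed-password", 1)
    ok, upgraded = verify("constructed-password", legacy, 20000)
    print("login ok:", ok, "| stored iterations now:", upgraded["iterations"])
```

The per-login time and the offline guess rate come from the same measurement, so lowering the count to recover login latency raises the guess rate against a leaked credential table by the same factor.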

