[keycloak-user] Authorization services performance
Pedro Igor Silva
psilva at redhat.com
Wed Aug 22 08:11:15 EDT 2018
On Wed, Aug 22, 2018 at 8:38 AM, Ori Doolman <Ori.Doolman at amdocs.com> wrote:
> Hi,
>
> We are using Policy Enforcer in Java client (JBOSS FUSE) to send the
> permission ticket to Keycloak PDP for evaluating a pre-configured
> Javascript policy rule.
> We are using Keycloak version 2.5.5.
>
> Is that evaluation in Keycloak PDP occur in-memory, or does it perform a
> DB access each time?
>
If cache is warm, it should not happen any database hits. We cache not only
entities (resources, policies, etc) but also specific queries that are
executed during evaluation.
In latest version, 4.3.0.Final, we delivered quite a few performance
improvements to the evaluation engine like removal of redundant code and
refactoring to optimize execution and decision cache on a per authorization
request basis. We are still working on some other improvements as this is
one of our main goals for future releases.
I would recommend you to try latest version. There are other improvements
too that I think you may benefit. Things like being able to define response
format (if just a decision, list of granted permissions or standard oauth2
response), limit the number of permissions that the server should process,
pushed claims (with or without permission tickets), additional methods to
the evaluation api, etc.
>
> Thanks,
>
> Ori Doolman
> Lead Software Architect
> Amdocs Optima
>
> +972 9 778 6914 (office)
> +972 50 9111442 (mobile)
>
> [cid:image001.png at 01D2C8DE.BFF33E10]
>
> “Amdocs’ email platform is based on a third-party, worldwide, cloud-based
> system. Any emails sent to Amdocs will be processed and stored using such
> system and are accessible by third party providers of such system on a
> limited basis. Your sending of emails to Amdocs evidences your consent to
> the use of such system and such processing, storing and access”.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
More information about the keycloak-user
mailing list