[keycloak-user] Permissions: Slow/complex interactions

Corentin Dupont corentin.dupont at gmail.com
Tue Jul 24 06:54:35 EDT 2018


Hi guys,
I am experiencing some performance issues on my API server using Keycloak.
After someone issues a GET on my API server, here is what happens:

- API server -> DB server: get requested resources
- API server -> Keycloak: get client token (to get resources)
- API server -> Keycloak: get resources (to complement DB server with
resource owner & visibility)
- API server -> Keycloak: get user token (to get permission)
- API server -> Keycloak: get permission (to filter resources)
At this point the filtered resources are returned.

But this process is quite slow. I noticed a call to KC can take up to 100ms.
The complete call on the API server can take up to 600ms on my laptop, in
a localhost setting.
The delays become noticeable on my UI...

With a resource SPI strategy (if developed), it should be:

- API server -> DB server: get requested resources
- API server -> Keycloak: get user token (to get permission)
- API server -> Keycloak: get permission (to filter resources)
- Keycloak -> DB server: get resources

There are slightly fewer requests. An additional gain is that resources are not
split between 2 databases.

I wonder if resources could be pushed during the permission request? Like a
"pushed claim".
This would be even more straightforward:

- API server -> DB server: get requested resources
- API server -> Keycloak: get user token (to get permission)
- API server -> Keycloak: get permission and push resources

Can this work?
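
Added example, not part of the original message and not the poster's or Keycloak's code: the join-and-filter step that ends the first flow, written so that a row present in the DB server but missing from Keycloak is dropped rather than returned. The `keycloak_id` column, the `visibility` attribute, the `view` scope and the sample data are assumptions; `rsid` and `scopes` follow Keycloak's `response_mode=permissions` output.

```python
def filter_resources(db_rows, kc_resources, permissions, scope="view"):
    """Join DB rows with Keycloak resource data and keep only permitted ones.

    db_rows:      rows from the DB server; "keycloak_id" is an assumed column
    kc_resources: resource representations fetched with the client token
    permissions:  permissions evaluated for the user token
    """
    by_id = {r["_id"]: r for r in kc_resources}
    granted = {}
    for p in permissions:
        granted.setdefault(p["rsid"], set()).update(p.get("scopes", []))

    visible = []
    for row in db_rows:
        kc = by_id.get(row.get("keycloak_id"))
        if kc is None:
            continue  # the two stores disagree: deny instead of guessing
        if scope not in granted.get(kc["_id"], set()):
            continue  # the scope must be listed explicitly
        attrs = kc.get("attributes") or {}
        visible.append({
            **row,
            "owner": (kc.get("owner") or {}).get("id"),
            # Assumption: a resource without the attribute counts as private.
            "visibility": (attrs.get("visibility") or ["private"])[0],
        })
    return visible

# Constructed sample data, not taken from the message.
DB_ROWS = [
    {"id": 1, "name": "sensor-a", "keycloak_id": "r1"},
    {"id": 2, "name": "sensor-b", "keycloak_id": "r2"},
    {"id": 3, "name": "sensor-c", "keycloak_id": "r3"},  # no Keycloak record
    {"id": 4, "name": "sensor-d", "keycloak_id": "r4"},
]
KC_RESOURCES = [
    {"_id": "r1", "owner": {"id": "alice"}, "attributes": {"visibility": ["public"]}},
    {"_id": "r2", "owner": {"id": "bob"}, "attributes": {"visibility": ["private"]}},
    {"_id": "r4", "owner": {"id": "alice"}},
]
PERMISSIONS = [
    {"rsid": "r1", "scopes": ["view"]},
    {"rsid": "r3", "scopes": ["view"]},  # stale entry for a missing resource
    {"rsid": "r4", "scopes": ["edit"]},
    {"rsid": "r4", "scopes": ["view"]},
]

if __name__ == "__main__":
    for resource in filter_resources(DB_ROWS, KC_RESOURCES, PERMISSIONS):
        print(resource)
```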

