<div dir="ltr">As I stated several times before, the server should be more than capable of handling 200 concurrent users.<div><br></div><div>I don't understand what your issues are as we have no problems with that type of load when we're benchmarking. We also have plenty of users of Keycloak that have higher loads than you have. So I'm not sure what your actual issues are. KEYCLOAK-3057 will not necessarily fix your issues, it's not a high priority to add and won't be the default (RSA is the expected signature format for JWTs).</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 13 June 2016 at 11:48, Vaibhav Naldurgkar <span dir="ltr"><<a href="mailto:vaibhav_naldurgkar@persistent.com" target="_blank">vaibhav_naldurgkar@persistent.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Stian,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">I noticed that there is an Enhancement added for similar performance issues through 3057
<a href="https://issues.jboss.org/browse/KEYCLOAK-3057" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-3057</a>. I am looking forward to the release of 2.0.X; could you let me know if this helps to improve the performance issue which I am facing?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Thanks, Vaibhav<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Stian Thorgersen [mailto:<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>]
<br>
<b>Sent:</b> Thursday, May 26, 2016 11:17 AM</span></p><div><div class="h5"><br>
<b>To:</b> Vaibhav Naldurgkar<br>
<b>Cc:</b> <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<b>Subject:</b> Re: [keycloak-user] Keycloak OAuth High CPU usage<u></u><u></u></div></div><p></p><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">Again, CPU load is expected to be high while having 20 threads send as many requests as they can. It's the total throughput that matters here.<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">There are loads of tuning you can do, but you should be able to get decent numbers without any tuning.<u></u><u></u></p>
</div>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">On 26 May 2016 at 07:09, Vaibhav Naldurgkar <<a href="mailto:vaibhav_naldurgkar@persistent.com" target="_blank">vaibhav_naldurgkar@persistent.com</a>> wrote:<u></u><u></u></p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">I am still wondering what odd configuration I am following on my RHEL VM, which is not sustaining a few user
requests when checked from the output of the top command. Could you please suggest if there are any Java-specific parameters that need to be tuned for performance improvement? If needed, I will share my configuration files for reference.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Below is the screenshot of top output during one of the load tests.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">
</span><u></u><u></u></p>
<p class="MsoNormal"><img border="0" width="670" height="161" src="cid:image001.png@01D1C586.773ED0F0"><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:9.0pt;font-family:"Calibri",sans-serif;color:#333399"> </span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:9.0pt;font-family:"Calibri",sans-serif;color:#333399"> </span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:9.0pt;font-family:"Calibri",sans-serif;color:#333399">Thanks, Vaibhav</span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Stian Thorgersen [mailto:<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>]
<br>
<b>Sent:</b> Wednesday, May 25, 2016 12:40 PM<br>
<b>To:</b> Vaibhav Naldurgkar<br>
<b>Cc:</b> Herzberg, Manuel; <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">
keycloak-user@lists.jboss.org</a></span><u></u><u></u></p>
<div>
<div>
<p class="MsoNormal"><br>
<b>Subject:</b> Re: [keycloak-user] Keycloak OAuth High CPU usage<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
<div>
<p class="MsoNormal">I did some tests with Linux VM when investigating how Keycloak scales. I had Keycloak running on a VM that was permitted 50% of a single core and had a throughput of 50 scenarios.
Where a scenario includes a login request, a code to token request and a logout request. In our performance lab with a single node and a not particularly beefy machine we're seeing 150+ scenarios/second.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
<div>
<p class="MsoNormal">On 24 May 2016 at 16:05, Vaibhav Naldurgkar <<a href="mailto:vaibhav_naldurgkar@persistent.com" target="_blank">vaibhav_naldurgkar@persistent.com</a>> wrote:<u></u><u></u></p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Hello,</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">What are the test results on a Linux VM? I just did the same JMeter tests on an AWS m4.xlarge instance; however, the results are
far behind the laptop test results.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">@Stian – have you done tests using a Linux VM?</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">Thanks, Vaibhav</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p>
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Herzberg, Manuel [mailto:<a href="mailto:manuel.herzberg@atos.net" target="_blank">manuel.herzberg@atos.net</a>]
<br>
<b>Sent:</b> Tuesday, May 24, 2016 5:52 PM<br>
<b>To:</b> <a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>; Vaibhav Naldurgkar<br>
<b>Cc:</b> <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<b>Subject:</b> RE: [keycloak-user] Keycloak OAuth High CPU usage</span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">Hello,
<br>
<br>
I am evaluating the Keycloak performance. Here is my practical experience. My scenario is the same as Vaibhav’s:</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial",sans-serif"> </span><u></u><u></u></p>
<p><span style="font-size:11.0pt;font-family:Symbol">·</span><span style="font-size:7.0pt">
</span><span style="font-size:11.0pt;font-family:"Arial",sans-serif">A large number of tokens have to be generated. This is done by requesting the Keycloak token REST endpoint via HTTP. The different realms I am using have 1k, 2k, 3k and 4k keys for signing the
tokens (RSA). Longer keys result in longer runtime to generate these tokens.</span><u></u><u></u></p>
<p><span style="font-size:11.0pt;font-family:"Arial",sans-serif"> </span><u></u><u></u></p>
<p><span style="font-size:11.0pt;font-family:Symbol">·</span><span style="font-size:7.0pt">
</span><span style="font-size:11.0pt;font-family:"Arial",sans-serif">I have more than 10k users in each realm. Each request includes a new user.
<br>
Requests look like this: <br>
host1:8080/auth/realms/demo-3072/protocol/openid-connect/token/ <br>
with data:<br>
username=testuser1&password=password&client_id=customer-portal&grant_type=password</span><u></u><u></u></p>
<p><span style="font-size:11.0pt;font-family:"Arial",sans-serif"> </span><u></u><u></u></p>
<p><span style="font-size:11.0pt;font-family:Symbol">·</span><span style="font-size:7.0pt">
</span><span style="font-size:11.0pt;font-family:"Arial",sans-serif">The response includes 3 tokens (access, refresh and id). In total more than 30 000 tokens have to be generated and signed.</span><u></u><u></u></p>
<p><span style="font-size:11.0pt;font-family:"Arial",sans-serif"> </span><u></u><u></u></p>
<p style="margin-bottom:12.0pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">@Stian. You wrote you are able to invoke 10000 token refreshes in under 60 seconds. A token refresh includes access, refresh and id token, right? Can you explain
your scenario to us? How do you get such a high number?<br>
<br>
Some more results: just signing 3000 tokens (800 bytes each) with a 2k key takes me 20 seconds (laptop i5-4310U, 12 GB RAM). I am doing this outside Keycloak with my own Java program, but with the same implementation Keycloak is using (sign() method in RSAProvider).</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">The Keycloak implementation is signing tokens with RSA. HMAC and ECC are implemented as well, as I saw in the code.
Changing from RSA to HMAC or ECC is not possible in the current release, as I experienced. Are there plans to provide this in the future? Defining this in a configuration file or via parameters would be nice.</span><u></u><u></u></p>
<p class="MsoNormal"><span lang="DE" style="font-size:11.0pt;font-family:"Arial",sans-serif">Best regards, Manuel Herzberg</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"><b><span lang="DE" style="font-size:10.0pt;font-family:"Tahoma",sans-serif">From:</span></b><span lang="DE" style="font-size:10.0pt;font-family:"Tahoma",sans-serif">
<a href="mailto:keycloak-user-bounces@lists.jboss.org" target="_blank">keycloak-user-bounces@lists.jboss.org</a> [<a href="mailto:keycloak-user-bounces@lists.jboss.org" target="_blank">mailto:keycloak-user-bounces@lists.jboss.org</a>]
<b>On Behalf Of </b>Stian Thorgersen<br>
<b>Sent:</b> Tuesday, May 24, 2016 8:31 AM<br>
<b>To:</b> Vaibhav Naldurgkar<br>
<b>Cc:</b> <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<b>Subject:</b> Re: [keycloak-user] Keycloak OAuth High CPU usage</span><u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
<div>
<p class="MsoNormal">On 23 May 2016 at 10:02, Vaibhav Naldurgkar <<a href="mailto:vaibhav_naldurgkar@persistent.com" target="_blank">vaibhav_naldurgkar@persistent.com</a>> wrote:<u></u><u></u></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Yes, the direct access grant is ON for this client. I am trying to understand what you mean by “not
planning on using web based flow?” Could you provide more clarification on this.</span><u></u><u></u></p>
</div>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">If you are planning to do the web based flow (authorization code grant flow) you should test with that rather than direct grant. That being said the direct grant should still perform
as well.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">This is the scenario I am trying to execute, and I still have high CPU usage for the KeyCloak Java process.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p>
<p style="margin-left:1.0in"><span style="font-size:11.0pt;font-family:Symbol;color:#1f497d">·</span><span style="font-size:7.0pt;color:#1f497d">
</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">The endpoint URL /auth/realms/master/protocol/openid-connect/token has been called by JMeter for 20 concurrent users per second to generate the tokens.</span><u></u><u></u></p>
<p style="margin-left:1.0in"><span style="font-size:11.0pt;font-family:Symbol;color:#1f497d">·</span><span style="font-size:7.0pt;color:#1f497d">
</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Even if used with a curl command like “<i>curl -X POST -d "=admin&password=admin&password&client_id=HelloTest&grant_type=password"
<a href="http://localhost:8080/auth/realms/master/protocol/openid-connect/token" target="_blank">
http://localhost:8080/auth/realms/master/protocol/openid-connect/token</a></i>”, in this case also the CPU utilization goes to around 100%.</span><u></u><u></u></p>
<p style="margin-left:1.0in"><span style="font-size:11.0pt;font-family:Symbol;color:#1f497d">·</span><span style="font-size:7.0pt;color:#1f497d">
</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">After around 3 seconds of the test, in the output of the top command on the KeyCloak server the CPU% for the Keycloak Java process goes beyond 100%.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Would it be possible for you to have a quick call for a faster fix of this issue? This performance issue
is holding up the move to use KeyCloak as an OAuth provider. If any other way is convenient for you, please let me know for further discussion.</span><u></u><u></u></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Your JMeter test is using 20 concurrent threads to send as many requests to the direct grant api as it can. This will obviously cause Keycloak to consume a high percentage of the
CPU. Especially if you are running everything on localhost as the network isn't going to be a bottleneck. Neither will the database as Keycloak caches everything in memory. The bottleneck will be the CPU.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Authenticating users and obtaining a token requires password hashing as well as signing tokens, both are mainly CPU intensive. As you are using the direct grant api there's also
less network traffic.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">You need to add some reports to your JMeter test so you can see how many requests Keycloak can handle. That way you can find out how many users can be authenticated per-second on
your machine.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">If you only have 500 users remember they won't all login at the same time (seconds). Even if they all login at 9am sharp they will be spread out over 10 minutes or so, which would
only be 1.2 logins/second.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Thanks, Vaibhav</span><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Stian Thorgersen [mailto:<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>]
<br>
<b>Sent:</b> Monday, May 23, 2016 12:01 PM</span><u></u><u></u></p>
<div>
<div>
<p class="MsoNormal"><br>
<b>To:</b> Vaibhav Naldurgkar<br>
<b>Cc:</b> <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<b>Subject:</b> Re: [keycloak-user] Keycloak OAuth High CPU usage<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
<div>
<p class="MsoNormal">You are using direct grant to authenticate a user and obtain a token in the example above. This authenticates and creates a new session for each request. Are you not planning on
using web based flow?<u></u><u></u></p>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">What do you have password hashing intervals set to? Verifying passwords is CPU intensive, more than signing tokens.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">It shouldn't matter that user is stored in RedHat IdM as the user would be cached in Keycloak after first authentication, but it may be an idea to just double check by trying to
authenticate to a user in Keycloak and not RH IdM.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">What results are you actually getting?<u></u><u></u></p>
</div>
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
<div>
<p class="MsoNormal">On 20 May 2016 at 11:27, Vaibhav Naldurgkar <<a href="mailto:vaibhav_naldurgkar@persistent.com" target="_blank">vaibhav_naldurgkar@persistent.com</a>> wrote:<u></u><u></u></p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Hi Stian,</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">After reading your test results of 10000 token refreshes in under 60 seconds on your laptop, I am
sure I am not following the correct configuration and the documents are missing for reference.
</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Could you please verify the below steps along with the screenshots for the steps which I am following
for adding the client and testing the load performance using JMeter? Please suggest if any changes are needed in the client configuration. In this case we are obtaining the token for the user from KeyCloak.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">In my case the user have been stored on RedHat IdM which has been federated using KeyCloak. </span><u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif">Step 1. Create new client called “LoadTest” , use the Client Protocol as “Openid-connect”.</span><u></u><u></u></p>
<p class="MsoNormal" style="text-indent:.5in">
<span style="font-family:"Calibri",sans-serif">Used all default values post save of the client action.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"> </span><u></u><u></u></p>
<p class="MsoNormal" style="text-autospace:none">
<span style="font-family:"Calibri",sans-serif">Step 2. Start the load tests using Jmeter and using the path as
</span><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">“/auth/realms/master/protocol/openid-connect/token”</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">
</span><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:black">.
</span><span style="font-family:"Calibri",sans-serif">Used 20 Number of Threads and used Post method.</span><u></u><u></u></p>
<p class="MsoNormal" style="text-autospace:none">
<span style="font-size:10.0pt;font-family:"Segoe UI",sans-serif;color:black"> </span><u></u><u></u></p>
<p class="MsoNormal" style="text-autospace:none">
<span style="font-size:10.0pt;font-family:"Segoe UI",sans-serif;color:black"> </span><u></u><u></u></p>
<p class="MsoNormal" style="text-autospace:none">
<span style="font-size:10.0pt;font-family:"Segoe UI",sans-serif;color:black">Below is the screen-shot for the step 1 related to Add Client.</span><u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"><img border="0" width="1307" height="572" src="cid:image002.png@01D1C586.773ED0F0"><u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Below is the screen shot for the load test using Jmeter. In this case the Client ID was used as HelloTest.<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"><img border="0" width="989" height="300" src="cid:image003.png@01D1C586.773ED0F0"><u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Http requests.<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"><img border="0" width="962" height="299" src="cid:image004.png@01D1C586.773ED0F0"><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Thanks, Vaibhav</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Stian Thorgersen [mailto:<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>]
<br>
<b>Sent:</b> Friday, May 20, 2016 1:01 PM</span><u></u><u></u></p>
<div>
<div>
<p class="MsoNormal"><br>
<b>To:</b> Vaibhav Naldurgkar<br>
<b>Cc:</b> <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<b>Subject:</b> Re: [keycloak-user] Keycloak OAuth High CPU usage<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
<div>
<p class="MsoNormal">Can you please elaborate a bit more on what your testing scenario is? I'm a bit confused as to what you are testing when you are talking about generating new tokens. Are you using
OIDC or SAML? Are you talking about code->token exchanges, refresh token requests, or what?<u></u><u></u></p>
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">To test if your hardware is capable of dealing with the load you need to test logins (verifying passwords is CPU intensive) as well as obtaining tokens (both code->token, done after
login, and refreshing token, done ~1 min or so by active users, but most users won't continuously use the application).<u></u><u></u></p>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">500 users should be no problem at all. As an example with a single thread (which will use a single core) I could invoke 10000 token refreshes in under 60 seconds on my laptop. So
a single core on my laptop should be able to handle 500 users.<u></u><u></u></p>
</div>
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
<div>
<p class="MsoNormal">On 20 May 2016 at 08:00, Vaibhav Naldurgkar <<a href="mailto:vaibhav_naldurgkar@persistent.com" target="_blank">vaibhav_naldurgkar@persistent.com</a>> wrote:<u></u><u></u></p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Hi Stian,</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Thank you for your reply.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">The new tokens need to be generated for each user, which is needed from a security point of view. The
performance tests were also conducted using a single Admin user and a token for the admin user; however in that case the performance was not good. Between the 15th and 20th admin token access requests – the CPU usage of the keycloak Java process was crossing the 90 to 120%
mark.</span><u></u><u></u></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">As you have mentioned, creating tokens is expected to be a bit CPU intensive – what should be the server
configuration in terms of CPU to deal with more than 500 users to use keycloak as an OAuth provider?</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Thanks, Vaibhav</span><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Stian Thorgersen [mailto:<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>]
<br>
<b>Sent:</b> Thursday, May 19, 2016 6:28 PM<br>
<b>To:</b> Vaibhav Naldurgkar<br>
<b>Cc:</b> <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<b>Subject:</b> Re: [keycloak-user] Keycloak OAuth High CPU usage</span><u></u><u></u></p>
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
<div>
<div>
<p class="MsoNormal">Creating tokens is expected to be a bit CPU intensive as they need to be signed. When you say you try to generate tokens for 10-20 users are you doing performance tests and having
10-20 threads generating tokens? It shouldn't make any difference if you have 10 or if you have 200 users, it's the total number of tokens that can be generated that's an issue. Having 200 concurrent users with an access token timeout of 60 seconds should mean
that you need to be able to generate roughly 200/60 tokens = 3.3 tokens/sec.<u></u><u></u></p>
</div>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
<div>
<p class="MsoNormal">On 19 May 2016 at 13:24, Vaibhav Naldurgkar <<a href="mailto:vaibhav_naldurgkar@persistent.com" target="_blank">vaibhav_naldurgkar@persistent.com</a>> wrote:<u></u><u></u></p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#333399">Hi All,</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#333399"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#333399">I am using Keycloak 1.9.3 with default configuration. Keycloak server is installed on RHEL 6.5 virtual image with 4 CPU, 8 GB RAM and
java version is jdk1.8.0_73. We are trying to use Keycloak as an OAuth provider. But when we try and generate a token (<a href="http://auth/realms/master/protocol/openid-connect/token" target="_blank">http:///auth/realms/master/protocol/openid-connect/token</a>)
for more than 10-20 users the server gets too slow and CPU usage goes over 100%.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#333399">Any pointers on how to improve performance of the Keycloak OAuth provider? We need to support at least 200 concurrent users.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#333399"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#333399"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#333399">Thanks, Vaibhav</span><u></u><u></u></p>
</div>
<p>DISCLAIMER ========== This e-mail may contain privileged and confidential information which is the property of Persistent Systems Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient,
you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Ltd. does not accept any liability for
virus infected mails. <u></u><u></u></p>
</div>
<p class="MsoNormal"><br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><u></u><u></u></p>
</blockquote>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
</div>
</div>
<div>
<div>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
</div>
</div>
<div>
<div>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
</div>
</div>
<div>
<div>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div></div></div><div><div class="h5">
</div></div></div>
</blockquote></div><br></div>