We have a performance issue with the token exchange service in a realm
with a large amount of users.
The problem seems to be that token exchange uses client permissions to
evaluate if a client to client token exchange is allowed. The client
permissions evaluator
(org.keycloak.services.resources.admin.permissions.ClientPermissions#canExchangeTo)
creates a new ClientModelIdentity object which in the constructor also
loads the client's service account user model, if one exists.
The service account user lookup result for clients without service
account enabled, isn't cached. Since the service_account_client_link
column in the user_entity database table isn't indexed, this lookup
causes a table scan which takes several seconds for each token
exchange.
One way to solve this, is to cache the empty service account user lookup.
I have pushed a proof of concept at
https://github.com/keycloak/keycloak/compare/master...knutz3n:cache-empty...
Is this something you would consider merging? Do you have suggestions
for improvement on this fix? Do you know of other places which must
trigger an eviction in addition to
org.keycloak.services.managers.ClientManager#enableServiceAccount?
- Johannes