Hello everyone,
My team and I have been revisiting some performance issues, namely the ones related to:
https://issues.jboss.org/browse/KEYCLOAK-8275.
From the comments, I understand that the plan is to re-implement the
data access part of Keycloak, which is why the issues have been closed or put back into
triage. We are planning to roll out a production Keycloak instance in the coming months /
weeks and we've been doing some statistics on the number of clients that we would need
to support: somewhere in the region of 15 000.
Firstly, I'd like to know what the status on the new / improved data access is, as I
couldn't find any information on your Jira. Could you give us an estimate on when it
would be released?
Secondly, assuming that it will take more time until such a high number of clients will be
supported fully, I have a few simple improvements or changes in mind, and we'd gladly
contribute with a PR. They are as follows:
1. New query parameters for the /auth/admin/realms/:realmId/clients endpoint:
   - limit (int): restrict the number of results when pulling all clients, useful for the
     admin UI as there's no point in pulling 200 pages of stuff, nobody's going to
     click the arrows to search manually
   - search (bool): if set to true, searches with a case-insensitive "LIKE %clientId%"
     query, as currently the search box on the admin UI works only in the case
     of an exact match (not particularly useful).
   The search flag combined with the limited results will allow admins to search through
   clients without the need to pull all the data from the server, causing a timeout. Any
   queries performed like before work the same, listing all clients.
2. Removal of "RedirectUtils.getValidRedirectUris()" from the class
LogoutEndpoint (possibly turned on or off via a config flag??). With 15000 clients it took
around 5 minutes for the logout endpoint to return successfully. Without the redirect URI
validation, it finished in milliseconds. Since any redirect URI of any client of the realm
can be used, I don't personally see much use from using it at all. (see
https://issues.jboss.org/browse/KEYCLOAK-8284)
3. Minor UI tweak: When pressing enter or clicking on search in the admin client list, a
"Searching..." prompt appears under the search box.
!! Talking about UI, I saw a strange thing in the Angular code, it seems that ALL the
clients are pulled from the server when accessing the client details. I added a limit to
that as well as they didn't seem to be used. I don't think the client list should
be pulled by anything, but maybe somebody knows details here.
The PR is submitted at
https://github.com/keycloak/keycloak/pull/6320, any feedback would
be appreciated!
Best regards,
Cristian Schuszter
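
Added example, not part of the original message or of the PR: a Python/sqlite3 model of the limit and search parameters proposed in item 1, with the search term bound as a query parameter and LIKE wildcards escaped so that a clientId containing "_" or "%" matches literally. The table layout, the helper names and MAX_LIMIT are assumptions made for the illustration; Keycloak's own data layer is not shown.

```python
import sqlite3

MAX_LIMIT = 100  # assumed server-side ceiling; not a value from the message or the PR


def like_escape(term: str) -> str:
    """Escape LIKE metacharacters so wildcard characters in a clientId match literally."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def find_clients(db, realm_id, client_id=None, search=False, limit=None):
    """Model of GET /auth/admin/realms/:realmId/clients with the proposed parameters."""
    sql = "SELECT client_id FROM client WHERE realm_id = ?"
    params = [realm_id]
    if client_id is not None and search:
        # search=true: case-insensitive substring match, input bound as a parameter
        sql += " AND LOWER(client_id) LIKE ? ESCAPE '\\'"
        params.append("%" + like_escape(client_id.lower()) + "%")
    elif client_id is not None:
        # search absent or false: exact match, as before
        sql += " AND client_id = ?"
        params.append(client_id)
    sql += " ORDER BY client_id"
    if limit is not None:
        # limit is clamped, so it cannot be used to request the whole table
        sql += " LIMIT ?"
        params.append(max(0, min(int(limit), MAX_LIMIT)))
    return [row[0] for row in db.execute(sql, params)]


def sample_db(n=15000):
    """Constructed data: n clients in one realm plus a few hand-picked names."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE client (realm_id TEXT, client_id TEXT)")
    rows = [("demo", f"app-{i:05d}") for i in range(n)]
    rows += [("demo", "Billing_API"), ("demo", "billingXapi"), ("other", "billing_api")]
    db.executemany("INSERT INTO client VALUES (?, ?)", rows)
    return db


if __name__ == "__main__":
    db = sample_db()
    print(find_clients(db, "demo", "billing_", search=True, limit=10))
    print(len(find_clients(db, "demo", limit=20)))
```

Without the escaping step, the "_" in the search term would act as a single-character wildcard and also return billingXapi.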