Sorry, just getting caught up...
The default is 1 iteration because I don't want people trying out
keycloak and saying "You are SLOW!". The default should be either 1 or
20k as anything more or less is pointless. My vote is to keep it at 1
iteration and let the user decide how safe they want to be.
On 2/3/2015 2:59 AM, Stian Thorgersen wrote:
Yep, that would do it ;)
The hashing algorithm used by Keycloak is PBKDF2 and we only use 1 iteration by default,
but we highly recommend increasing that. We should probably also consider
increasing the default.
It's hard to give a definitive answer to this question as it is all relative, but for
increased safety I'd say you should be looking at 5-10K iterations. Obviously the
higher the better and you can and should cluster Keycloak for increased scalability and
availability.
----- Original Message -----
> From: "Daniel Baxter" <daniel.baxter(a)cira.ca>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Monday, 2 February, 2015 5:03:44 PM
> Subject: RE: [keycloak-dev] Slow Direct Grants API endpoint
>
> Hi,
>
> I have just finished some testing on 1.1.0 Final and found that the core
> problem was that through an abundance of caution we have configured hash
> iterations to 100,000 (which I of course typoed to 1M on Beta 2 when I
> configured it). The performance delta between 1.0 and 1.1 is explained by
> the typo there. However, even with the change to 100K in place I found the
> end point was still too slow (600~800ms) and discovered that it scaled
> linearly down as I reduced the iterations.
>
> So I guess the question now is how many iterations is the default and how
> many would be a recommended "overly cautious" amount of iterations. I
> understand that keycloak defaults to Bcrypt hashing which is designed
> explicitly to be computationally expensive so I imagine iterations in the
> scope of 10-50 is probably sufficient to keep the passwords safe.
>
> - Daniel
>
> -----Original Message-----
> From: Stian Thorgersen [mailto:stian@redhat.com]
> Sent: Thursday, January 15, 2015 7:37 AM
> To: Daniel Baxter
> Cc: keycloak-dev(a)lists.jboss.org
> Subject: Re: [keycloak-dev] Slow Direct Grants API endpoint
>
> Just ran some perf tests with default settings, 10 users and 10000 requests:
>
> Version               Average (ms)   Throughput
> -------------------------------------------------
> 1.0.4.Final                     18          468
> 1.1.0.Beta2                     19          470
> 1.1.0.Final-SNAPSHOT            20          426
>
>
> ----- Original Message -----
>> From: "Daniel Baxter" <daniel.baxter(a)cira.ca>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Wednesday, 14 January, 2015 3:56:03 PM
>> Subject: RE: [keycloak-dev] Slow Direct Grants API endpoint
>>
>> Honestly I don't know how to check what is being used. I assume it
>> would be whatever Keycloak Appliance defaults to. I checked with the
>> guy who configured 1.0.4 for the other application and he doesn't know
>> what we are using or how to configure it either. Sorry.
>>
>> - Daniel
>>
>> -----Original Message-----
>> From: Stian Thorgersen [mailto:stian@redhat.com]
>> Sent: Wednesday, January 14, 2015 9:19 AM
>> To: Daniel Baxter
>> Cc: keycloak-dev(a)lists.jboss.org
>> Subject: Re: [keycloak-dev] Slow Direct Grants API endpoint
>>
>> What user session provider are you using?
>>
>> ----- Original Message -----
>>> From: "Daniel Baxter" <daniel.baxter(a)cira.ca>
>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>> Cc: keycloak-dev(a)lists.jboss.org
>>> Sent: Wednesday, 14 January, 2015 3:01:17 PM
>>> Subject: RE: [keycloak-dev] Slow Direct Grants API endpoint
>>>
>>> I am working with our ops team to configure 1.1.x with the same
>>> level of hardware as our development 1.0.4 system (right now it is
>>> running locally on a XEON workstation with piles of RAM).
>>>
>>> Both are connected to postgres databases and I am the only person
>>> working on this portion of the project so it is just 1 user at a
>>> time right now for 1.1.x. I have tested the database connection and
>>> there are no real discernible performance irregularities for anything
>>> that runs against that database.
>>>
>>> For Keycloak itself, it is mostly straight out of the box appliance
>>> install for both 1.0.4 and 1.1.x and it runs on a single machine for
>>> development use (I believe our prod deployment is/will be clustered).
>>> The performance I am seeing is timeable on a stop watch for 1.1 and
>>> near enough to instant for 1.0.4 (under 500 ms). Easily an order of
>>> magnitude. Given the response I got (regarding the unexpectedness of
>>> the slow behaviour) I want to make sure I have a completely fair
>>> comparison and am working to set up 1.1 on a dedicated development
>>> server to make the comparison completely fair.
>>>
>>> - Daniel
>>>
>>> -----Original Message-----
>>> From: Stian Thorgersen [mailto:stian@redhat.com]
>>> Sent: Wednesday, January 14, 2015 8:46 AM
>>> To: Daniel Baxter
>>> Cc: keycloak-dev(a)lists.jboss.org
>>> Subject: Re: [keycloak-dev] Slow Direct Grants API endpoint
>>>
>>> Direct grants are expected to be a little bit slower in 1.1.x due to
>>> the requirement to persist more, but should certainly not be seconds.
>>>
>>> Can you give some more details please? Including
>>>
>>> * What DB are you using?
>>> * Are you using mem, infinispan or jpa user session provider?
>>> * Clustered?
>>> * How many concurrent requests/users are you testing with?
>>>
>>> Any more accurate performance stats would also be helpful
>>>
>>> ----- Original Message -----
>>>> From: "Daniel Baxter" <daniel.baxter(a)cira.ca>
>>>> To: keycloak-dev(a)lists.jboss.org
>>>> Sent: Monday, 12 January, 2015 9:23:42 PM
>>>> Subject: [keycloak-dev] Slow Direct Grants API endpoint
>>>>
>>>> Hi,
>>>>
>>>> I am attempting to integrate Keycloak into an existing application
>>>> to replace the homegrown user management system in place. We have
>>>> a new project built from the ground up on Keycloak 1.0.4.Final
>>>> which is exhibiting good performance. However this app that I am
>>>> porting has a remoting component that connects to the server with
>>>> bare username/password credentials over the EJB Remoting
>>>> framework. I was hoping to use 1.1.0 (currently Beta2) which
>>>> provides a DirectAccessGrantsLoginModule which does exactly what I
>>>> want (turns username and password into a KeycloakPrincipal).
>>>> However, the turnaround time from Keycloak is on the order of several
>>>> seconds.
>>>>
>>>> I have used a bare REST client to execute the POSTs to both our
>>>> 1.0.4 Keycloak and 1.1.0 Keycloak instances and have noted an
>>>> order of magnitude difference in getting a response. Is this a
>>>> known issue (I cannot find anything in the public bugs/tasks
>>>> list)? Or is this due to the Beta status leaving additional
>>>> performance affecting logging or instrumentation in place?
>>>>
>>>> Thanks,
>>>>
>>>> Daniel
>>>>
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev(a)lists.jboss.org
>>>>
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>
>
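The thread's core observation, that direct-grant latency scales linearly with the PBKDF2 iteration count, can be measured directly. The script below is an added example, not code from the thread or from Keycloak; it assumes HMAC-SHA1 as the PBKDF2 PRF and a 20-byte output (the list only states "PBKDF2"), times one hash at several iteration counts, and derives the count a host can afford inside a chosen login-latency budget.

```python
import hashlib
import hmac
import os
import time

# PRF choice is an assumption for this example; the thread only says "PBKDF2".
# HMAC-SHA1 with a 20-byte output matches the RFC 6070 test vectors.
PRF = "sha1"

def pbkdf2_hash(password: str, salt: bytes, iterations: int, dklen: int = 20) -> bytes:
    """Derive a password hash; every extra iteration is one more HMAC round."""
    return hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, iterations, dklen)

def new_credential(password: str, iterations: int) -> dict:
    """Store salt, iteration count and hash together so the count can be raised later."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": pbkdf2_hash(password, salt, iterations)}

def verify(password: str, cred: dict) -> bool:
    """Constant-time comparison; the stored iteration count drives the verify cost."""
    candidate = pbkdf2_hash(password, cred["salt"], cred["iterations"], len(cred["hash"]))
    return hmac.compare_digest(candidate, cred["hash"])

def hash_cost_ms(iterations: int, rounds: int = 3) -> float:
    """Median wall-clock milliseconds for one hash at this iteration count."""
    salt = b"constructed-salt"  # fixed constructed salt, timing only
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        pbkdf2_hash("correct horse battery staple", salt, iterations)
        samples.append((time.perf_counter() - t0) * 1000)
    return sorted(samples)[rounds // 2]

def scaling_table(counts=(1, 1000, 10000, 20000, 100000)):
    """Cost grows linearly with iterations, as Daniel observed on the endpoint."""
    return [(n, hash_cost_ms(n)) for n in counts]

def iterations_for_budget(budget_ms: float, probe: int = 20000) -> int:
    """Pick the iteration count this host can afford inside a login-latency budget."""
    per_iteration_ms = hash_cost_ms(probe) / probe
    return max(1, int(budget_ms / per_iteration_ms))

if __name__ == "__main__":
    for n, ms in scaling_table():
        print(f"{n:>7} iterations: {ms:8.2f} ms")
    print("iterations for a 100 ms budget:", iterations_for_budget(100))
```

Run it on the hardware that will serve logins; the budget figure should include whatever share of the endpoint's latency you are willing to spend on hashing alone.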