Do you have Caching enabled?
Realm > User Federation > Cache Settings > Cache Policy
I posted to the list a few week ago to point out that with Caching enabled, the Keycloak
was actually making More requests to a custom federated user backend.
I appreciate that you use a different form of user federation, but it is the same
unexpected scenario.
On 3 Jan 2018, at 22:59, Cesar Salazar <csalazar(a)devsu.com>
First of all, thanks for the great work on keycloak!
We are using keycloak for an application, and it was working great (until
we launched to production)
We have 150 users which are connected to an Active Directory using the
Federation functionality.
It works, but the endpoint GET /{realm}/users takes about 23 seconds to
respond (Keycloak running on a container in GKE backed by a mysql server on
Google Cloud SQL).
I enabled mysql logging and the problem seems to be that just for
responding this endpoint, the server makes 901 queries to the database!
These are the queries:
First query, to get the users:
select userentity0_.ID as ID1_71_, userentity0_.CREATED_TIMESTAMP as
CREATED_2_71_, userentity0_.EMAIL as EMAIL3_71_,
userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_71_, userentity0_.EMAIL_VERIFIED
as EMAIL_VE5_71_, userentity0_.ENABLED as ENABLED6_71_,
userentity0_.FEDERATION_LINK as FEDERATI7_71_, userentity0_.FIRST_NAME as
FIRST_NA8_71_, userentity0_.LAST_NAME as LAST_NAM9_71_,
userentity0_.NOT_BEFORE as NOT_BEF10_71_, userentity0_.REALM_ID as
userentity0_.USERNAME as USERNAM13_71_ from USER_ENTITY userentity0_ where
userentity0_.REALM_ID='my-realm' and
(userentity0_.SERVICE_ACCOUNT_CLIENT_LINK is null) order by
Then,* for each user *a query like this, (getting user attributes I guess)
select attributes0_.USER_ID as USER_ID4_67_0_, attributes0_.ID as
ID1_67_0_, attributes0_.ID as ID1_67_1_, attributes0_.NAME as NAME2_67_1_,
attributes0_.USER_ID as USER_ID4_67_1_, attributes0_.VALUE as VALUE3_67_1_
from USER_ATTRIBUTE attributes0_ where
Then,* for each user* 4 queries similar to this, (getting credentials I
select credential0_.ID as ID1_18_, credential0_.ALGORITHM as ALGORITH2_18_,
credential0_.COUNTER as COUNTER3_18_, credential0_.CREATED_DATE as
CREATED_4_18_, credential0_.DEVICE as DEVICE5_18_, credential0_.DIGITS as
DIGITS6_18_, credential0_.HASH_ITERATIONS as HASH_ITE7_18_,
credential0_.PERIOD as PERIOD8_18_, credential0_.SALT as SALT9_18_,
credential0_.TYPE as TYPE10_18_, credential0_.USER_ID as USER_ID12_18_,
credential0_.VALUE as VALUE11_18_ from CREDENTIAL credential0_ where
credential0_.USER_ID='94525793-297b-4895-ab2b-7cf8b580e9fa' and
A query with type *totp* is queried 2 times, the other 2 times are queried
with type *hotp* and *password*
and finally one more query* for each user* (getting required actions I
select requiredac0_.USER_ID as USER_ID2_77_0_, requiredac0_.REQUIRED_ACTION
as REQUIRED1_77_0_, requiredac0_.REQUIRED_ACTION as REQUIRED1_77_1_,
requiredac0_.USER_ID as USER_ID2_77_1_ from USER_REQUIRED_ACTION
requiredac0_ where
So, in total, for 150 users, Keycloak is making 901 requests to the
database! If I increase the number to 500 users, will it be 30001
How can this be improved? Is there something wrong I'm doing in the
configuration? Does this happens only with Federated users?
*Cesar Salazar*
Development Manager
skype: cesarsalazar007
P: (213)-291-0752
M: +593 9 2917 160 (Ecuador)
keycloak-user mailing list