On Tue, Jul 24, 2018 at 7:54 AM, Corentin Dupont <corentin.dupont(a)gmail.com>
wrote:
Hi guys,
I experience some performance issue on my API server using Keycloak.
After someone issue a GET on my API server, here is what happens:
- API server -> DB server: get requested resources
- API server -> Keycloak: get client token (to get resources)
- API server -> Keycloak: get resources (to complement DB server with
resource owner & visibility)
- API server -> Keycloak: get user token (to get permission)
- API server -> Keycloak: get permission (to filter resources)
At this point the filtered resources are returned.
But this process is quite slow. I noticed a call to KC can take up to
100ms.
The complete call on the API server can take up to 600ms on my laptop, in
localhost setting.
The delays become noticeable on my UI...
Are you able to confirm the step(s) spending more time to process ? If when
obtaining client tokens, resources or during evaluation ?
Also, could you elaborate more what this step is doing: "- API server ->
Keycloak: get resources (to complement DB server with
resource owner & visibility)" ?
With a resource SPI strategy (if developed), it should be:
- API server -> DB server: get requested resources
- API server -> Keycloak: get user token (to get permission)
- API server -> Keycloak: get permission (to filter resources)
- Keycloak -> DB server: get resources
There is a little less requests. Additional gain is that resources are not
split between 2 databases.
I wonder if resources could be pushed during the permission request? Like a
"pushed claim".
This would be even more straightforward:
- API server -> DB server: get requested resources
- API server -> Keycloak: get user token (to get permission)
- API server -> Keycloak: get permission and push resources
Can this work?
I think this is an area we might want to improve in order to allow
evaluating permissions solely based on claims pushed to the server. That
means you won't need to manage resources in the server but rely on policies
to process the "pushed claims".
+1
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user