10:56 a.m.
Hi guys,
I noticed that if I request permissions with one client, it is faster than
with another one.
For instance:
TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded"
-d
'username=cdupont&password=xxx&grant_type=password&*client_id=api-server*&client_secret=4e9dcb80-efcd-484c-b3d7-1e95a0096ac0'
"http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" |
jq .access_token -r`
time curl -X POST
http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H
"Authorization: Bearer $TOKEN" -d
"grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions"
*real 0m0,196s*
user 0m0,000s
sys 0m0,006s
TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded"
-d
'username=cdupont&password=xxx&grant_type=password&*client_id=dashboard*'
"http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" |
jq .access_token -r`
time curl -X POST
http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H
"Authorization: Bearer $TOKEN" -d
"grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions"
*real 0m2,142s*
user 0m0,006s
sys 0m0,006s
The only difference between the two commands is the client (highlighted in
red). With the second client, it takes 2 seconds more consistently.
Any idea? I might be a cache problem...
Cheers
Corentin
8:54 a.m.
Hi,
The resource set is the same in both scenarios as they are related to
api-server. The same goes for permissions and policies.
I don't know what may be causing this difference, but maybe you can find a
clue when running the evaluation tool to compare how evaluation is
performed in both situations.
On Sat, May 25, 2019 at 1:12 PM Corentin Dupont <corentin.dupont(a)gmail.com>
wrote:
Hi guys,
I noticed that if I request permissions with one client, it is faster than
with another one.
For instance:
TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded"
-d
'username=cdupont&password=xxx&grant_type=password&*client_id=api-server*&client_secret=4e9dcb80-efcd-484c-b3d7-1e95a0096ac0'
"http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" |
jq .access_token -r`
time curl -X POST
http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H
"Authorization: Bearer $TOKEN" -d
"grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions"
*real 0m0,196s*
user 0m0,000s
sys 0m0,006s
TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded"
-d
'username=cdupont&password=xxx&grant_type=password&*client_id=dashboard*'
"http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" |
jq .access_token -r`
time curl -X POST
http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H
"Authorization: Bearer $TOKEN" -d
"grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions"
*real 0m2,142s*
user 0m0,006s
sys 0m0,006s
The only difference between the two commands is the client (highlighted in
red). With the second client, it takes 2 seconds more consistently.
Any idea? I might be a cache problem...
Cheers
Corentin
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
9 a.m.
Each grant type is processed in different branches of Token Endpoint thus they might (and
very likely will) have different performance.
Its well known that enabling fine grained access control generates extra load as these
permissions needs to be read somehow.
Kind regards,
Łukasz
--
Code-House
http://code-house.org <http://code-house.org/>
On 27 May 2019, at 15:54, Pedro Igor Silva <psilva(a)redhat.com>
wrote:
Hi,
The resource set is the same in both scenarios as they are related to
api-server. The same goes for permissions and policies.
I don't know what may be causing this difference, but maybe you can find a
clue when running the evaluation tool to compare how evaluation is
performed in both situations.
On Sat, May 25, 2019 at 1:12 PM Corentin Dupont <corentin.dupont(a)gmail.com>
wrote:
> Hi guys,
> I noticed that if I request permissions with one client, it is faster than
> with another one.
> For instance:
>
> TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded"
> -d
>
'username=cdupont&password=xxx&grant_type=password&*client_id=api-server*&client_secret=4e9dcb80-efcd-484c-b3d7-1e95a0096ac0'
> "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" |
> jq .access_token -r`
> time curl -X POST
> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H
> "Authorization: Bearer $TOKEN" -d
>
>
"grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions"
> *real 0m0,196s*
> user 0m0,000s
> sys 0m0,006s
>
> TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded"
> -d
>
'username=cdupont&password=xxx&grant_type=password&*client_id=dashboard*'
> "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" |
> jq .access_token -r`
> time curl -X POST
> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H
> "Authorization: Bearer $TOKEN" -d
>
>
"grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions"
> *real 0m2,142s*
> user 0m0,006s
> sys 0m0,006s
>
> The only difference between the two commands is the client (highlighted in
> red). With the second client, it takes 2 seconds more consistently.
> Any idea? I might be a cache problem...
> Cheers
> Corentin
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
9:26 a.m.
Hi Pedro and Luke,
I tried with the "evaluate" tab in the UI.
Just by changing the client in the evaluate tab (first dropbox), I obtain
significant performance changes:
- with "api-server" client: 2.5 seconds.
- with "dashboard" client: 5 seconds.
With the API, the difference is even more significant (200ms vs 2s)
Note that the resources belong to "api-server". So it might be some
communication delay between the clients as suggested by Luke (if I
understood correctly)?
On Mon, May 27, 2019 at 3:54 PM Pedro Igor Silva <psilva(a)redhat.com> wrote:
Hi,
The resource set is the same in both scenarios as they are related to
api-server. The same goes for permissions and policies.
I don't know what may be causing this difference, but maybe you can find a
clue when running the evaluation tool to compare how evaluation is
performed in both situations.
On Sat, May 25, 2019 at 1:12 PM Corentin Dupont <corentin.dupont(a)gmail.com>
wrote:
> Hi guys,
> I noticed that if I request permissions with one client, it is faster than
> with another one.
> For instance:
>
> TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded"
> -d
>
'username=cdupont&password=xxx&grant_type=password&*client_id=api-server*&client_secret=4e9dcb80-efcd-484c-b3d7-1e95a0096ac0'
> "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token"
> |
> jq .access_token -r`
> time curl -X POST
> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H
> "Authorization: Bearer $TOKEN" -d
>
>
"grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions"
> *real 0m0,196s*
> user 0m0,000s
> sys 0m0,006s
>
> TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded"
> -d
>
'username=cdupont&password=xxx&grant_type=password&*client_id=dashboard*'
> "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token"
> |
> jq .access_token -r`
> time curl -X POST
> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H
> "Authorization: Bearer $TOKEN" -d
>
>
"grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions"
> *real 0m2,142s*
> user 0m0,006s
> sys 0m0,006s
>
> The only difference between the two commands is the client (highlighted in
> red). With the second client, it takes 2 seconds more consistently.
> Any idea? I might be a cache problem...
> Cheers
> Corentin
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
9:48 a.m.
Is there a difference in the number of permissions/resources granted on
each run?
Maybe, permissions are being run twice when using dashboard. Still not
clear to me why. I would need to reproduce this behavior somehow.
Is there any client mapper associated with dashboard that is not set to
api-server ?
On Mon, May 27, 2019 at 11:26 AM Corentin Dupont <corentin.dupont(a)gmail.com>
wrote:
Hi Pedro and Luke,
I tried with the "evaluate" tab in the UI.
Just by changing the client in the evaluate tab (first dropbox), I obtain
significant performance changes:
- with "api-server" client: 2.5 seconds.
- with "dashboard" client: 5 seconds.
With the API, the difference is even more significant (200ms vs 2s)
Note that the resources belong to "api-server". So it might be some
communication delay between the clients as suggested by Luke (if I
understood correctly)?
On Mon, May 27, 2019 at 3:54 PM Pedro Igor Silva <psilva(a)redhat.com>
wrote:
> Hi,
>
> The resource set is the same in both scenarios as they are related to
> api-server. The same goes for permissions and policies.
>
> I don't know what may be causing this difference, but maybe you can find
> a clue when running the evaluation tool to compare how evaluation is
> performed in both situations.
>
> On Sat, May 25, 2019 at 1:12 PM Corentin Dupont <
> corentin.dupont(a)gmail.com> wrote:
>
>> Hi guys,
>> I noticed that if I request permissions with one client, it is faster
>> than
>> with another one.
>> For instance:
>>
>> TOKEN=`curl -X POST -H "Content-Type:
application/x-www-form-urlencoded"
>> -d
>>
'username=cdupont&password=xxx&grant_type=password&*client_id=api-server*&client_secret=4e9dcb80-efcd-484c-b3d7-1e95a0096ac0'
>>
"http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token"
>> |
>> jq .access_token -r`
>> time curl -X POST
>> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token
>> -H
>> "Authorization: Bearer $TOKEN" -d
>>
>>
"grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions"
>> *real 0m0,196s*
>> user 0m0,000s
>> sys 0m0,006s
>>
>> TOKEN=`curl -X POST -H "Content-Type:
application/x-www-form-urlencoded"
>> -d
>>
'username=cdupont&password=xxx&grant_type=password&*client_id=dashboard*'
>>
"http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token"
>> |
>> jq .access_token -r`
>> time curl -X POST
>> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token
>> -H
>> "Authorization: Bearer $TOKEN" -d
>>
>>
"grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions"
>> *real 0m2,142s*
>> user 0m0,006s
>> sys 0m0,006s
>>
>> The only difference between the two commands is the client (highlighted
>> in
>> red). With the second client, it takes 2 seconds more consistently.
>> Any idea? I might be a cache problem...
>> Cheers
>> Corentin
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
9:52 a.m.
If you try to evaluate for a single resource/permissions, do you also see
the difference ?
On Mon, May 27, 2019 at 11:48 AM Pedro Igor Silva <psilva(a)redhat.com> wrote:
Is there a difference in the number of permissions/resources granted
on
each run?
Maybe, permissions are being run twice when using dashboard. Still not
clear to me why. I would need to reproduce this behavior somehow.
Is there any client mapper associated with dashboard that is not set to
api-server ?
On Mon, May 27, 2019 at 11:26 AM Corentin Dupont <
corentin.dupont(a)gmail.com> wrote:
> Hi Pedro and Luke,
> I tried with the "evaluate" tab in the UI.
> Just by changing the client in the evaluate tab (first dropbox), I obtain
> significant performance changes:
> - with "api-server" client: 2.5 seconds.
> - with "dashboard" client: 5 seconds.
> With the API, the difference is even more significant (200ms vs 2s)
>
> Note that the resources belong to "api-server". So it might be some
> communication delay between the clients as suggested by Luke (if I
> understood correctly)?
>
>
> On Mon, May 27, 2019 at 3:54 PM Pedro Igor Silva <psilva(a)redhat.com>
> wrote:
>
>> Hi,
>>
>> The resource set is the same in both scenarios as they are related to
>> api-server. The same goes for permissions and policies.
>>
>> I don't know what may be causing this difference, but maybe you can find
>> a clue when running the evaluation tool to compare how evaluation is
>> performed in both situations.
>>
>> On Sat, May 25, 2019 at 1:12 PM Corentin Dupont <
>> corentin.dupont(a)gmail.com> wrote:
>>
>>> Hi guys,
>>> I noticed that if I request permissions with one client, it is faster
>>> than
>>> with another one.
>>> For instance:
>>>
>>> TOKEN=`curl -X POST -H "Content-Type:
>>> application/x-www-form-urlencoded"
>>> -d
>>>
'username=cdupont&password=xxx&grant_type=password&*client_id=api-server*&client_secret=4e9dcb80-efcd-484c-b3d7-1e95a0096ac0'
>>>
"http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token"
>>> |
>>> jq .access_token -r`
>>> time curl -X POST
>>> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token
>>> -H
>>> "Authorization: Bearer $TOKEN" -d
>>>
>>>
"grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions"
>>> *real 0m0,196s*
>>> user 0m0,000s
>>> sys 0m0,006s
>>>
>>> TOKEN=`curl -X POST -H "Content-Type:
>>> application/x-www-form-urlencoded"
>>> -d
>>>
'username=cdupont&password=xxx&grant_type=password&*client_id=dashboard*'
>>>
"http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token"
>>> |
>>> jq .access_token -r`
>>> time curl -X POST
>>> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token
>>> -H
>>> "Authorization: Bearer $TOKEN" -d
>>>
>>>
"grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions"
>>> *real 0m2,142s*
>>> user 0m0,006s
>>> sys 0m0,006s
>>>
>>> The only difference between the two commands is the client (highlighted
>>> in
>>> red). With the second client, it takes 2 seconds more consistently.
>>> Any idea? I might be a cache problem...
>>> Cheers
>>> Corentin
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
10:07 a.m.
There seem to be a difference when evaluating only one permission. But it's
difficult to see as times are very short.
- with "api-server" client: around 0,035s
- with "dashboard" client: around 0,050s
But the response times are quite variables.
On Mon, May 27, 2019 at 4:52 PM Pedro Igor Silva <psilva(a)redhat.com> wrote:
If you try to evaluate for a single resource/permissions, do you also
see
the difference ?
On Mon, May 27, 2019 at 11:48 AM Pedro Igor Silva <psilva(a)redhat.com>
wrote:
> Is there a difference in the number of permissions/resources granted on
> each run?
>
> Maybe, permissions are being run twice when using dashboard. Still not
> clear to me why. I would need to reproduce this behavior somehow.
>
> Is there any client mapper associated with dashboard that is not set to
> api-server ?
>
> On Mon, May 27, 2019 at 11:26 AM Corentin Dupont <
> corentin.dupont(a)gmail.com> wrote:
>
>> Hi Pedro and Luke,
>> I tried with the "evaluate" tab in the UI.
>> Just by changing the client in the evaluate tab (first dropbox), I
>> obtain significant performance changes:
>> - with "api-server" client: 2.5 seconds.
>> - with "dashboard" client: 5 seconds.
>> With the API, the difference is even more significant (200ms vs 2s)
>>
>> Note that the resources belong to "api-server". So it might be some
>> communication delay between the clients as suggested by Luke (if I
>> understood correctly)?
>>
>>
>> On Mon, May 27, 2019 at 3:54 PM Pedro Igor Silva <psilva(a)redhat.com>
>> wrote:
>>
>>> Hi,
>>>
>>> The resource set is the same in both scenarios as they are related to
>>> api-server. The same goes for permissions and policies.
>>>
>>> I don't know what may be causing this difference, but maybe you can
>>> find a clue when running the evaluation tool to compare how evaluation is
>>> performed in both situations.
>>>
>>> On Sat, May 25, 2019 at 1:12 PM Corentin Dupont <
>>> corentin.dupont(a)gmail.com> wrote:
>>>
>>>> Hi guys,
>>>> I noticed that if I request permissions with one client, it is faster
>>>> than
>>>> with another one.
>>>> For instance:
>>>>
>>>> TOKEN=`curl -X POST -H "Content-Type:
>>>> application/x-www-form-urlencoded"
>>>> -d
>>>>
'username=cdupont&password=xxx&grant_type=password&*client_id=api-server*&client_secret=4e9dcb80-efcd-484c-b3d7-1e95a0096ac0'
>>>> "
>>>>
http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token"
>>>> |
>>>> jq .access_token -r`
>>>> time curl -X POST
>>>> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token
>>>> -H
>>>> "Authorization: Bearer $TOKEN" -d
>>>>
>>>>
"grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions"
>>>> *real 0m0,196s*
>>>> user 0m0,000s
>>>> sys 0m0,006s
>>>>
>>>> TOKEN=`curl -X POST -H "Content-Type:
>>>> application/x-www-form-urlencoded"
>>>> -d
>>>>
'username=cdupont&password=xxx&grant_type=password&*client_id=dashboard*'
>>>> "
>>>>
http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token"
>>>> |
>>>> jq .access_token -r`
>>>> time curl -X POST
>>>> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token
>>>> -H
>>>> "Authorization: Bearer $TOKEN" -d
>>>>
>>>>
"grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions"
>>>> *real 0m2,142s*
>>>> user 0m0,006s
>>>> sys 0m0,006s
>>>>
>>>> The only difference between the two commands is the client
>>>> (highlighted in
>>>> red). With the second client, it takes 2 seconds more consistently.
>>>> Any idea? I might be a cache problem...
>>>> Cheers
>>>> Corentin
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
2040
days inactive
2042
days old
6 comments
3 participants
participants (3)
-
Corentin Dupont -
luke@code-house.org -
Pedro Igor Silva