[keycloak-dev] Slow Direct Grants API endpoint

Daniel Baxter daniel.baxter at cira.ca
Mon Feb 2 11:03:44 EST 2015


Hi,

I have just finished some testing on 1.1.0 Final and found that the core problem was that through an abundance of caution we have configured hash iterations to 100,000 (which I of course typoed to 1M on Beta 2 when I configured it). The performance delta between 1.0 and 1.1 is explained by the typo there. However, even with the change to 100K in place I found the endpoint was still too slow (600~800ms) and discovered that it scaled linearly down as I reduced the iterations.

So I guess the question now is how many iterations is the default and how many would be a recommended "overly cautious" amount of iterations. I understand that Keycloak defaults to Bcrypt hashing, which is designed explicitly to be computationally expensive, so I imagine iterations in the scope of 10-50 is probably sufficient to keep the passwords safe.

- Daniel

-----Original Message-----
From: Stian Thorgersen [mailto:stian at redhat.com] 
Sent: Thursday, January 15, 2015 7:37 AM
To: Daniel Baxter
Cc: keycloak-dev at lists.jboss.org
Subject: Re: [keycloak-dev] Slow Direct Grants API endpoint

Just ran some perf tests with default settings, 10 users and 10000 requests:

  Version                Average (ms)    Throughput
  -------------------------------------------------
  1.0.4.Final            18              468
  1.1.0.Beta2            19              470
  1.1.0.Final-SNAPSHOT   20              426


----- Original Message -----
> From: "Daniel Baxter" <daniel.baxter at cira.ca>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Wednesday, 14 January, 2015 3:56:03 PM
> Subject: RE: [keycloak-dev] Slow Direct Grants API endpoint
> 
> Honestly I don't know how to check what is being used. I assume it 
> would be whatever Keycloak Appliance defaults to. I checked with the 
> guy who configured 1.0.4 for the other application and he doesn't know 
> what we are using or how to configure it either. Sorry.
> 
> - Daniel
> 
> -----Original Message-----
> From: Stian Thorgersen [mailto:stian at redhat.com]
> Sent: Wednesday, January 14, 2015 9:19 AM
> To: Daniel Baxter
> Cc: keycloak-dev at lists.jboss.org
> Subject: Re: [keycloak-dev] Slow Direct Grants API endpoint
> 
> What user session provider are you using?
> 
> ----- Original Message -----
> > From: "Daniel Baxter" <daniel.baxter at cira.ca>
> > To: "Stian Thorgersen" <stian at redhat.com>
> > Cc: keycloak-dev at lists.jboss.org
> > Sent: Wednesday, 14 January, 2015 3:01:17 PM
> > Subject: RE: [keycloak-dev] Slow Direct Grants API endpoint
> > 
> > I am working with our ops team to configure 1.1.x with the same 
> > level of hardware as our development 1.0.4 system (right now it is 
> > running locally on a XEON workstation with piles of RAM).
> > 
> > Both are connected to postgres databases and I am the only person 
> > working on this portion of the project so it is just 1 user at a 
> > > time right now for 1.1.x. I have tested the database connection and 
> > > there are no real discernable performance irregularities for anything 
> > > that runs against that database.
> > 
> > For Keycloak itself, it is mostly straight out of the box appliance 
> > install for both 1.0.4 and 1.1.x and it runs on a single machine for 
> > development use (I believe our prod deployment is/will be clustered).
> > > The performance I am seeing is timeable on a stop watch for 1.1 and 
> > > near enough to instant for 1.0.4 (under 500 ms). Easily an order of 
> > > magnitude. Given the response I got (regarding the unexpectedness of 
> > > the slow behaviour) I want to make sure I have a completely fair 
> > > comparison and am working to set up 1.1 on a dedicated development 
> > > server to make the comparison completely fair.
> > 
> > - Daniel
> > 
> > -----Original Message-----
> > From: Stian Thorgersen [mailto:stian at redhat.com]
> > Sent: Wednesday, January 14, 2015 8:46 AM
> > To: Daniel Baxter
> > Cc: keycloak-dev at lists.jboss.org
> > Subject: Re: [keycloak-dev] Slow Direct Grants API endpoint
> > 
> > Direct grants are expected to be a little bit slower in 1.1.x due to 
> > the requirement to persist more, but should certainly not be seconds.
> > 
> > Can you give some more details please? Including
> > 
> > * What DB are you using?
> > * Are you using mem, infinispan or jpa user session provider?
> > * Clustered?
> > * How many concurrent requests/users are you testing with?
> > 
> > Any more accurate performance stats would also be helpful
> > 
> > ----- Original Message -----
> > > From: "Daniel Baxter" <daniel.baxter at cira.ca>
> > > To: keycloak-dev at lists.jboss.org
> > > Sent: Monday, 12 January, 2015 9:23:42 PM
> > > Subject: [keycloak-dev] Slow Direct Grants API endpoint
> > > 
> > > 
> > > 
> > > Hi,
> > > 
> > > 
> > > 
> > > I am attempting to integrate Keycloak into an existing application 
> > > to replace the homegrown user management system in place. We have 
> > > a new project built from the ground up on Keycloak 1.0.4.Final 
> > > which is exhibiting good performance. However this app that I am 
> > > porting has a remoting component that connects to the server with 
> > > bare username/password credentials over the EJB Remoting 
> > > framework. I was hoping to use 1.1.0 (currently Beta2) which 
> > > provides a DirectAccessGrantsLoginModule which does exactly what I 
> > > want (turns username and password into a KeycloakPrincipal). 
> > > However, the turn around time from Keycloak is on the order of several seconds.
> > > 
> > > 
> > > 
> > > I have used a bare REST client to execute the POSTs to both our
> > > 1.0.4 Keycloak and 1.1.0 Keycloak instances and have noted an 
> > > order of magnitude difference in getting a response. Is this a 
> > > known issue (I cannot find anything in the public bugs/tasks 
> > > list)? Or is this due to the Beta status leaving additional 
> > > performance affecting logging or instrumentation in place?
> > > 
> > > 
> > > 
> > > Thanks,
> > > 
> > > 
> > > 
> > > Daniel
> > > 
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > 
> 
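
The linear relationship between hash iterations and login latency reported at the top of this thread can be measured and used to size the iteration count against a latency budget. The sketch below is an added example, not code from the thread or from Keycloak; it assumes a PBKDF2-HMAC-SHA1 iterated hash (the thread does not show the realm's hashing configuration), and all function names are hypothetical.

```python
import hashlib
import hmac
import os
import time


def pbkdf2(password: bytes, salt: bytes, iterations: int) -> bytes:
    # Assumed algorithm for this example: PBKDF2-HMAC-SHA1, 20-byte output.
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen=20)


def cost_per_iteration(probe_iterations=20_000, rounds=3,
                       clock=time.perf_counter, kdf=pbkdf2) -> float:
    """Seconds per iteration on this host; best of `rounds` to damp noise."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(rounds):
        start = clock()
        kdf(b"constructed-sample-password", salt, probe_iterations)
        best = min(best, clock() - start)
    return best / probe_iterations


def predicted_latency_ms(iterations: int, per_iteration_s: float) -> float:
    # Hash time grows linearly with the iteration count.
    return iterations * per_iteration_s * 1000.0


def iterations_for_budget(budget_ms: float, per_iteration_s: float,
                          floor: int = 1_000) -> int:
    """Largest count whose hash time fits the budget, never below `floor`."""
    return max(floor, int((budget_ms / 1000.0) / per_iteration_s))


def verify(password: bytes, salt: bytes, iterations: int,
           expected: bytes) -> bool:
    # Every login pays the full iteration cost; compare in constant time.
    return hmac.compare_digest(pbkdf2(password, salt, iterations), expected)


if __name__ == "__main__":
    unit = cost_per_iteration()
    for n in (1_000, 10_000, 100_000, 1_000_000):
        print(f"{n:>9} iterations ~ {predicted_latency_ms(n, unit):8.1f} ms")
    print("fits in a 50 ms budget:", iterations_for_budget(50, unit))
```

Run it on the same hardware class as the server, since the per-iteration cost is host-specific and is paid on every direct grant request.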


