[keycloak-dev] Performance concerns and improvements for large numbers of clients [KEYCLOAK-8275]

Cristian Schuszter cristian.schuszter at cern.ch
Wed Sep 18 12:07:44 EDT 2019


Hello everyone,

My team and I have been revisiting some performance issues, namely the ones related to: https://issues.jboss.org/browse/KEYCLOAK-8275 .

From the comments, I understand that the plan is to re-implement the data access part of Keycloak, which is why the issues have been closed or put back into triage. We are planning to roll out a production Keycloak instance in the coming months / weeks and we've been doing some statistics on the number of clients that we would need to support: somewhere in the region of 15 000.

Firstly, I'd like to know what the status on the new / improved data access is, as I couldn't find any information on your Jira. Could you give us an estimate on when it would be released?

Secondly, assuming that it will take more time until such a high number of clients will be supported fully, I have a few simple improvements or changes in mind, and we'd gladly contribute with a PR. They are as follows:

1. New query parameters for the /auth/admin/realms/:realmId/clients endpoint:
  - limit (int): restrict the number of results when pulling all clients, useful for the admin UI as there's no point in pulling 200 pages of stuff, nobody's going to click the arrows to search manually
  - search (bool): if set to true, searches with a case-insensitive "LIKE %clientId%" query, as currently the search box on the admin UI works only in the case of an exact match (not particularly useful).

  The search flag combined with the limited results will allow admins to search through clients without the need to pull all the data from the server, causing a timeout. Any queries performed like before work the same, listing all clients.

2. Removal of "RedirectUtils.getValidRedirectUris()" from the class LogoutEndpoint (possibly turned on or off via a config flag??). With 15000 clients it took around 5 minutes for the logout endpoint to return successfully. Without the redirect URI validation, it finished in milliseconds. Since any redirect URI of any client of the realm can be used, I don't personally see much use from using it at all. (see https://issues.jboss.org/browse/KEYCLOAK-8284 )

3. Minor UI tweak: When pressing enter or clicking on search in the admin client list, a "Searching..." prompt appears under the search box.
  !! Talking about UI, I saw a strange thing in the Angular code, it seems that ALL the clients are pulled from the server when accessing the client details. I added a limit to that as well as they didn't seem to be used. I don't think the client list should be pulled by anything, but maybe somebody knows details here.


The PR is submitted at https://github.com/keycloak/keycloak/pull/6320, any feedback would be appreciated!

Best regards,
Cristian Schuszter
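
The `search` and `limit` semantics proposed in item 1, sketched as an added example that is not part of the original message or of the Keycloak code base. The table layout, the `demo` realm, the `MAX_LIMIT` cap and the sample client ids are assumptions constructed for the illustration; the search term is bound as a parameter and its LIKE wildcards are escaped so that user input only ever matches literally.

```python
import sqlite3

MAX_LIMIT = 100  # assumed server-side cap, not a Keycloak setting


def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters so the search term matches literally."""
    for ch in (esc, "%", "_"):
        term = term.replace(ch, esc + ch)
    return term


def find_clients(db, realm_id, client_id=None, search=False, limit=None):
    """Exact match unless search is true; every row unless limit is given."""
    sql, args = "SELECT client_id FROM client WHERE realm_id = ?", [realm_id]
    if client_id is not None and search:
        # Case-insensitive substring match, term passed as a bound parameter
        sql += " AND LOWER(client_id) LIKE ? ESCAPE '\\'"
        args.append("%" + escape_like(client_id.lower()) + "%")
    elif client_id is not None:
        sql += " AND client_id = ?"
        args.append(client_id)
    sql += " ORDER BY client_id"
    if limit is not None:
        # Clamp the requested page size to the assumed cap
        sql += " LIMIT ?"
        args.append(max(0, min(int(limit), MAX_LIMIT)))
    return [row[0] for row in db.execute(sql, args)]


def sample_db(n=15000):
    """Constructed data: n generated clients plus four hand-made ids."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE client (realm_id TEXT, client_id TEXT)")
    ids = ["app-%05d" % i for i in range(n)]
    ids += ["Grafana-Prod", "my_app", "myXapp", "100%-uptime"]
    db.executemany("INSERT INTO client VALUES ('demo', ?)", [(i,) for i in ids])
    return db


if __name__ == "__main__":
    db = sample_db()
    print(find_clients(db, "demo", "grafana", search=True))
    print(find_clients(db, "demo", "my_app", search=True))
    print(len(find_clients(db, "demo", "app-", search=True, limit=20)))
```
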


