[keycloak-user] High Utilization with Keycloak Spring Boot adapter
Thomas Raehalme
thomas.raehalme at aitiofinland.com
Tue Nov 8 00:02:59 EST 2016
Hi!
With direct access grants and Basic auth you should authenticate with the
first request, then rely on the HttpSession for the subsequent ones. Every
request with the Basic auth header opens a new SSO session within Keycloak.
Best regards,
Thomas
On Nov 7, 2016 11:33 PM, "Alan Gibson" <alan.gibson at gmail.com> wrote:
Hello all,
During load testing the REST API of a Spring Boot based microservice, we
noticed that Keycloak was forming a huge bottleneck. We had 3 instances of
Keycloak (running in clustered mode), each of which was consuming 100% of 8
Xeon CPUs, while only hitting about 80 API calls per second. The load test
itself used 800 concurrent users, each doing 1 HTTP request every 100
milliseconds.
It looks like every time a POST is made to the REST API, Spring Boot makes
a call to Keycloak to (re)authenticate the user. The Keycloak logs are
filled with:
2016-11-06 11:48:07,819 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n]
(default task-74) RESTEASY002315: PathInfo: /realms/proxy/protocol/openid-
connect/token
2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74)
AUTHENTICATE CLIENT
2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74)
client authenticator: client-secret
2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74)
client authenticator SUCCESS: client-secret
2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74)
Client devicereportreceiver authenticated by client-secret
2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74)
AUTHENTICATE ONLY
2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74)
processFlow
2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74)
check execution: direct-grant-validate-username requirement: REQUIRED
2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74)
authenticator: direct-grant-validate-username
2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74)
invoke authenticator.authenticate
2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74)
authenticator SUCCESS: direct-grant-validate-username
2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74)
check execution: direct-grant-validate-password requirement: REQUIRED
2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74)
authenticator: direct-grant-validate-password
2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74)
invoke authenticator.authenticate
2016-11-06 11:48:07,821 DEBUG
[org.hibernate.engine.transaction.internal.TransactionImpl]
(default task-74) begin
2016-11-06 11:48:07,821 DEBUG
[org.jboss.jca.core.connectionmanager.pool.strategy.OnePool]
(default task-74) KeycloakDS: getConnection(null,
WrappedConnectionRequestInfo at 25df8309[userName=postgres]) [0/20]
2016-11-06 11:48:09,560 DEBUG [org.keycloak.services] (default task-74)
authenticator SUCCESS: direct-grant-validate-password
2016-11-06 11:48:09,560 DEBUG [org.keycloak.services] (default task-74)
check execution: direct-grant-validate-otp requirement: OPTIONAL
2016-11-06 11:48:09,560 DEBUG [org.keycloak.services] (default task-74)
authenticator: direct-grant-validate-otp
2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74)
invoke authenticator.authenticate
2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74)
authenticator ATTEMPTED: direct-grant-validate-otp
2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74)
Using full scope for client
2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74)
Using full scope for client
2016-11-06 11:48:09,739 DEBUG [org.keycloak.events] (default task-74)
type=LOGIN, realmId=REMOVED, clientId=REMOVED, userId=REMOVED,
ipAddress=REMOVED, auth_method=openid-connect, token_id=REMOVED,
grant_type=password, refresh_token_type=Refresh, refresh_token_id=REMOVED,
client_auth_method=client-secret, username=REMOVED
2016-11-06 11:48:09,739 DEBUG
[org.hibernate.engine.transaction.internal.TransactionImpl]
(default task-74) committing
2016-11-06 11:48:09,751 DEBUG
[org.jboss.jca.core.connectionmanager.pool.strategy.OnePool]
(default task-74) KeycloakDS: returnConnection(2aab4b06, false) [0/20]
The Spring Boot application.properties looks like
keycloak.realm=REMOVED
keycloak.realmKey=REMOVED
keycloak.auth-server-url=${KEYCLOAK_AUTHENTICATION_SERVER}
keycloak.ssl-required=none
keycloak.resource=REMOVED
#keycloak.use-resource-role-mappings=true
keycloak.enable-basic-auth=true
keycloak.credentials.secret=${KEYCLOAK_CLIENT_SECRET}
keycloak.cors=true
keycloak.cors-allowed-headers=x-requested-with,origin,content-type,accept,
authorization
keycloak.cors-allowed-methods=GET,POST,DELETE,PUT,OPTIONS
keycloak.cors-max-age=3600
keycloak.expose-token=true
keycloak.bearer-only=true
keycloak.securityConstraints[0].securityCollections[0].name=REMOVED
keycloak.securityConstraints[0].securityCollections[0].authRoles[0]=user
keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/REMOVED
keycloak.securityConstraints[1].securityCollections[0].name=REMOVED
keycloak.securityConstraints[1].securityCollections[0].authRoles[0]=DEVICE
keycloak.securityConstraints[1].securityCollections[0].
patterns[0]=/REMOVED/*
So my questions are:
1. Would you expect to see this kind of high utilization with my test
scenario?
2. Should the Keycloak Spring Boot adapter be reauthenticating with every
request, as opposed to caching the authentication results for a short
period of time, or just relying on normal HTTP sessions?
Br,
Alan
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list