[keycloak-user] Permissions: Slow/complex interactions
Corentin Dupont
corentin.dupont at gmail.com
Tue Jul 24 06:54:35 EDT 2018
Hi guys,
I experience some performance issue on my API server using Keycloak.
After someone issue a GET on my API server, here is what happens:
- API server -> DB server: get requested resources
- API server -> Keycloak: get client token (to get resources)
- API server -> Keycloak: get resources (to complement DB server with
resource owner & visibility)
- API server -> Keycloak: get user token (to get permission)
- API server -> Keycloak: get permission (to filter resources)
At this point the filtered resources are returned.
But this process is quite slow. I noticed a call to KC can take up to 100ms.
The complete call on the API server can take up to 600ms on my laptop, in
localhost setting.
The delays become noticeable on my UI...
With a resource SPI strategy (if developed), it should be:
- API server -> DB server: get requested resources
- API server -> Keycloak: get user token (to get permission)
- API server -> Keycloak: get permission (to filter resources)
- Keycloak -> DB server: get resources
There is a little less requests. Additional gain is that resources are not
split between 2 databases.
I wonder if resources could be pushed during the permission request? Like a
"pushed claim".
This would be even more straightforward:
- API server -> DB server: get requested resources
- API server -> Keycloak: get user token (to get permission)
- API server -> Keycloak: get permission and push resources
Can this work?
More information about the keycloak-user
mailing list