[keycloak-user] Permissions: Slow/complex interactions

Pedro Igor Silva psilva at redhat.com
Tue Jul 24 07:51:51 EDT 2018 

On Tue, Jul 24, 2018 at 7:54 AM, Corentin Dupont <corentin.dupont at gmail.com>
wrote:

> Hi guys,
> I experience some performance issue on my API server using Keycloak.
> After someone issue a GET on my API server, here is what happens:
>
> - API server -> DB server: get requested resources
> - API server -> Keycloak: get client token (to get resources)
> - API server -> Keycloak: get resources (to complement DB server with
> resource owner & visibility)
> - API server -> Keycloak: get user token (to get permission)
> - API server -> Keycloak: get permission (to filter resources)
> At this point the filtered resources are returned.
>
> But this process is quite slow. I noticed a call to KC can take up to
> 100ms.
> The complete call on the API server can take up to 600ms on my laptop, in
> localhost setting.
> The delays become noticeable on my UI...
>

Are you able to confirm the step(s) spending more time to process ? If when
obtaining client tokens, resources or during evaluation ?

Also, could you elaborate more what this step is doing: "- API server ->
Keycloak: get resources (to complement DB server with
resource owner & visibility)" ?


>
> With a resource SPI strategy (if developed), it should be:
>
> - API server -> DB server: get requested resources
> - API server -> Keycloak: get user token (to get permission)
> - API server -> Keycloak: get permission (to filter resources)
> - Keycloak -> DB server: get resources
>
> There is a little less requests. Additional gain is that resources are not
> split between 2 databases.
>
> I wonder if resources could be pushed during the permission request? Like a
> "pushed claim".
> This would be even more straightforward:
>
> - API server -> DB server: get requested resources
> - API server -> Keycloak: get user token (to get permission)
> - API server -> Keycloak: get permission and push resources


> Can this work?
>

I think this is an area we might want to improve in order to allow
evaluating permissions solely based on claims pushed to the server. That
means you won't need to manage resources in the server but rely on policies
to process the "pushed claims".

+1



> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

More information about the keycloak-user mailing list