[keycloak-user] Performance

Rainer-Harbach Marian marian.rainer-harbach at apa.at
Wed Mar 28 11:58:48 EDT 2018


Hi Daniel!

On 2018-03-27 09:57, Hammarberg, Daniel wrote:
> Our main concern right now, except that we run on much smaller machines, is that the initial user import takes too long to finish. It starts out fast and then quite soon, it runs slower and slower.

How are you importing the users and how long is "too long"? I created my 
five million test users using the admin REST API in one overnight run 
(even when Keycloak was configured to use the default of 27500 hashing 
iterations). I didn't observe any slowdown during the course of that run.

> Do you think it would help to radically reduce the number of hashing iterations (to, say, one) during import? We force the users to change their password on the first login anyway, so I guess that it would not affect security?

Well, it would be problematic if your database was stolen before every 
user really did change their password.

If you force users to do a password reset anyway, an alternative might be
to import the users without any credentials. Then there would be nothing
to hash. Users would gain access to their accounts by using the
forgotten password feature.

Best regards,
Marian
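
To put numbers on the trade-off discussed in this message, the following added example (not part of the original e-mail and not Keycloak code) times password hashing at the quoted 27500 iterations and at one iteration, then scales the result to a five-million-user import and to the guessing rate available against a stolen table. It assumes PBKDF2-HMAC-SHA256 with a 64-byte derived key and a 16-byte salt; timings come from Python on the local machine, not from a Keycloak server.

```python
import hashlib
import os
import time

DEFAULT_ITERATIONS = 27500  # default iteration count quoted in the message
USERS = 5_000_000           # size of the test import mentioned in the message
KEY_BYTES = 64              # assumption: 512-bit derived key
SALT_BYTES = 16             # assumption: 128-bit per-user salt


def hash_password(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 (assumed algorithm), standing in for the server-side hash."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=KEY_BYTES)


def seconds_per_hash(iterations: int, samples: int) -> float:
    """Average wall-clock cost of one hash on a single core of this machine."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for i in range(samples):
        # Constructed sample passwords; the content does not affect the cost.
        hash_password(b"constructed-sample-%d" % i, salt, iterations)
    return (time.perf_counter() - start) / samples


def estimate(iterations: int, samples: int) -> dict:
    """Scale the per-hash cost to the import and to offline guessing."""
    cost = seconds_per_hash(iterations, samples)
    return {
        "iterations": iterations,
        # CPU time spent on hashing alone while importing every user.
        "import_cpu_hours": cost * USERS / 3600,
        # Password guesses per second and core for whoever holds a stolen table.
        "guesses_per_core_second": 1 / cost,
    }


if __name__ == "__main__":
    for iterations, samples in ((DEFAULT_ITERATIONS, 10), (1, 2000)):
        e = estimate(iterations, samples)
        print(f"{e['iterations']:>6} iterations: "
              f"{e['import_cpu_hours']:8.2f} CPU-hours to hash {USERS} users, "
              f"{e['guesses_per_core_second']:12.0f} guesses/s per core")
```

Importing users without credentials, as suggested above, removes the hashing cost from the import entirely and leaves no weakly hashed passwords in the database.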
