3

I have done some load testing against Keycloak v5.0 since we are trying to use Keycloak as SSO for our project. However, the performance is far lower than we expected: we run Keycloak in a 12c and 24g memory VM, and the highest throughput is only around 70 rps, so I am wondering whether any tuning can help to increase the performance?

I have tested it with this command:

ab -T 'application/x-www-form-urlencoded' -n 100000 -c 10000 -p post.data http://192.168.135.92:8080/auth/realms/master/protocol/openid-connect/token

and with locust, using the script below:

from locust import HttpLocust, TaskSet
import requests
import json
import time

def get_token(l):
    # Request a token with the password grant (the endpoint under test).
    l.client.post("http://192.168.135.92:8080/auth/realms/test/protocol/openid-connect/token",
                  {"client_id": "admin-cli", "username": "test", "password": "password", "grant_type": "password"},
                  headers={"Connection": "close"})

def get_users(l):
    requests.adapters.DEFAULT_RETRIES = 5
    # Fetch an admin token outside the locust client, then list users with it.
    r = requests.post("http://192.168.135.92:8080/auth/realms/master/protocol/openid-connect/token",
                      data={"client_id": "admin-cli", "username": "admin", "password": "password", "grant_type": "password"},
                      headers={"Connection": "close"}).text
    h = {"Authorization": "Bearer " + json.loads(r)["access_token"], "Connection": "close"}
    l.client.get("http://192.168.135.92:8080/auth/admin/realms/master/users", headers=h, verify=False)

class UserBehavior(TaskSet):
    tasks = {get_token: 1}

class WebsiteUser(HttpLocust):
    task_set = UserBehavior
sunick
  • 31

1 Answer

2

That's because Keycloak uses PBKDF2 to hash the provided password. The default is 20000 hashing iterations. So the CPU is the bottleneck.

The number of hashing iterations is configurable; you can play with it under Authentication->Password Policy->Hashing Iterations to see a difference. Also, you can try to benchmark the same endpoint with the refresh_token grant; it should work much faster.
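
To check how much of a load-test ceiling the hashing cost accounts for, the following added example (not part of the original answer or of Keycloak) times one PBKDF2 derivation at several iteration counts and converts it into an upper bound on password-grant logins per second. The HMAC-SHA256 PRF, the 64-byte key length, the sample password and salt, and all function names are assumptions; Python's OpenSSL-backed hashlib will not match the JVM's timing exactly.

```python
import hashlib
import os
import time

# Assumptions (not stated on the page): HMAC-SHA256 as the PBKDF2 PRF and a
# 64-byte derived key. Adjust to match the realm's configured algorithm.
PRF = "sha256"
DKLEN = 64
PASSWORD = b"password"      # constructed sample input
SALT = os.urandom(16)       # constructed sample salt


def derive(iterations, password=PASSWORD, salt=SALT):
    """One PBKDF2 derivation, i.e. the CPU work behind one password check."""
    return hashlib.pbkdf2_hmac(PRF, password, salt, iterations, dklen=DKLEN)


def seconds_per_hash(iterations, rounds=5):
    """Best-of-N wall time for a single derivation on one core."""
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        derive(iterations)
        best = min(best, time.perf_counter() - start)
    return best


def max_logins_per_sec(sec_per_hash, cores):
    """Ceiling on password-grant logins/s if hashing were the only cost."""
    if sec_per_hash <= 0 or cores < 1:
        raise ValueError("need a positive hash time and at least one core")
    return cores / sec_per_hash


def report(cores=12, iteration_counts=(1000, 5000, 20000, 100000)):
    """Return (iterations, ms per hash, login ceiling) rows for this host."""
    rows = []
    for n in iteration_counts:
        t = seconds_per_hash(n)
        rows.append((n, t * 1000.0, max_logins_per_sec(t, cores)))
    return rows


if __name__ == "__main__":
    for n, ms, ceiling in report():
        print(f"{n:>7} iterations: {ms:8.2f} ms/hash, <= {ceiling:9.0f} logins/s on 12 cores")
```

The per-hash time is also what each offline guess against a copied credential table costs, so compare the rows before lowering the policy value. If the measured ceiling at 20000 iterations is far above the observed rps, hashing is not the only bottleneck.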