April 9, 2024

On March 3rd, Keycloak released version 24, a significant milestone in its development. The release, detailed in the official documentation, brings a stronger algorithm and a higher iteration count for password hashing. Although this change improves security, it also requires more resources and more time to execute some requests.

To verify this statement, we conducted a series of tests:

  • Created 1000 users without any concurrency.
  • Implemented user scenarios involving authentication, retrieving information with the token, and introspecting the token under low activity conditions.
  • Executed these user scenarios under higher activity levels.

Throughout these tests, we compared the results, focusing on:

  • Response time
  • Number of requests

We performed a comparative analysis among versions 23, 24.0.1, and 24.0.2 to evaluate any discrepancies.

Create 1000 Users

First of all, we are going to create 1000 users. The point here is to check whether the new hashing method leads to a big change in terms of response time, due to the number of iterations (27500 in v23 and 210000 in v24) and the hashing algorithm (sha256 in v23 vs sha512 in v24).

v23

Time: ~ 6 minutes

Average response time: ~ 180ms

v24.0.1

Time: ~ 19 minutes

Average response time: ~ 600ms

V24.0.2

Time: ~19 minutes

Average response time: 750ms

V24.0.2 with the v23 hashing method

Let's modify the hashing method of our deployment to align with the v23 version and observe the outcomes.

Time: ~10 minutes

Average response time: 200ms

Based on these results, it's evident that the v24 deployment, utilizing the v23 hashing method, tends to converge towards the statistics observed with the v23 deployment.
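
The cost of the two parameter sets above can also be measured outside Keycloak. The following is an added example, not code from Keycloak or from these tests: it assumes the hashes are PBKDF2 (Keycloak's default scheme) and uses Python's `hashlib`; the profile names, the sample password and the derived-key length are assumptions.

```python
import hashlib
import os
import statistics
import time

# Parameter sets quoted in this article: (digest, iterations).
PROFILES = {
    "v23": ("sha256", 27_500),
    "v24": ("sha512", 210_000),
}


def hash_password(password: bytes, salt: bytes, profile: str) -> bytes:
    """Derive a PBKDF2 hash with the named profile's parameters."""
    digest, iterations = PROFILES[profile]
    # Assumption: output length is the digest's native size (32 or 64 bytes).
    return hashlib.pbkdf2_hmac(digest, password, salt, iterations)


def seconds_per_hash(profile: str, runs: int = 5) -> float:
    """Median wall-clock cost of one hash on this machine."""
    salt = os.urandom(16)
    samples = []
    for _ in range(runs):
        start = time.perf_counter()
        hash_password(b"constructed-sample-password", salt, profile)
        samples.append(time.perf_counter() - start)
    return statistics.median(samples)


def capacity_report(runs: int = 5) -> dict:
    """Per-hash cost, hashes per second on one core, and the v24/v23 ratio."""
    cost = {name: seconds_per_hash(name, runs) for name in PROFILES}
    report = {
        name: {"ms_per_hash": c * 1000, "hashes_per_core_s": 1 / c}
        for name, c in cost.items()
    }
    report["slowdown"] = cost["v24"] / cost["v23"]
    return report


if __name__ == "__main__":
    for key, value in capacity_report().items():
        print(key, value)
```

Each user creation and each password login pays this cost once, so the hashes-per-second figure is an upper bound on what a single core can sustain for those requests.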

Performance testing

We will now conduct a low-activity test on the deployments to evaluate the disparities between the two versions.

Low activity

V23

v24.0.1

v24.0.2

In a low-activity scenario, the v23 deployment sends a response approximately three times faster than the v24 deployment. Let's assess whether this difference remains consistent under higher activity levels.

Bigger activity

To check whether these differences lead to latency, let’s apply a higher level of activity to our deployments and analyze the response time and CPU utilization of our instances.

V23

V24.0.1

V24.0.2

As observed in the low-activity graphs, there exists a significant disparity between the two versions. Once again, the response time is considerably higher in v24, rendering the versions incomparable. This time, let's examine the CPU usage. In the v24 version, the increased hashing iterations are consuming more resources, overwhelming the instances. Similar to the user creation tests, let's compare this with a v24 deployment using the v23 hashing method.

V24.0.2 with the v23 hashing method

Here, approximately 25% of the CPU is utilized, similar to that of the v23 deployment. Additionally, the response time remains comparable. However, the new hashing method introduces latency, ultimately straining the instance and causing overwhelming resource consumption.

But don't panic: work on these concerns has already been announced for Keycloak v25, and of course Cloud IAM has got you covered. As usual, v25 will be available promptly on Cloud IAM.

Stay tuned ✨

Written by Bryan BRETON
Last update: April 9, 2024