On March 3rd, Keycloak released version 24, a significant milestone in its development. The release, detailed in the official documentation, switches to a stronger password hashing algorithm with a much higher iteration count. This hardens stored passwords, but it will also need more resources and more time to serve some requests.
To verify this statement, we conducted a series of tests:
Throughout these tests, we compared the results, focusing on:
We performed a comparative analysis among versions 23, 24.0.1, and 24.0.2 to evaluate any discrepancies.
First of all, we create 1000 users. The point is to check whether the new hashing method leads to a large change in response time, given the higher number of iterations (27500 in v23 vs 210000 in v24) and the different hashing algorithm (sha256 in v23 vs sha512 in v24).
V23
Time: ~6 minutes
Average response time: ~180 ms
V24.0.1
Time: ~19 minutes
Average response time: ~600 ms
V24.0.2
Time: ~19 minutes
Average response time: 750 ms
Let's modify the hashing method of our deployment to align with the v23 version and observe the outcomes.
Time: ~10 minutes
Average response time: 200 ms
Based on these results, it's evident that the v24 deployment, utilizing the v23 hashing method, tends to converge towards the statistics observed with the v23 deployment.
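The per-request cost measured above is essentially the cost of one PBKDF2 computation under each parameter set. The script below is an added example (not code from this post or from Keycloak): it hashes and verifies a password with both parameter sets and measures the per-hash cost ratio. The 16-byte salt, the derived-key lengths and the record layout are assumptions for illustration, not Keycloak's storage format.

```python
import base64
import hashlib
import hmac
import os
import time

# PBKDF2 parameters compared in the post (v23 vs v24 defaults). The 16-byte
# salt and derived-key lengths (32 bytes for sha256, 64 for sha512) are
# assumptions about the Keycloak provider, not values from the post.
PROFILES = {
    "v23": {"hash_name": "sha256", "iterations": 27500, "dklen": 32},
    "v24": {"hash_name": "sha512", "iterations": 210000, "dklen": 64},
}


def hash_password(password: str, profile: str, salt: bytes = b"") -> dict:
    """Derive a PBKDF2-HMAC hash; the record keeps the parameters with the value."""
    p = PROFILES[profile]
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac(p["hash_name"], password.encode("utf-8"),
                             salt, p["iterations"], dklen=p["dklen"])
    return {
        "algorithm": "pbkdf2-" + p["hash_name"],
        "iterations": p["iterations"],
        "salt": base64.b64encode(salt).decode("ascii"),
        "value": base64.b64encode(dk).decode("ascii"),
    }


def verify_password(password: str, record: dict) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    hash_name = record["algorithm"].split("-", 1)[1]
    salt = base64.b64decode(record["salt"])
    expected = base64.b64decode(record["value"])
    dk = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                             salt, record["iterations"], dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def cost_ratio(rounds: int = 3) -> float:
    """Per-hash wall-clock cost of the v24 profile divided by the v23 profile.
    This cost is paid on every request that hashes a password (creation, login)."""
    salt = b"\x00" * 16  # constructed fixed salt; timing does not depend on it
    timings = {}
    for profile in PROFILES:
        start = time.perf_counter()
        for _ in range(rounds):
            hash_password("benchmark-password", profile, salt)
        timings[profile] = (time.perf_counter() - start) / rounds
    return timings["v24"] / timings["v23"]
```

Calling `cost_ratio()` on the deployment's hardware gives the per-hash slowdown to expect; the ratio of the two parameter sets, not the absolute time, is what carries over between machines.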
We will now conduct a low-activity test on the deployments to evaluate the disparities between the two versions.
In a low-activity scenario, the v23 deployment sends a response approximately three times faster than the v24 deployment. Let's assess whether this difference remains consistent under higher activity levels.
To check whether these differences translate into latency under load, let's put more activity on our deployments and analyse the response time and CPU utilization of our instances.
V24.0.1
V24.0.2
As in the low-activity graphs, there is a significant disparity between the two versions. Once again, the response time is considerably higher in v24, so the two versions are no longer comparable. This time, let's examine the CPU usage. In v24, the increased hashing iterations consume more resources and overwhelm the instances. As with the user creation tests, let's compare this with a v24 deployment using the v23 hashing method.
V24.0.2 with the v23 hashing method
Here, approximately 25% of the CPU is utilized, similar to the v23 deployment, and the response time remains comparable. The new hashing method, by contrast, introduces latency and strains the instance with heavy resource consumption.
But don't panic: Keycloak has already announced that v25 addresses these concerns (Keycloak v25), and of course Cloud IAM has you covered. As usual, v25 will be available promptly on Cloud IAM.
Stay tuned ✨