Keycloak v25 - improved performance

October 29, 2024

In June, Keycloak released version 25. The release, detailed in the official documentation, brings a more advanced algorithm and increased iterations for password hashing. The previous password algorithm (PBKDF2) caused major performance losses, as detailed in our article on Keycloak v24. To recover the performance lost with the previous version, the hashing algorithm has been changed to Argon2. With Argon2 it is possible to achieve better security with almost the same CPU time as previous releases of Keycloak.

As in our previous article on the v24 release, we ran performance tests to check that the performance issues we reported for v24 are now corrected by this new algorithm, as described in the Keycloak release notes.

Our tests were as follows:

  • Created 1000 users without any concurrency.
  • Implemented user scenarios involving authentication, retrieving information with the token, and introspecting the token under high activity levels.

Create 1000 Users

We are going to create 1000 users without concurrency. This will help us check the behavior of our instance with the Argon2 algorithm.

1000 users creation

As a reminder, here are the durations we reported in the previous article for user creation:

  • KC 23: 6 min
  • KC 24: 19 min
  • KC 24 with a different hashing algorithm: 10 min

With Argon2, creating the users takes ~6 min, which means we are back to the v23 timings with this new algorithm. Moreover, v25 provides a feature preview that keeps user sessions in the database. This will make it possible to keep user sessions across future migrations. Let’s try to create 1000 users with this feature preview enabled.

With this feature, the creation takes 8 minutes, which is still way faster than v24.

These tests confirm that Argon2 fully addresses the issue raised with the previous Keycloak version. Creating 1000 users, even with data persistence, is far more efficient than on v24 (even compared with v24 using a different hashing method).
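Why a sequential user-creation run is so sensitive to the hashing settings can be measured directly. The following is an added example, not code from the original article or from Keycloak: it times one PBKDF2 hash per profile and projects the hashing time for 1000 users created one after another. The two profiles (their digests and iteration counts) are assumptions, and Argon2 is left out because it is not in the Python standard library.

```python
import hashlib
import os
import time

# Assumed PBKDF2 settings, not taken from this page: read the realm's
# password policy for the values your instance really uses.
PROFILES = {
    "pbkdf2-sha256": ("sha256", 27_500),
    "pbkdf2-sha512": ("sha512", 210_000),
}


def hash_cost_seconds(digest, iterations, samples=5):
    """Median wall-clock time of one PBKDF2 password hash."""
    timings = []
    for _ in range(samples):
        password = os.urandom(16)  # constructed sample password
        salt = os.urandom(16)
        start = time.perf_counter()
        hashlib.pbkdf2_hmac(digest, password, salt, iterations)
        timings.append(time.perf_counter() - start)
    return sorted(timings)[len(timings) // 2]


def compare(profiles=PROFILES, users=1000, samples=5):
    """Per profile: seconds per hash, seconds of hashing for `users`
    sequential creations, and hashes per second one core can sustain."""
    results = {}
    for name, (digest, iterations) in profiles.items():
        per_hash = hash_cost_seconds(digest, iterations, samples)
        results[name] = {
            "per_hash_s": per_hash,
            "creation_s": per_hash * users,
            "hashes_per_core_s": 1.0 / per_hash,
        }
    return results


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name}: {r['per_hash_s'] * 1000:.1f} ms/hash, "
              f"{r['creation_s'] / 60:.1f} min for 1000 users, "
              f"{r['hashes_per_core_s']:.1f} hashes/s per core")
```

The figures cover hashing time only and depend on the CPU, so run it on hardware comparable to the Keycloak host. Each password login also costs one hash, which is why the per-core rate matters for the authentication load test as well.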

Performance testing

We’ve conducted testing on a high-activity v25 Keycloak cluster with the scenario we’ve described above. On the two instances, we observed several metrics, including CPU usage and response time:

  • CPU kc1: ~85%
  • CPU kc2: ~60%
  • Response time: ~150ms

Despite high activity, the cluster maintains excellent performance. For comparison, refer to the v24 article we published, where the CPU usage was significantly higher with only one-third of the activity.

As noted in the Keycloak release notes, Argon2 addresses the performance issues identified in v24, as discussed in the abovementioned article. Even with the addition of the session persistence feature preview, which is somewhat more resource-intensive, we observed the following metrics:

  • Better response time than v24
  • Lower CPU usage than v24

Want to upgrade your Keycloak?

First consult our documentation to find out all the prerequisites for this upgrade, and then contact our support team to upgrade.

Written by Bryan Breton
Last update: October 29, 2024
