.svg)
.svg)
On June, Keycloak unveiled its 25th iteration. The release, detailed in the official documentation, brings an advanced algorithm and heightened iteration for password hashing. The previous password algorithm (PBKDF2) caused major performance losses, as detailed in our article on Keycloak v24. To improve the performance lost with the previous version, the hashing mode has been modified using Argon2. With Argon2 it is possible to achieve better security, with almost the same CPU time as previous releases of Keycloak.
As we’ve done in our previous article, for the v24 release, we did some performance tests to ensure that what we brought (performance issues) for the v24 are now corrected with this new algorithm as described in the Keycloak release note.
Our tests are the followings :
We are going to create 1000 users without concurrency, this point will help us to check the behavior of our instance with the Argon2 algorithm.
1000 users creation
As a reminder, here are the duration we’ve brought in the previous article for the users creation :
With Argon2 the user creation is made in ~6 min which means that we came back to the v23 timings with this new algorithm. Moreover, the v25 provides us a feature preview which keeps the user sessions in the database. This will give us the opportunity to keep the users sessions after the future migrations. Let’s try to create 1000 users with this feature preview.
With this feature, the creation takes 8 minutes. Which is still way faster than the v24.
These tests confirm that Argon2 answers perfectly to the issue raised on the previous Keycloak version. Creating 1000 users, even with the data persistence, is way more efficient than the v24 (even by changing the hashing method).
We’ve conducted testing on a high-activity v25 Keycloak cluster with the scenario we’ve described above. On the two instances, we observed several metrics, including CPU usage and response time:
Despite high activity, the cluster maintains excellent performance. For comparison, refer to the v24 article we published, where the CPU usage was significantly higher with only one-third of the activity.
As noted in the Keycloak release notes, Argon2 addresses the performance issues identified in v24, as discussed in the abovementioned article. Even with the addition of the session persistence feature preview, which is somewhat more resource-intensive, we observed the following metrics:
First consult our documentation to find out all the prerequisites for this upgrade, and then contact our support team to upgrade.
