slow performance when retrieving user sessions

715 views
Skip to first unread message

Gideon Caranzo

unread,
Mar 11, 2021, 1:55:32 AM3/11/21
to Keycloak Dev
Hi Keycloak Devs,

We recently did performance testing on Keycloak 11.0.3 and noticed a drastic degradation in performance once we reached 100K user sessions. Our test used 20 user threads that performs SAML authentications without logout and we have logic that limits the max number of sessions per user.

To give you a picture on the peformance, with 20 threads Keycloak achieved 15 authentications per second. But after reaching 100K user sessions, throughput is at 3~5 per second.

After some digging, I noticed on InfinispanUserSessionProvider that the cache is mapped by user session id. Correct me if I'm wrong but it looks to me that when you retrieve all sessions for a user, keycloak iterates through all sessions in the cache and filters by user id.

For our case, this is a bottleneck because in our session limit logic, we do retrieve user sessions everytime to remove the oldest session.

I can work on this improvement and would like to know if you're open about it.

For now, we patched the user session provider by introducing a new distributed cache that maps the user and it's sessions (just the ids) directly. So when a user session is created/removed we update the cache entry accordingly. And when retrieving sessions for the user, we get the list of session ids for the user from the cache and retrieve the session object for each session id.

Let me know what you guys think.

Best regards,
Gideon

Leistert Christoph (IOC/PAU2)

unread,
Apr 9, 2021, 5:22:46 AM4/9/21
to Gideon Caranzo, Keycloak Dev

Hi Gideon,

 

Thank you for sharing your results of your performance analyses.

 

We are currently facing the same issue, as we also developed a session limiter as SPI and used the mentioned functionality to receive all sessions for a given user.

 

We would highly appreciate a fix for this issue and are willing to discuss / contribute / review.

 

Could you share the idea to fix this issue via PR? I think it would be easier to discuss it there.

 

Best regards

Christoph Leistert

Bosch IoT Permissions - Product Area User Management (IOC/PAU-PM)
Bosch.IO GmbH | Ziegelei 7 | 88090 Immenstaad | GERMANY | www.bosch.io
Christoph...@bosch.io

Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber, Dr. Aleksandar Mitrovic, Yvonne Reckling

--
You received this message because you are subscribed to the Google Groups "Keycloak Dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-dev/bf09f3fd-c289-4adf-994d-04e4827862c9n%40googlegroups.com.

Reply all
Reply to author
Forward
0 new messages