Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 4.8.3.Final, 10.0.2
    • Fix Version/s: 11.0.0
    • Component/s: Core, Database
    • Labels:
      None
    • Steps to Reproduce:
      1. set up Keycloak 4.8 or Keycloak 10.0.2 Docker containers configured for MySQL 5.6
      2. create a realm
      3. create a client
      4. turn on UMA for the realm
      5. turn on UMA for the client
      6. create ~120k users
      7. create ~120k resources that are 1:1 for the users in the client
      8. create read scope & write scope for UMA in the client
      9. add 2 user policies per resource, one that will manage read scope & one for write scope
      10. create a keycloak group and add users to the group
      11. create a group policy per resource
      12. execute the UMA flow
      13. assert that the POST token endpoint when exchanging the access_token+permission ticket is painfully slow

      These steps are highly specific to the UMA policies that I'm doing but I'm pretty sure it's reproducible by just loading up resources, policies and permissions.

    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      Hello,

      I'm working on migrating our authorization over from a custom solution to Keycloak UMA. However, locally, after I have migrated ~120k resources over with ~475k policies, when I now try to exchange an access token+permission ticket for an RPT token using POST /auth/realms/${keycloak_realm}/protocol/openid-connect/token with grant-type uma-ticket, the 1st call is taking ~15-30 seconds to complete.

      Here's the Discourse thread that I started, which has more information: https://keycloak.discourse.group/t/post-token-uma-ticket-scalability/3484
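
A timing harness for the ticket exchange described in this report, added here as an example and not taken from the reporter or the Keycloak project. It separates the first call from later ones so a deployment can be checked before and after upgrading to the fix version. The host, realm, token and ticket values are placeholders, and it assumes the same permission ticket can be replayed within its lifetime (otherwise pass a callable that fetches a fresh ticket per call).

```python
import statistics
import time
import urllib.parse
import urllib.request

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

def build_rpt_request(base_url, realm, access_token, ticket):
    """Build the POST that exchanges access token + permission ticket for an RPT."""
    url = "{}/auth/realms/{}/protocol/openid-connect/token".format(
        base_url.rstrip("/"), urllib.parse.quote(realm, safe=""))
    body = urllib.parse.urlencode({"grant_type": UMA_GRANT, "ticket": ticket})
    return urllib.request.Request(
        url, data=body.encode("ascii"), method="POST",
        headers={"Authorization": "Bearer " + access_token,
                 "Content-Type": "application/x-www-form-urlencoded"})

def send(request, timeout=120):
    """Send one exchange; the timeout is generous because the report sees ~15-30 s."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return resp.status

def measure(send_once, calls=5, clock=time.perf_counter):
    """Time `calls` sequential exchanges and return the latencies in seconds."""
    latencies = []
    for _ in range(calls):
        start = clock()
        send_once()
        latencies.append(clock() - start)
    return latencies

def summarize(latencies, budget_s=1.0):
    """Separate the first (cold) call from the warm ones and flag budget overruns."""
    first, warm = latencies[0], latencies[1:]
    warm_median = statistics.median(warm) if warm else None
    return {"first_s": first, "warm_median_s": warm_median,
            "first_over_budget": first > budget_s,
            "warm_over_budget": warm_median is not None and warm_median > budget_s}

if __name__ == "__main__":
    # Constructed placeholders: substitute a real host, realm, token and ticket.
    req = build_rpt_request("http://localhost:8080", "demo-realm",
                            "ACCESS_TOKEN_PLACEHOLDER", "TICKET_PLACEHOLDER")
    print(summarize(measure(lambda: send(req))))
```

The `budget_s` threshold is an arbitrary illustration value; set it to the latency your relying parties can tolerate on the token endpoint.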

              People

              • Assignee:
                pcraveiro Pedro Igor Silva
                Reporter:
                zambonilli Mike Lohmeier
              • Votes:
                0
                Watchers:
                2

                Dates

                • Created:
                  Updated:
                  Resolved: