Any workaround for initial user login taking a very long time (from several seconds up to several minutes) due to many associated groups?

Hi all,

In my use case, there are:

  1. Many users (around 70K) (imported from Active Directory)
  2. Many groups (around 25K) (imported from Active Directory)

Some senior/super users are associated with many groups (say 200 groups).

Currently, we hit the issue that, when a user logs in to Keycloak and the users/groups/roles are not already loaded into the internal Infinispan cache (or have been evicted), the user takes several seconds to several minutes to log in. This is due to Keycloak firing many SQL queries to retrieve the group/role information (1 group/role, 1 SQL query).

It seems this is due to the following bugs:

  1. [KEYCLOAK-19230] Calling getTopLevelGroups is slow inside GroupLDAPStorageMapper#getLDAPGroupMappingsConverted - Red Hat Issue Tracker
  2. [KEYCLOAK-17349] Performance issue with large number of LDAP groups - Red Hat Issue Tracker

While it seems the Keycloak team will not fix the bug in the near future, I want to seek your advice on any workaround (or even suggestions on how to fix it in code)? Spending minutes on the login flow is not acceptable to users…

Thank you.

Configure Infinispan so Keycloak will have all details there all the time, e.g. external Infinispan with persistent storage. Infinispan will have other types of problems, e.g. slow startup due to data preloading, …
Search for Infinispan in the keycloak-user mailing list to see more details about Infinispan problems and tweaks.

@jangaraj,

I have had a look at Infinispan, but:

  1. The external Infinispan feature (cross-site replication mode) seems to have been in technology preview stage for several years! I am worried about using it in a production environment.
  2. Tuning the size of the Infinispan caches (e.g. ‘realms’, ‘users’, …) doesn’t help, as the bottleneck is the initial groups/roles loading from the DB (many SQL queries fired). I have an idea to pre-load groups/roles on server start-up (and periodically pull groups/roles from the DB, as they may be evicted from the cache). This may alleviate the problem? I want to seek advice on how to implement this (preloading data into Infinispan) to give it a try…

Keycloak uses embedded Infinispan by default. I’m not saying to use cross-site replication (Hot Rod Infinispan). Only an external Infinispan cluster, which you will manage and which will be external from the Keycloak point of view. Did you read the recommended mailing list, e.g. https://groups.google.com/g/keycloak-user/c/Z-gbZ8TjIqM/m/2abnThrBDwAJ ?
You can configure persistence and preload, but again that will introduce other problems, e.g. the Infinispan cluster will take a few minutes to start. I really recommend searching the mailing list for the keyword ‘infinispan’ to see user experience.
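One concrete shape the “persistence and preload” suggestion above can take, added here as an example and not part of this thread or of Keycloak’s shipped configuration: a file-backed store attached to the `realms` cache in the Quarkus distribution’s `conf/cache-ispn.xml`. The cache name, encoding block and `max-count` follow the layout of Keycloak’s default file, and the `realms` cache is assumed to be the one that holds cached role and group objects. The `file-store` element with `preload`, `purge` and `shared` is Infinispan’s, but attribute names and the schema version (`13.0` below) vary between Infinispan releases, so check the exact syntax against the Infinispan version bundled with your Keycloak. The `max-count` value is an assumption; size it for your own data.

```xml
<infinispan xmlns="urn:infinispan:config:13.0">
  <cache-container name="keycloak">
    <!-- The realms cache is assumed to hold cached realm, role and group
         objects. Without a store, an entry evicted from memory has to be
         rebuilt from the DB, which is the per-group SQL the thread describes. -->
    <local-cache name="realms">
      <encoding>
        <key media-type="application/x-java-object"/>
        <value media-type="application/x-java-object"/>
      </encoding>
      <!-- Raise the in-memory limit so 25K groups and their roles are not
           evicted routinely. The number is an assumption; size it for your data. -->
      <memory max-count="100000"/>
      <!-- passivation="false": every entry is written through to the store,
           so an entry evicted from memory is read back from disk, not the DB.
           preload="true":  load the store into memory at startup (this is the
                            slower start the reply above warns about).
           purge="false":   keep the store contents across restarts.
           shared="false":  each node has its own store on local disk. -->
      <persistence passivation="false">
        <file-store preload="true" purge="false" shared="false"/>
      </persistence>
    </local-cache>
  </cache-container>
</infinispan>
```

Two caveats worth checking before relying on this. First, `realms` is a local cache that Keycloak keeps consistent across nodes with invalidation messages sent through its `work` cache; entries persisted to disk while a node was stopped will not have received invalidations for changes made in the meantime, so a restarted node can serve stale role/group data until those entries are invalidated or evicted. Second, the store only avoids the DB round trips for entries that have been cached at least once; the first login of a user whose groups were never loaded still pays the full cost described in the original post.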

I have briefly searched and checked the mailing list, but all Infinispan topics are about how to support many concurrent users/offline sessions, etc. It seems no tweaks can relieve/solve the initial cache-miss penalty (a simple user login that takes minutes is tooooo long!)…

I also had a look at the Keycloak source code; it seems that (when the user/groups/roles aren’t already loaded into Infinispan) there is always such a slow login problem (if the user has hundreds of groups/roles associated), due to excessive SQL queries fired to load data from the DB.

The only way I think I can relieve the situation is to pre-load the groups/roles into Infinispan (on server startup, though it will cause some Keycloak startup delay) and try to keep them in the Infinispan cache as long as possible…

Anyway, thanks for your comment.