Generating a token through the token endpoint is slow (about 200 ms on average). Is it normal?

Hello,

I noticed that generating a token through the token endpoint (ex: http://localhost:8080/auth/realms/test/protocol/openid-connect/token) takes about 200 ms.

Is it normal that it is so slow? 200 ms seems quite big.
I’ve just created a test realm and a test client, leaving everything on the default values.

1 Like

It is normal. Especially the first time, when data (e.g. roles) are not cached:

But subsequent calls are usually faster, because of the cache:

Tracing will help you to understand the perf issues more - example: GitHub - jangaraj/keycloak-with-opentelemetry

2 Likes

Hum well that’s pretty weird because for me the first time it takes about 600 ms, then all subsequent calls take 180 ms minimum (200 ms on average):

I’m using Keycloak 15.0.1.
Just after creating the realm I created the user and that’s all. So I have a single user and no roles defined.

As I said - yes, the token endpoint is slow. Your slowness is 600ms. That’s nothing. I have had 5s+ (full scope, roles from LDAP, 1k+ clients), so some service providers (hi AWS ALB with OIDC) were failing.

“So I have a single user and no roles defined.” Yeah, but by default you have mappers/scope which still try to find roles, so there is still SQL executed, which is trying to get roles.

If you are asking how to improve token performance, then search the forum (Search results for 'slow token' - Keycloak); it was already discussed - disable full scope, remove all unnecessary roles, scopes, mappers, … Default Keycloak settings are trying to cover most use cases and they are not focused on the best token endpoint performance.

Real world numbers

Setup: Vanilla Keycloak 15.0.2, OIDC client with default settings vs minimal settings
avg 234ms vs 165ms for remote token endpoint response time (tested with Direct Access Grant flow) - 30% better performance with minimal settings.

1 Like
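
Added example, not part of the thread and not Keycloak code: a way to reproduce the measurements discussed above, timing the first call separately from the following ones over the Direct Access Grant flow. The URL is the one from the first post; the client id, username and password are placeholder assumptions, and the first call is only uncached right after a restart.

```python
import json
import statistics
import time
import urllib.parse
import urllib.request


def request_token(url, client_id, username, password, timeout=10.0):
    """One Direct Access Grant request; returns (seconds, parsed JSON)."""
    body = urllib.parse.urlencode({
        "grant_type": "password", "client_id": client_id,
        "username": username, "password": password,
    }).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    start = time.perf_counter()
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        payload = json.load(resp)
    elapsed = time.perf_counter() - start
    if "access_token" not in payload:
        raise RuntimeError("no access_token in response")
    return elapsed, payload


def summarize(cold, warm):
    """Millisecond statistics; warm must hold at least one sample."""
    warm_ms = sorted(s * 1000 for s in warm)
    p95_index = (95 * len(warm_ms) + 99) // 100 - 1  # nearest-rank p95
    return {
        "cold_ms": cold * 1000,
        "warm_min_ms": warm_ms[0],
        "warm_avg_ms": statistics.fmean(warm_ms),
        "warm_p95_ms": warm_ms[p95_index],
    }


def benchmark(url, client_id, username, password, warm_calls=20):
    """Time the first call on its own, then warm_calls further calls."""
    cold, _ = request_token(url, client_id, username, password)
    warm = [request_token(url, client_id, username, password)[0]
            for _ in range(warm_calls)]
    return summarize(cold, warm)


if __name__ == "__main__":
    # URL from the thread; client and user values are placeholders.
    print(benchmark(
        "http://localhost:8080/auth/realms/test/protocol/openid-connect/token",
        client_id="test-client", username="test-user", password="CHANGE_ME"))
```

Run it once with the client's default settings and once after disabling full scope and removing unneeded mappers to compare the warm averages.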