Maximum number of clients (applications) in a realm

I am worried about the maximum number of clients in a realm.Also about the maximum number of permissions that can be assigned to a user. Is keycloak has any limitation on these ?

Thanks & Regards
Jasmel

Hi @jasmelpc
did you found some limitations on clients? I’m also trying to find ount whethere there are some limitations.
We will crate probably > 10000 clients with service accounts so I’m wondering it this performs well.

As far as I know there are no known limitations to the number of clients.
One suggesting is to give Keycloak as much memory as you can so things can be cached and accessed quickly.

Unfortunately there is a limitation which we recently found :frowning:
https://issues.redhat.com/browse/KEYCLOAK-14329

Too bad, hope they have time to investigate this soon.
I’m curious, what was the memory consumption once you hit that limit?

There was no problem with memory at least not at my computer. You can test it, there’s attached jmeter script and docker-compose.
I had 100k users and then added 10k clients. After 10k clients new user/client creation takes ~50 seconds.

Just tried it out and have the same result, after 10k clients creation is very slow and I am getting a lot of Unauthorized errors when trying to create a client, almost looks like token time out before they are getting used.

On first guess it could be that some things need to be tweaked.
It could be that the cache has a certain limit and it’s trying to put one in while invalidating an other.
You can take a look at the standalone-ha.xml file under the <subsystem xmlns="urn:jboss:domain:infinispan:9.0"> and tweak those values somewhat

Yes I was looking into it, but at first look there’s no simple pointer to clients. So I hope somebody from dev team responds to the ticket and provides some solution for this.

Looking at the RealmCacheSession class it seems that clients are added to the realm cache.
I’ve looked a bit further and it seems to also create a service account user and adds that to the users cache :stuck_out_tongue:
It wouldn’t be a surprise that this is cache related.

Anywho, good luck and I hope you will have a solution soon.

update

I’ve done some tests and after tweaking the infinispan subsystem in my standalone-ha.xml file and setting the object-memory sizes higher than the default 10000 value this seems to improve the situation with noticeable difference. I’ve changed the values to 100000,
I’m already over 25000 clients now without seeing any problems or slowdown.

2 Likes

that’s great, I’ve tested this recently and it works. I’m just curious what whethere it has impact to other parts of system. I guess the memory footprint will be one thing.

ok so I’ve increased the cache size to 100k, but now after 30k of clients and 250k users, it’s again really slow. I guess that keycloak is really not prepared for high number of clients :frowning:

That realm cache keeps also other objects e.g. roles, groups. It is not just about number of clients. IMHO you have again reached 100k object limits. You can try to increase limit again. Some experienced users even build own external infinispan clusters and use that. I wouldn’t say that Keycloak is really not prepared for high number of clients. Only default configuration (which works fine for 99% of Keycloak users) is not prepared for that.

Keep investigating and keep us updated with your results. :+1:

@jangaraj well it would be nice if this kind of caching is documented somewhere so we can prepare our KC to sizing we require. I know about this https://www.keycloak.org/docs/latest/server_installation/#cache-configuration but it’s really hard to configure “some” number.

For users there is not needed any change, it just works with default setup. But for clients there could be some advice how to properly configure the caching because in that cache are also roles/groups/… as you mentioned. Or maybe clients should use same caching mechanism as users do.

I wish the same :-). At least nice to have some warning in the logs or stats output from the infinispan so inexperienced infinispan user will know that is a problem with cache configuration (because it has reached some own predefined limits).

Changed realm cache to 500k but that didn’t solved the issue. After 30k of clients (with no additional users) it is slow again :frowning:

Hmm that’s weird. Currently I have ~38k clients. If I run jmeter tests in one thread it’s relativelly ok. However if I run tests in 10 threads I’m getting error with postgre connection. So maybe if I can eliminate this issue I can move forward…any ideas?

keycloak_1  | 10:23:20,333 WARN  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-31) SQL Error: 0, SQLState: 08003
keycloak_1  | 10:23:20,380 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-31) This connection has been closed.
keycloak_1  | 10:23:20,381 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-31) Uncaught server error: org.keycloak.models.ModelException: javax.persistence.PersistenceException: org.hibernate.exception.JDBCConnectionException: could not prepare statement
keycloak_1  | 	at org.keycloak.keycloak-model-jpa@10.0.1//org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61)
keycloak_1  | 	at org.keycloak.keycloak-model-jpa@10.0.1//org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:51)
keycloak_1  | 	at javax.persistence.api@2.2.3//com.sun.proxy.$Proxy92.flush(Unknown Source)
keycloak_1  | 	at org.keycloak.keycloak-model-jpa@10.0.1//org.keycloak.models.jpa.JpaRealmProvider.addClient(JpaRealmProvider.java:605)
keycloak_1  | 	at org.keycloak.keycloak-model-jpa@10.0.1//org.keycloak.models.jpa.JpaRealmProvider.addClient(JpaRealmProvider.java:589)
keycloak_1  | 	at org.keycloak.keycloak-model-infinispan@10.0.1//org.keycloak.models.cache.infinispan.RealmCacheSession.addClient(RealmCacheSession.java:498)
keycloak_1  | 	at org.keycloak.keycloak-model-infinispan@10.0.1//org.keycloak.models.cache.infinispan.RealmAdapter.addClient(RealmAdapter.java:743)
keycloak_1  | 	at org.keycloak.keycloak-server-spi-private@10.0.1//org.keycloak.models.utils.RepresentationToModel.createClient(RepresentationToModel.java:1280)
keycloak_1  | 	at org.keycloak.keycloak-server-spi-private@10.0.1//org.keycloak.models.utils.RepresentationToModel.createClient(RepresentationToModel.java:1274)
keycloak_1  | 	at org.keycloak.keycloak-services@10.0.1//org.keycloak.services.managers.ClientManager.createClient(ClientManager.java:78)
keycloak_1  | 	at org.keycloak.keycloak-services@10.0.1//org.keycloak.services.resources.admin.ClientsResource.createClient(ClientsResource.java:190)
keycloak_1  | 	at jdk.internal.reflect.GeneratedMethodAccessor519.invoke(Unknown Source)
keycloak_1  | 	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
keycloak_1  | 	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
keycloak_1  | 	at org.jboss.resteasy.resteasy-jaxrs@3.11.2.Final//org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138)
keycloak_1  | 	at org.jboss.resteasy.resteasy-jaxrs@3.11.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:535)
keycloak_1  | 	at org.jboss.resteasy.resteasy-jaxrs@3.11.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:424)
keycloak_1  | 	at org.jboss.resteasy.resteasy-jaxrs@3.11.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:385)
keycloak_1  | 	at org.jboss.resteasy.resteasy-jaxrs@3.11.2.Final//org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:356)
keycloak_1  | 	at org.jboss.resteasy.resteasy-jaxrs@3.11.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:387)
keycloak_1  | 	at org.jboss.resteasy.resteasy-jaxrs@3.11.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:356)
keycloak_1  | 	at org.jboss.resteasy.resteasy-jaxrs@3.11.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:150)
keycloak_1  | 	at org.jboss.resteasy.resteasy-jaxrs@3.11.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:110)
keycloak_1  | 	at org.jboss.resteasy.resteasy-jaxrs@3.11.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:141)
keycloak_1  | 	at org.jboss.resteasy.resteasy-jaxrs@3.11.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:110)
keycloak_1  | 	at org.jboss.resteasy.resteasy-jaxrs@3.11.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:141)
keycloak_1  | 	at org.jboss.resteasy.resteasy-jaxrs@3.11.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:104)
keycloak_1  | 	at org.jboss.resteasy.resteasy-jaxrs@3.11.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:440)
keycloak_1  | 	at org.jboss.resteasy.resteasy-jaxrs@3.11.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229)
keycloak_1  | 	at org.jboss.resteasy.resteasy-jaxrs@3.11.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
keycloak_1  | 	at org.jboss.resteasy.resteasy-jaxrs@3.11.2.Final//org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:356)
keycloak_1  | 	at org.jboss.resteasy.resteasy-jaxrs@3.11.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
keycloak_1  | 	at org.jboss.resteasy.resteasy-jaxrs@3.11.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
keycloak_1  | 	at org.jboss.resteasy.resteasy-jaxrs@3.11.2.Final//org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
keycloak_1  | 	at org.jboss.resteasy.resteasy-jaxrs@3.11.2.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
keycloak_1  | 	at org.jboss.resteasy.resteasy-jaxrs@3.11.2.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
keycloak_1  | 	at javax.servlet.api@2.0.0.Final//javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
keycloak_1  | 	at io.undertow.servlet@2.1.0.Final//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
keycloak_1  | 	at io.undertow.servlet@2.1.0.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
keycloak_1  | 	at org.keycloak.keycloak-services@10.0.1//org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:91)
keycloak_1  | 	at io.undertow.servlet@2.1.0.Final//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
keycloak_1  | 	at io.undertow.servlet@2.1.0.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
keycloak_1  | 	at io.undertow.servlet@2.1.0.Final//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
keycloak_1  | 	at io.undertow.servlet@2.1.0.Final//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
keycloak_1  | 	at io.undertow.servlet@2.1.0.Final//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
keycloak_1  | 	at io.undertow.servlet@2.1.0.Final//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
keycloak_1  | 	at org.wildfly.extension.undertow@19.1.0.Final//org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
keycloak_1  | 	at io.undertow.core@2.1.0.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
keycloak_1  | 	at io.undertow.servlet@2.1.0.Final//io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
keycloak_1  | 	at io.undertow.servlet@2.1.0.Final//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
keycloak_1  | 	at io.undertow.servlet@2.1.0.Final//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
keycloak_1  | 	at io.undertow.core@2.1.0.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
keycloak_1  | 	at io.undertow.core@2.1.0.Final//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
keycloak_1  | 	at io.undertow.servlet@2.1.0.Final//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
keycloak_1  | 	at io.undertow.core@2.1.0.Final//io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
keycloak_1  | 	at io.undertow.servlet@2.1.0.Final//io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
keycloak_1  | 	at io.undertow.core@2.1.0.Final//io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
keycloak_1  | 	at io.undertow.core@2.1.0.Final//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
keycloak_1  | 	at io.undertow.core@2.1.0.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
keycloak_1  | 	at org.wildfly.extension.undertow@19.1.0.Final//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
keycloak_1  | 	at io.undertow.core@2.1.0.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
keycloak_1  | 	at org.wildfly.extension.undertow@19.1.0.Final//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
keycloak_1  | 	at io.undertow.core@2.1.0.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
keycloak_1  | 	at io.undertow.servlet@2.1.0.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
keycloak_1  | 	at io.undertow.servlet@2.1.0.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78)
keycloak_1  | 	at io.undertow.servlet@2.1.0.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133)
keycloak_1  | 	at io.undertow.servlet@2.1.0.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130)
keycloak_1  | 	at io.undertow.servlet@2.1.0.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
keycloak_1  | 	at io.undertow.servlet@2.1.0.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
keycloak_1  | 	at org.wildfly.extension.undertow@19.1.0.Final//org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
keycloak_1  | 	at org.wildfly.extension.undertow@19.1.0.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1541)
keycloak_1  | 	at org.wildfly.extension.undertow@19.1.0.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1541)
keycloak_1  | 	at org.wildfly.extension.undertow@19.1.0.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1541)
keycloak_1  | 	at org.wildfly.extension.undertow@19.1.0.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1541)
keycloak_1  | 	at io.undertow.servlet@2.1.0.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
keycloak_1  | 	at io.undertow.servlet@2.1.0.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78)
keycloak_1  | 	at io.undertow.servlet@2.1.0.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99)
keycloak_1  | 	at io.undertow.core@2.1.0.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:370)
keycloak_1  | 	at io.undertow.core@2.1.0.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
keycloak_1  | 	at org.jboss.threads@2.3.3.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
keycloak_1  | 	at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
keycloak_1  | 	at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
keycloak_1  | 	at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
keycloak_1  | 	at java.base/java.lang.Thread.run(Thread.java:834)
keycloak_1  | Caused by: javax.persistence.PersistenceException: org.hibernate.exception.JDBCConnectionException: could not prepare statement
keycloak_1  | 	at org.hibernate@5.3.15.Final//org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:154)
keycloak_1  | 	at org.hibernate@5.3.15.Final//org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:181)
keycloak_1  | 	at org.hibernate@5.3.15.Final//org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:188)
keycloak_1  | 	at org.hibernate@5.3.15.Final//org.hibernate.internal.SessionImpl.doFlush(SessionImpl.java:1478)
keycloak_1  | 	at org.hibernate@5.3.15.Final//org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1458)
keycloak_1  | 	at jdk.internal.reflect.GeneratedMethodAccessor362.invoke(Unknown Source)
keycloak_1  | 	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
keycloak_1  | 	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
keycloak_1  | 	at org.keycloak.keycloak-model-jpa@10.0.1//org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:49)
keycloak_1  | 	... 82 more
keycloak_1  | Caused by: org.hibernate.exception.JDBCConnectionException: could not prepare statement
keycloak_1  | 	at org.hibernate@5.3.15.Final//org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:115)
keycloak_1  | 	at org.hibernate@5.3.15.Final//org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42)
keycloak_1  | 	at org.hibernate@5.3.15.Final//org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:113)
keycloak_1  | 	at org.hibernate@5.3.15.Final//org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:186)
keycloak_1  | 	at org.hibernate@5.3.15.Final//org.hibernate.engine.jdbc.internal.StatementPreparerImpl.prepareStatement(StatementPreparerImpl.java:81)
keycloak_1  | 	at org.hibernate@5.3.15.Final//org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3173)
keycloak_1  | 	at org.hibernate@5.3.15.Final//org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3706)
keycloak_1  | 	at org.hibernate@5.3.15.Final//org.hibernate.action.internal.EntityInsertAction.execute(EntityInsertAction.java:90)
keycloak_1  | 	at org.hibernate@5.3.15.Final//org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:604)
keycloak_1  | 	at org.hibernate@5.3.15.Final//org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:478)
keycloak_1  | 	at org.hibernate@5.3.15.Final//org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:356)
keycloak_1  | 	at org.hibernate@5.3.15.Final//org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39)
keycloak_1  | 	at org.hibernate@5.3.15.Final//org.hibernate.internal.SessionImpl.doFlush(SessionImpl.java:1472)
keycloak_1  | 	... 87 more
keycloak_1  | Caused by: org.postgresql.util.PSQLException: This connection has been closed.
keycloak_1  | 	at org.postgresql.jdbc@42.2.5//org.postgresql.jdbc.PgConnection.checkClosed(PgConnection.java:783)
keycloak_1  | 	at org.postgresql.jdbc@42.2.5//org.postgresql.jdbc.PgConnection.prepareStatement(PgConnection.java:1680)
keycloak_1  | 	at org.jboss.ironjacamar.jdbcadapters@1.4.20.Final//org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.doPrepareStatement(BaseWrapperManagedConnection.java:761)
keycloak_1  | 	at org.jboss.ironjacamar.jdbcadapters@1.4.20.Final//org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.prepareStatement(BaseWrapperManagedConnection.java:747)
keycloak_1  | 	at org.jboss.ironjacamar.jdbcadapters@1.4.20.Final//org.jboss.jca.adapters.jdbc.WrappedConnection$4.produce(WrappedConnection.java:478)
keycloak_1  | 	at org.jboss.ironjacamar.jdbcadapters@1.4.20.Final//org.jboss.jca.adapters.jdbc.WrappedConnection$4.produce(WrappedConnection.java:476)
keycloak_1  | 	at org.jboss.ironjacamar.jdbcadapters@1.4.20.Final//org.jboss.jca.adapters.jdbc.SecurityActions.executeInTccl(SecurityActions.java:97)
keycloak_1  | 	at org.jboss.ironjacamar.jdbcadapters@1.4.20.Final//org.jboss.jca.adapters.jdbc.WrappedConnection.prepareStatement(WrappedConnection.java:476)
keycloak_1  | 	at org.hibernate@5.3.15.Final//org.hibernate.engine.jdbc.internal.StatementPreparerImpl$1.doPrepare(StatementPreparerImpl.java:90)
keycloak_1  | 	at org.hibernate@5.3.15.Final//org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:176)
keycloak_1  | 	... 96 more

You could tweak the datasource (timeouts, pool, …), use a more recent PostgreSQL version, https://docs.wildfly.org/19.1/Admin_Guide.html#DataSource

Is the KC instance clustered?


This 10,000 number is mentioned in the documentation of caching Configuring distributed caches - Keycloak. Please read the highlighted part