Request processing speed


I test the speed of obtaining access tokens using a request and get the following values on pods in the kubernetes cluster, without a base and with a base, use 4vcpu 8gb

curl -i -w “@curl-format.txt” -d “client_id=admin-cli” -d “username=keycloak” -d “password=keycloak” -d “grant_type=password”

time_connect: 0.002498s
time_appconnect: 0.000000s
time_pretransfer: 0.002583s
time_redirect: 0.000000s
time_starttransfer: 0.177327s
time_total: 0.177474s

Is 177ms normal?
What could be the reason for such slow responses?

It’s normal (and it can be worse, e. g. a few seconds). If you need better performance, then configure client and remove all unnecessary mappers, scopes, wildchar config options, permissions,… (make sure you know what you are doing, admin-cli is a system client, so I wouldn’t play with that client).

Without knowing more about your specific setup, it is hard to say. Speed for the token endpoint is generally related to your client configuration, and how much you have set up.

For reference, our token endpoint p95 is 142ms.

IMHO you have to differentiate between two various kinds of issuing a token:

  1. authenticate the user with credentials (password) and issuing the token
  2. issuing the token upon a token refresh request

The latter takes much less resources, as only a new token has to be issued, which is, as @jangaraj and @xgp already mentioned, dependent to your client config.

But the first case has additionally the task to check your password validity. And this comes also with a cost, mostly CPU, as the submitted (raw) password has to be hashed multiple times (default in Keycloak: PBKDF2 with 20k iterations), which is also fast today, but also must not be underestimated.

So, “first” requests to Keycloak to get a token, together with credentials, are most likely a bit slower, as it takes more resources, than subsequent (refresh) calls.