keycloak / keycloak-benchmark

Keycloak Benchmark
https://www.keycloak.org/keycloak-benchmark/
Apache License 2.0

Add scenario for OpenID Connect Dynamic Client Registration #860

Open thomasdarimont opened 1 week ago

thomasdarimont commented 1 week ago

Description

The benchmark suite should cover this by default to ensure adequate performance.

Discussion

No response

Motivation

Dynamic Client Registration (DCR) is part of the OpenID Connect protocol suite, and Keycloak has supported it for many years.

Details

Securing Applications and Services Guide: Using the client registration service OpenID Connect dynamic client registration RFC

ahus1 commented 1 week ago

Hi @thomasdarimont - feel free to provide such a test. At the same time, I'm not so familiar with the DCR, so I assume you would create a lot of new clients as part of the process?

thomasdarimont commented 1 week ago

With DCR, the administrator would create one or multiple "initial access tokens" (IAT), where each IAT has an expiration time, e.g. 1 week, and is allowed to create a number of clients, e.g. 10 or 100.

A test could measure the observed response times / latencies while generating 100-1k-10k clients via the client registration endpoint. Those clients could have names with a prefix to be able to find and remove them easily later.

Dynamic client registrations can be restricted via the client registration policies, which gives the Keycloak administrator some control over the sort of clients that can be created.

We should test "Anonymous client creation" as well as "Authenticated client creation".

Yes, the test will probably create a few 100s or 1000s of clients. Perhaps it might make sense to test this against a dedicated dynamically generated realm that could then be removed after the test.
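A sketch of the measurement loop described in the comment above, added here as an example; it is not part of the thread or of the keycloak-benchmark code. The function names, host, realm, client-name prefix and the in-memory stub (including its 401 response once the token's quota is used up) are assumptions made for illustration; only the registration endpoint path is Keycloak's.

```python
import json
import time
import urllib.error
import urllib.request

def registration_url(base_url, realm):
    # Keycloak's OpenID Connect dynamic client registration endpoint.
    return f"{base_url.rstrip('/')}/realms/{realm}/clients-registrations/openid-connect"

def http_post(url, body, token=None):
    """POST JSON and return (status, document). token=None is the anonymous case."""
    headers = {"Content-Type": "application/json"}
    if token:  # initial access token for authenticated registration
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(url, json.dumps(body).encode(), headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}

def run_scenario(url, count, prefix, token=None, post=http_post, clock=time.perf_counter):
    """Register up to `count` clients; stop at the first non-201 response."""
    latencies, created = [], []
    for i in range(count):
        body = {"client_name": f"{prefix}{i:05d}",  # prefix makes later cleanup easy
                "redirect_uris": ["https://app.example.test/callback"]}
        start = clock()
        status, doc = post(url, body, token)
        elapsed = clock() - start
        if status != 201:
            return latencies, created, status  # e.g. IAT quota used up or policy rejection
        latencies.append(elapsed)
        created.append(doc["client_id"])
    return latencies, created, None

def percentile(values, p):
    """Nearest-rank percentile, p in 1..100."""
    ordered = sorted(values)
    return ordered[max(1, -(-p * len(ordered) // 100)) - 1]

def fake_registration_service(quota, iat="constructed-iat"):
    """Constructed in-memory stand-in: one IAT that may create `quota` clients."""
    issued = []
    def post(url, body, token=None):
        if token != iat or len(issued) >= quota:
            return 401, {}  # assumption of this stub, not captured from Keycloak
        issued.append(body["client_name"])
        return 201, {"client_id": f"client-{len(issued)}", **body}
    return post
```

Against a real test realm, call `run_scenario` without the `post` argument so it uses `http_post`, once with an initial access token and once with `token=None` for the anonymous case, and report `percentile(latencies, 95)` per batch size.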