Performance Test IS 7.0.0

Sachin-Mamoru commented 1 year ago

Describe the issue:

Performance analysis on the product-is 6.2.0 pack to identify any performance degradation.

Performance Test - Version 01

Testing the following scenarios with Single Node 4 Core and 2 Core, Two Node 4 Core and 2 Core

Test Scenarios	Description
Authenticate Super Tenant User	Select random super tenant users and authenticate through the RemoteUserStoreManagerService.
Auth Code Grant Redirect With Consent	Obtain an access token using the OAuth 2.0 authorization code grant type.
Implicit Grant Redirect With Consent	Obtain an access token using the OAuth 2.0 implicit grant type.
Password Grant Type	Obtain an access token using the OAuth 2.0 password grant type.
Client Credentials Grant Type	Obtain an access token using the OAuth 2.0 client credential grant type.
OIDC Auth Code Grant Redirect With Consent	Obtain an access token and an id token using the OAuth 2.0 authorization code grant type.
OIDC Implicit Grant Redirect With Consent	Obtain an access token and an id token using the OAuth 2.0 implicit grant type.
OIDC Password Grant Type	Obtain an access token and an id token using the OAuth 2.0 password grant type.
OIDC Auth Code Request Path Authenticator With Consent	Obtain an access token and an id token using the request path authenticator.
SAML2 SSO Redirect Binding	Obtain a SAML 2 assertion response using redirect binding.

Performance Test - Version 02

Publish performance test results in new representation for the selected flows.

SAML2 SSO Redirect Binding
OIDC Auth Code Grant Redirect With Consent
Client Credentials Grant Type
OIDC Password Grant Type
JWT Bearer Grant Flow

Related Email Threads

[subject] Presenting our performance results in an optimal way to do capacity planning for our customers

mpmadhavig commented 11 months ago

<13-12-2023> Correlation log Analysis findings (authorize call with code grant flow)

You can find a sample correlation log of IS 6.1.0 and IS 7.0.0-rc1-SNAPSHOT from the given links.

According to the log files there are 4 sets of call we need to focus on. Please refer the above mentioned files for more information.

Initial authorize call
- The DB call are almost the same in both versions. Except for the part that the session is being saved in the new IS version in IDN_AUTH_SESSION_STORE instead of IDN_AUTH_TEMP_SESSION_STORE.
Set of network call related to Client App related data loading.
- The new IS versions uses few new DB queries with join operations. As this is a browser based call, it includes branding related queries as well.

executeQuery|SELECT ID, NAME, DESCRIPTION FROM IDN_CONFIG_TYPE WHERE NAME = ? |jdbc:h2:./repository/database/WSO2IDENTITY_DB
executeQuery|SELECT R.ID, R.TENANT_ID, R.NAME, R.CREATED_TIME, R.LAST_MODIFIED, R.HAS_FILE, R.HAS_ATTRIBUTE, T.NAME AS RESOURCE_TYPE, T.DESCRIPTION AS DESCRIPTION, F.ID AS FILE_ID, F.NAME AS FILE_NAME, A.ID AS ATTR_ID, A.ATTR_KEY AS ATTR_KEY, A.ATTR_VALUE AS ATTR_VALUE FROM IDN_CONFIG_RESOURCE AS R INNER JOIN IDN_CONFIG_TYPE AS T ON R.TYPE_ID = T.ID LEFT JOIN IDN_CONFIG_ATTRIBUTE AS A ON ( R.HAS_ATTRIBUTE = TRUE AND A.RESOURCE_ID = R.ID ) LEFT JOIN IDN_CONFIG_FILE AS F ON ( R.HAS_FILE = TRUE AND F.RESOURCE_ID = R.ID )WHERE R.NAME = ? AND R.TENANT_ID = ? AND R.TYPE_ID = ?|jdbc:h2:./repository/database/WSO2IDENTITY_DB
executeQuery|SELECT ID, NAME, DESCRIPTION FROM IDN_CONFIG_TYPE WHERE NAME = ? |jdbc:h2:./repository/database/WSO2IDENTITY_DB
executeQuery|SELECT R.ID, R.TENANT_ID, R.NAME, R.CREATED_TIME, R.LAST_MODIFIED, R.HAS_FILE, R.HAS_ATTRIBUTE, T.NAME AS RESOURCE_TYPE, T.DESCRIPTION AS DESCRIPTION, F.ID AS FILE_ID, F.NAME AS FILE_NAME, A.ID AS ATTR_ID, A.ATTR_KEY AS ATTR_KEY, A.ATTR_VALUE AS ATTR_VALUE FROM IDN_CONFIG_RESOURCE AS R INNER JOIN IDN_CONFIG_TYPE AS T ON R.TYPE_ID = T.ID LEFT JOIN IDN_CONFIG_ATTRIBUTE AS A ON ( R.HAS_ATTRIBUTE = TRUE AND A.RESOURCE_ID = R.ID ) LEFT JOIN IDN_CONFIG_FILE AS F ON ( R.HAS_FILE = TRUE AND F.RESOURCE_ID = R.ID )WHERE R.NAME = ? AND R.TENANT_ID = ? AND R.TYPE_ID = ?|jdbc:h2:./repository/database/WSO2IDENTITY_DB
executeQuery|SELECT ID, NAME, DESCRIPTION FROM IDN_CONFIG_TYPE WHERE NAME = ? |jdbc:h2:./repository/database/WSO2IDENTITY_DB
executeQuery|SELECT R.ID, R.TENANT_ID, R.NAME, R.CREATED_TIME, R.LAST_MODIFIED, R.HAS_FILE, R.HAS_ATTRIBUTE, T.NAME AS RESOURCE_TYPE, T.DESCRIPTION AS DESCRIPTION, F.ID AS FILE_ID, F.NAME AS FILE_NAME, A.ID AS ATTR_ID, A.ATTR_KEY AS ATTR_KEY, A.ATTR_VALUE AS ATTR_VALUE FROM IDN_CONFIG_RESOURCE AS R INNER JOIN IDN_CONFIG_TYPE AS T ON R.TYPE_ID = T.ID LEFT JOIN IDN_CONFIG_ATTRIBUTE AS A ON ( R.HAS_ATTRIBUTE = TRUE AND A.RESOURCE_ID = R.ID ) LEFT JOIN IDN_CONFIG_FILE AS F ON ( R.HAS_FILE = TRUE AND F.RESOURCE_ID = R.ID ) WHERE R.NAME = ? AND R.TENANT_ID = ? AND R.TYPE_ID = ?|jdbc:h2:./repository/database/WSO2IDENTITY_DB
executeQuery|SELECT COUNT(SP_APP.APP_NAME) FROM SP_APP LEFT JOIN SP_INBOUND_AUTH ON SP_APP.ID = SP_INBOUND_AUTH.APP_ID WHERE SP_APP.TENANT_ID = ? AND SP_APP.APP_NAME != ? AND (SP_APP.APP_NAME = ?)|jdbc:h2:./repository/database/WSO2IDENTITY_DB
executeQuery|SELECT SP_APP.ID, SP_APP.APP_NAME, SP_APP.DESCRIPTION, SP_APP.UUID, SP_APP.IMAGE_URL, SP_APP.ACCESS_URL, SP_INBOUND_AUTH.INBOUND_AUTH_KEY, SP_INBOUND_AUTH.INBOUND_AUTH_TYPE, SP_APP.USERNAME, SP_APP.USER_STORE, SP_APP.TENANT_ID FROM SP_APP LEFT JOIN SP_INBOUND_AUTH ON SP_APP.ID = SP_INBOUND_AUTH.APP_ID WHERE SP_APP.TENANT_ID = ? AND SP_APP.APP_NAME != ? AND (SP_APP.APP_NAME = ?) ORDER BY SP_APP.ID DESC LIMIT ?, ?|jdbc:h2:./repository/database/WSO2IDENTITY_DB
executeQuery|SELECT ID, NAME, DESCRIPTION FROM IDN_CONFIG_TYPE WHERE NAME = ? |jdbc:h2:./repository/database/WSO2IDENTITY_DB
executeQuery|SELECT R.ID, R.TENANT_ID, R.NAME, R.CREATED_TIME, R.LAST_MODIFIED, R.HAS_FILE, R.HAS_ATTRIBUTE, T.NAME AS RESOURCE_TYPE, T.DESCRIPTION AS DESCRIPTION, F.ID AS FILE_ID, F.NAME AS FILE_NAME, A.ID AS ATTR_ID, A.ATTR_KEY AS ATTR_KEY, A.ATTR_VALUE AS ATTR_VALUE FROM IDN_CONFIG_RESOURCE AS R INNER JOIN IDN_CONFIG_TYPE AS T ON R.TYPE_ID = T.ID LEFT JOIN IDN_CONFIG_ATTRIBUTE AS A ON ( R.HAS_ATTRIBUTE = TRUE AND A.RESOURCE_ID = R.ID ) LEFT JOIN IDN_CONFIG_FILE AS F ON ( R.HAS_FILE = TRUE AND F.RESOURCE_ID = R.ID ) WHERE R.NAME = ? AND R.TENANT_ID = ? AND R.TYPE_ID = ?|jdbc:h2:./repository/database/WSO2IDENTITY_DB
executeQuery|SELECT COUNT(SP_APP.APP_NAME) FROM SP_APP LEFT JOIN SP_INBOUND_AUTH ON SP_APP.ID = SP_INBOUND_AUTH.APP_ID WHERE SP_APP.TENANT_ID = ? AND SP_APP.APP_NAME != ? AND (SP_APP.APP_NAME = ?)|jdbc:h2:./repository/database/WSO2IDENTITY_DB
executeQuery|SELECT SP_APP.ID, SP_APP.APP_NAME, SP_APP.DESCRIPTION, SP_APP.UUID, SP_APP.IMAGE_URL, SP_APP.ACCESS_URL, SP_INBOUND_AUTH.INBOUND_AUTH_KEY, SP_INBOUND_AUTH.INBOUND_AUTH_TYPE, SP_APP.USERNAME, SP_APP.USER_STORE, SP_APP.TENANT_ID FROM SP_APP LEFT JOIN SP_INBOUND_AUTH ON SP_APP.ID = SP_INBOUND_AUTH.APP_ID WHERE SP_APP.TENANT_ID = ? AND SP_APP.APP_NAME != ? AND (SP_APP.APP_NAME = ?) ORDER BY SP_APP.ID DESC LIMIT ?, ?|jdbc:h2:./repository/database/WSO2IDENTITY_DB
executeQuery|SELECT COUNT(SP_APP.APP_NAME) FROM SP_APP LEFT JOIN SP_INBOUND_AUTH ON SP_APP.ID = SP_INBOUND_AUTH.APP_ID WHERE SP_APP.TENANT_ID = ? AND SP_APP.APP_NAME != ? AND (SP_APP.APP_NAME = ?)|jdbc:h2:./repository/database/WSO2IDENTITY_DB
executeQuery|SELECT SP_APP.ID, SP_APP.APP_NAME, SP_APP.DESCRIPTION, SP_APP.UUID, SP_APP.IMAGE_URL, SP_APP.ACCESS_URL, SP_INBOUND_AUTH.INBOUND_AUTH_KEY, SP_INBOUND_AUTH.INBOUND_AUTH_TYPE, SP_APP.USERNAME, SP_APP.USER_STORE, SP_APP.TENANT_ID FROM SP_APP LEFT JOIN SP_INBOUND_AUTH ON SP_APP.ID = SP_INBOUND_AUTH.APP_ID WHERE SP_APP.TENANT_ID = ? AND SP_APP.APP_NAME != ? AND (SP_APP.APP_NAME = ?) ORDER BY SP_APP.ID DESC LIMIT ?, ?|jdbc:h2:./repository/database/WSO2IDENTITY_DB
executeQuery|SELECT ID, NAME, DESCRIPTION FROM IDN_CONFIG_TYPE WHERE NAME = ? |jdbc:h2:./repository/database/WSO2IDENTITY_DB
executeQuery|SELECT R.ID, R.TENANT_ID, R.NAME, R.CREATED_TIME, R.LAST_MODIFIED, R.HAS_FILE, R.HAS_ATTRIBUTE, T.NAME AS RESOURCE_TYPE, T.DESCRIPTION AS DESCRIPTION, F.ID AS FILE_ID, F.NAME AS FILE_NAME, A.ID AS ATTR_ID, A.ATTR_KEY AS ATTR_KEY, A.ATTR_VALUE AS ATTR_VALUE FROM IDN_CONFIG_RESOURCE AS R INNER JOIN IDN_CONFIG_TYPE AS T ON R.TYPE_ID = T.ID LEFT JOIN IDN_CONFIG_ATTRIBUTE AS A ON ( R.HAS_ATTRIBUTE = TRUE AND A.RESOURCE_ID = R.ID ) LEFT JOIN IDN_CONFIG_FILE AS F ON ( R.HAS_FILE = TRUE AND F.RESOURCE_ID = R.ID ) WHERE R.NAME = ? AND R.TENANT_ID = ? AND R.TYPE_ID = ?|jdbc:h2:./repository/database/WSO2IDENTITY_DB
executeQuery|SELECT ID, NAME, DESCRIPTION FROM IDN_CONFIG_TYPE WHERE NAME = ? |jdbc:h2:./repository/database/WSO2IDENTITY_DB
executeQuery|SELECT R.ID, R.TENANT_ID, R.NAME, R.CREATED_TIME, R.LAST_MODIFIED, R.HAS_FILE, R.HAS_ATTRIBUTE, T.NAME AS RESOURCE_TYPE, T.DESCRIPTION AS DESCRIPTION, F.ID AS FILE_ID, F.NAME AS FILE_NAME, A.ID AS ATTR_ID, A.ATTR_KEY AS ATTR_KEY, A.ATTR_VALUE AS ATTR_VALUE FROM IDN_CONFIG_RESOURCE AS R INNER JOIN IDN_CONFIG_TYPE AS T ON R.TYPE_ID = T.ID LEFT JOIN IDN_CONFIG_ATTRIBUTE AS A ON ( R.HAS_ATTRIBUTE = TRUE AND A.RESOURCE_ID = R.ID ) LEFT JOIN IDN_CONFIG_FILE AS F ON ( R.HAS_FILE = TRUE AND F.RESOURCE_ID = R.ID ) WHERE R.NAME = ? AND R.TENANT_ID = ? AND R.TYPE_ID = ?|jdbc:h2:./repository/database/WSO2IDENTITY_DB

Below are the queries used by IS 6.1.0

executeQuery|SELECT COUNT(SP_APP.APP_NAME) FROM SP_APP LEFT JOIN SP_INBOUND_AUTH ON SP_APP.ID = SP_INBOUND_AUTH.APP_ID WHERE SP_APP.TENANT_ID = ? AND SP_APP.APP_NAME != ? AND (SP_APP.APP_NAME = ?)|jdbc:h2:./repository/database/WSO2IDENTITY_DB
executeQuery|SELECT SP_APP.ID, SP_APP.APP_NAME, SP_APP.DESCRIPTION, SP_APP.UUID, SP_APP.IMAGE_URL, SP_APP.ACCESS_URL, SP_INBOUND_AUTH.INBOUND_AUTH_KEY, SP_INBOUND_AUTH.INBOUND_AUTH_TYPE, SP_APP.USERNAME, SP_APP.USER_STORE, SP_APP.TENANT_ID FROM SP_APP LEFT JOIN SP_INBOUND_AUTH ON SP_APP.ID = SP_INBOUND_AUTH.APP_ID WHERE SP_APP.TENANT_ID = ? AND SP_APP.APP_NAME != ? AND (SP_APP.APP_NAME = ?) ORDER BY SP_APP.ID DESC LIMIT ?, ?|jdbc:h2:./repository/database/WSO2IDENTITY_DB
executeQuery|SELECT COUNT(SP_APP.APP_NAME) FROM SP_APP LEFT JOIN SP_INBOUND_AUTH ON SP_APP.ID = SP_INBOUND_AUTH.APP_ID WHERE SP_APP.TENANT_ID = ? AND SP_APP.APP_NAME != ? AND (SP_APP.APP_NAME = ?)|jdbc:h2:./repository/database/WSO2IDENTITY_DB
executeQuery|SELECT SP_APP.ID, SP_APP.APP_NAME, SP_APP.DESCRIPTION, SP_APP.UUID, SP_APP.IMAGE_URL, SP_APP.ACCESS_URL, SP_INBOUND_AUTH.INBOUND_AUTH_KEY, SP_INBOUND_AUTH.INBOUND_AUTH_TYPE, SP_APP.USERNAME, SP_APP.USER_STORE, SP_APP.TENANT_ID FROM SP_APP LEFT JOIN SP_INBOUND_AUTH ON SP_APP.ID = SP_INBOUND_AUTH.APP_ID WHERE SP_APP.TENANT_ID = ? AND SP_APP.APP_NAME != ? AND (SP_APP.APP_NAME = ?) ORDER BY SP_APP.ID DESC LIMIT ?, ?|jdbc:h2:./repository/database/WSO2IDENTITY_DB

commonauth call
- The main different spotted was additional DB call to retrieve the tenant domain using the tenant id. Need to evaluate whether the caching layer got inactivated.

Authorize redirect call

Below DB calls were introduced in IS 7.0.0 version. The time consumed by the extra DB calls are ~1 millisecond.


executeQuery|SELECT OPERATION, SESSION_OBJECT, TIME_CREATED FROM IDN_AUTH_SESSION_STORE WHERE SESSION_ID =? AND SESSION_TYPE=? ORDER BY TIME_CREATED DESC LIMIT 1|jdbc:mysql://localhost:3306/reg_db_5?useSSL=false
executeUpdate|INSERT INTO IDN_AUTH_SESSION_STORE(SESSION_ID, SESSION_TYPE,OPERATION, TIME_CREATED, EXPIRY_TIME) VALUES (?,?,?,?,?)|jdbc:mysql://localhost:3306/reg_db_5?useSSL=false

mpmadhavig commented 11 months ago

Identified flows to be fixed:

[x] Skip tenant resolving logic for super tenant user.
- https://github.com/wso2/carbon-kernel/pull/3752
[x] Skip Role Based Scope Issuer scope validation by default as this is a feature used by the APIM product when the IS is acting as the key manager.
- https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/2305
- https://github.com/wso2/carbon-identity-framework/pull/5310

mpmadhavig commented 11 months ago

<15-12-2023> Correlation log Analysis findings (authorize call with code grant flow)

Initial authorize call
- [session_data.session_data_persist.session_and_temp_data_separation_enabled] config was disabled by default.
  - Fixed with https://github.com/wso2/carbon-identity-framework/pull/5335
Set of network call related to Client App related data loading. (UI related)
- No caching layer for branding preference clientt /api/server/v1/branding-preference/resolve.
  - https://github.com/wso2/carbon-identity-framework/blob/master/components/identity-mgt/org.wso2.carbon.identity.mgt.endpoint.util/src/main/java/org/wso2/carbon/identity/mgt/endpoint/util/client/BrandingPreferenceRetrievalClient.java
- All the other Data retrieval clients doesn't implement this either. But this behavior was there in the previous IS versions too.
commonauth call
- Fixed with https://github.com/wso2/carbon-kernel/pull/3752
Authorize redirect call
- The mentioned extra two queries' purpose is to clean the session entry before storing the new one.
  - https://github.com/wso2/carbon-identity-framework/pull/4478

mpmadhavig commented 10 months ago

Performance Test results IS 7.0.0 with the `latest changes added`

The following changes were done to the IS 7.0.0 alpha-SNAPSHOT before the test.

Legacy mode enabled.
IS 5.11.0 compatible configs enabled.
Removed new event handlers.
Disabled global scope validation for Role Based Scope Issuer.
Tenant resolving for Super tenant logic altered.
Session and tempt data separation enabled true by default

Result Summary

With the new changes added, the token call shows a performance improvement whereas other authorize and commonauth calls shows huge performance reduction.

mpmadhavig commented 10 months ago

Performance Test Results for `session and temp data separation enabled` in legacy mode

Added the below config in the deployment.toml file to enable the config.

[session_data.session_data_persist.session_and_temp_data_separation_enabled]
enable=true

Result Summary

Huge performance increases can be observed compared to legacy mode only results.
Authorize calls with low concurrency shows a performance drop.

mpmadhavig commented 10 months ago

Please find the comparison between the different config modes

https://docs.google.com/spreadsheets/d/1uw-pjsP9i8RlD6m8CgdOpXye4NLucH-CVpTcmIgcV2E/edit?usp=sharing

mpmadhavig commented 10 months ago

Performance Test Results Analysis based on concurrency

The below analysis done to the code grant flow authorize call.

It was observed that the average response time with zero concurrency of an authorize call of both IS-6.1.0 and IS-7.0.0 does not show much difference.
The numbers starts to deviate when the concurrency is increased.

To verify this, increased the maximum db pool count by 10 in IS 7.0.0, performance increased.

Todo: Verify this statement with data.

mpmadhavig commented 10 months ago

IS Performance Results - 2 Node 4 Core

Increased pool size
- Increased pool size to 500 as the maximum allowed concurrency is 500.
- For concurrency below 300, there are slight improvements, for 300 and above signinficant improvements can be seen as the Thread queuing is now reduced.
Scope validation removed and event listers removed cases showed the so far best results. Hence ran a test on the both cases combined.
- Combined results are lower than the independent results.

mpmadhavig commented 10 months ago

Slow query analysis

Threshold - above 500ms
SELECT APP_NAME FROM SP_APP INNER JOIN SP_INBOUND_AUTH ON SP_APP.ID = SP_INBOUND_AUTH.APP_ID WHERE INBOUND_AUTH_KEY = 'consumerKey_192' AND INBOUND_AUTH_TYPE = 'oauth2' AND SP_APP.TENANT_ID = -1234 AND SP_INBOUND_AUTH.TENANT_ID=-1234;
IS 6.1.0 also listed the above query as slow, but the frequency of listed queries were high in IS 7.0.0.
- ration 1:10
Compared to the concurrency that were set (100) the listed number of slow queries are negligible.

mpmadhavig commented 10 months ago

Thread dump Analysis

Threads on awaiting notification and timed awaiting notification states has increased in is7. On average, 176 -> 212 25 -> 42
awaiting notification is7
- Too many https-jsse-nio-9443-exec-xxx type of threads.
- Threads blocked at tomcat level.
is6
- Observed awaiting pool-xx-thread-xx
- Threads blocked at database level.
Threads are mostly blocked at tomcat level in is7.
timed awaiting notification
- Too many SQL statement cancellations. On average 32s waiting time is taken by these type of statements.

Conclusion

Check tomcat level configs.
Check db level queries behaviors.

Todo:

Conduct another slow query analysis based on average response time.

mpmadhavig commented 10 months ago

Slow query analysis - II

Concurrency - 300 Average response time of the fastest API call - ~340ms Slow query threshold - 100ms

IS 7.0.0 - Query	Average Duration (s)	Frequency
INSERT INTO IDN_AUTH_SESSION_META_DATA...	0.12	35
INSERT INTO IDN_AUTH_SESSION_APP_INFO...	0.28	32
INSERT INTO IDN_OAUTH2_TOKEN_BINDING...	0.13	31
INSERT INTO IDN_OAUTH2_ACCESS_TOKEN_SCOPE...	0.13	11
SELECT TOKEN_ID FROM IDN_OAUTH2_ACCESS_TOKEN...	0.12	6
SELECT OPERATION, SESSION_OBJECT, TIME_CREATED FROM IDN_AUTH_TEMP_SESSION_STORE...	0.23	3
SELECT UM_ROLE_NAME FROM UM_USER_ROLE, UM_ROLE, UM_USER...	0.16	5

IS 6.1.0 - Query	Average Duration (s)	Frequency
INSERT INTO IDN_AUTH_SESSION_META_DATA...	0.12	25

With the increase of the concurrency, the heavy queries such as listed above are getting slow.

mpmadhavig commented 10 months ago

Schema Analysis of the slowed tables

Query	Any changes
IDN_AUTH_SESSION_META_DATA	None
IDN_AUTH_SESSION_APP_INFO	None
IDN_OAUTH2_TOKEN_BINDING	None
IDN_OAUTH2_ACCESS_TOKEN_SCOPE	TOKEN_SCOPE field size increased from 60 -> 255
IDN_OAUTH2_ACCESS_TOKEN	New field `AUTHORIZED_ORGANIZATION VARCHAR(36) DEFAULT 'NONE' NOT NULL` , Con app key constraint updated with the new field, new index added `CREATE INDEX IDX_TBR_TS ON IDN_OAUTH2_ACCESS_TOKEN(TOKEN_BINDING_REF, TOKEN_STATE)`
IDN_AUTH_TEMP_SESSION_STORE	None

mpmadhavig commented 10 months ago

Correlation log analysis of `Send Consent Approve Request`

When doing the performance degradation analysis we used oauth code grant flow. The flow has the below 5 API calls.

Send request to authorize end point
Common Auth Login HTTP Request
Post Authentication Authorize call
Send Consent Approve Request
Get tokens

Correlation log analysis of `4. Send Consent Approve Request`

Sample Correlation log DB calls of IS 7.0.0-beta4:

|executeQuery|SELECT OPERATION, SESSION_OBJECT, TIME_CREATED FROM IDN_AUTH_TEMP_SESSION_STORE WHERE SESSION_ID =? AND SESSION_TYPE=? ORDER BY TIME_CREATED DESC LIMIT 1|jdbc:mysql://localhost:3306/reg_db_t_2?useSSL=false
|executeUpdate|INSERT INTO IDN_AUTH_TEMP_SESSION_STORE(SESSION_ID, SESSION_TYPE,OPERATION, TIME_CREATED, EXPIRY_TIME) VALUES (?,?,?,?,?)|jdbc:mysql://localhost:3306/reg_db_t_2?useSSL=false
|execute|INSERT INTO  IDN_OAUTH2_AUTHORIZATION_CODE (CODE_ID, AUTHORIZATION_CODE, CONSUMER_KEY_ID, CALLBACK_URL, SCOPE, AUTHZ_USER, USER_DOMAIN, TENANT_ID, TIME_CREATED, VALIDITY_PERIOD, SUBJECT_IDENTIFIER, PKCE_CODE_CHALLENGE, PKCE_CODE_CHALLENGE_METHOD, AUTHORIZATION_CODE_HASH, IDP_ID) SELECT ?,?,IDN_OAUTH_CONSUMER_APPS.ID,?,?,?,?,?,?,?,?,?,?,?,IDP.ID FROM IDN_OAUTH_CONSUMER_APPS, IDP WHERE CONSUMER_KEY=? AND IDP.NAME=? AND IDP.TENANT_ID=? AND IDN_OAUTH_CONSUMER_APPS.TENANT_ID=?|jdbc:mysql://localhost:3306/reg_db_t_2?useSSL=false
|executeBatch|INSERT INTO IDN_OAUTH2_AUTHZ_CODE_SCOPE (CODE_ID, SCOPE, TENANT_ID) VALUES (?,?,?)|jdbc:mysql://localhost:3306/reg_db_t_2?useSSL=false
|executeUpdate|INSERT INTO IDN_AUTH_SESSION_STORE(SESSION_ID, SESSION_TYPE, OPERATION, SESSION_OBJECT, TIME_CREATED, EXPIRY_TIME, TENANT_ID) VALUES (?,?,?,?,?,?,?)|jdbc:mysql://localhost:3306/reg_db_t_2?useSSL=false
|executeUpdate|INSERT INTO IDN_AUTH_SESSION_STORE(SESSION_ID, SESSION_TYPE, OPERATION, SESSION_OBJECT, TIME_CREATED, EXPIRY_TIME, TENANT_ID) VALUES (?,?,?,?,?,?,?)|jdbc:mysql://localhost:3306/reg_db_t_2?useSSL=false

Sample Correlation log DB calls of IS 6.1.0:

|executeUpdate|DELETE FROM IDN_AUTH_TEMP_SESSION_STORE WHERE SESSION_ID = ? AND  SESSION_TYPE = ?|jdbc:mysql://localhost:3306/reg_db_2?useSSL=false
|execute|INSERT INTO  IDN_OAUTH2_AUTHORIZATION_CODE (CODE_ID, AUTHORIZATION_CODE, CONSUMER_KEY_ID, CALLBACK_URL, SCOPE, AUTHZ_USER, USER_DOMAIN, TENANT_ID, TIME_CREATED, VALIDITY_PERIOD, SUBJECT_IDENTIFIER, PKCE_CODE_CHALLENGE, PKCE_CODE_CHALLENGE_METHOD, AUTHORIZATION_CODE_HASH, IDP_ID) SELECT ?,?,IDN_OAUTH_CONSUMER_APPS.ID,?,?,?,?,?,?,?,?,?,?,?,IDP.ID FROM IDN_OAUTH_CONSUMER_APPS, IDP WHERE CONSUMER_KEY=? AND IDP.NAME=? AND IDP.TENANT_ID=?|jdbc:mysql://localhost:3306/reg_db_2?useSSL=false
|executeBatch|INSERT INTO IDN_OAUTH2_AUTHZ_CODE_SCOPE (CODE_ID, SCOPE, TENANT_ID) VALUES (?,?,?)|jdbc:mysql://localhost:3306/reg_db_2?useSSL=false
|executeUpdate|INSERT INTO IDN_AUTH_SESSION_STORE(SESSION_ID, SESSION_TYPE, OPERATION, SESSION_OBJECT, TIME_CREATED, EXPIRY_TIME, TENANT_ID) VALUES (?,?,?,?,?,?,?)|jdbc:mysql://localhost:3306/reg_db_2?useSSL=false
|executeUpdate|INSERT INTO IDN_AUTH_SESSION_STORE(SESSION_ID, SESSION_TYPE, OPERATION, SESSION_OBJECT, TIME_CREATED, EXPIRY_TIME, TENANT_ID) VALUES (?,?,?,?,?,?,?)|jdbc:mysql://localhost:3306/reg_db_2?useSSL=false

Observations

Below new queries are getting executed:

The query

|executeUpdate|DELETE FROM IDN_AUTH_TEMP_SESSION_STORE WHERE SESSION_ID = ? AND  SESSION_TYPE = ?|jdbc:mysql://localhost:3306/reg_db_2?useSSL=false

has been replaced with

|executeQuery|SELECT OPERATION, SESSION_OBJECT, TIME_CREATED FROM IDN_AUTH_TEMP_SESSION_STORE WHERE SESSION_ID =? AND SESSION_TYPE=? ORDER BY TIME_CREATED DESC LIMIT 1|jdbc:mysql://localhost:3306/reg_db_t_2?useSSL=false
|executeUpdate|INSERT INTO IDN_AUTH_TEMP_SESSION_STORE(SESSION_ID, SESSION_TYPE,OPERATION, TIME_CREATED, EXPIRY_TIME) VALUES (?,?,?,?,?)|jdbc:mysql://localhost:3306/reg_db_t_2?useSSL=false

Explanation:

Instead of deleting the temp session data record, the record has been marked as deleted and in a separate session data cleaner, these records are being removed. By the time of perf test execution this clean up task is not happening causing the DB to contain huge number of temp session data records.

mpmadhavig commented 10 months ago

Performance test results - 2 Node 4 Core - All improvements added + Internal session data clean up enabled by default

https://github.com/wso2/carbon-identity-framework/pull/5362

[session_data.cleanup]
enable_expired_data_cleanup = true
clean_logged_out_sessions_at_immediate_cycle = true
enable_pre_session_data_cleanup = true

Results Summary

Improvements can be seen in results. But not significant enough to be the root cause of the perf drop.

mpmadhavig commented 10 months ago

Correlation log analysis of `Post Authentication Authorize call`

6.1.0 extra queries

|executeQuery|SELECT CONSENTED_SCOPES.SCOPE, CONSENTED_SCOPES.CONSENT FROM IDN_OAUTH2_USER_CONSENT USER_CONSENT, IDN_OAUTH2_USER_CONSENTED_SCOPES CONSENTED_SCOPES WHERE USER_CONSENT.USER_ID = ? AND USER_CONSENT.APP_ID = ? AND USER_CONSENT.TENANT_ID = ? AND USER_CONSENT.CONSENT_ID = CONSENTED_SCOPES.CONSENT_ID
|executeUpdate|INSERT INTO IDN_AUTH_TEMP_SESSION_STORE(SESSION_ID, SESSION_TYPE, OPERATION, SESSION_OBJECT, TIME_CREATED, EXPIRY_TIME, TENANT_ID) VALUES (?,?,?,?,?,?,?)

7.0.0 extra queries

|executeQuery|SELECT UUID FROM SP_APP INNER JOIN SP_INBOUND_AUTH ON SP_APP.ID = SP_INBOUND_AUTH.APP_ID WHERE INBOUND_AUTH_KEY = ? AND INBOUND_AUTH_TYPE = ? AND SP_APP.TENANT_ID = ? AND SP_INBOUND_AUTH.TENANT_ID=?|jdbc:mysql://localhost:3306/reg_db_1?useSSL=false
|executeQuery|SELECT FILTEREDSCOPES.NAME, FILTEREDSCOPES.DISPLAY_NAME, FILTEREDSCOPES.DESCRIPTION, IDN_CLAIM.CLAIM_URI FROM (SELECT * FROM IDN_OAUTH2_SCOPE WHERE IDN_OAUTH2_SCOPE.TENANT_ID=? AND IDN_OAUTH2_SCOPE.SCOPE_TYPE=?) FILTEREDSCOPES LEFT JOIN IDN_OIDC_SCOPE_CLAIM_MAPPING ON IDN_OIDC_SCOPE_CLAIM_MAPPING.SCOPE_ID = FILTEREDSCOPES.SCOPE_ID LEFT JOIN IDN_CLAIM ON IDN_CLAIM.ID = IDN_OIDC_SCOPE_CLAIM_MAPPING.EXTERNAL_CLAIM_ID LEFT JOIN IDN_CLAIM_DIALECT ON IDN_CLAIM_DIALECT.ID = IDN_CLAIM.DIALECT_ID WHERE FILTEREDSCOPES.TENANT_ID = ? AND (IDN_CLAIM_DIALECT.TENANT_ID = ? AND IDN_CLAIM_DIALECT.DIALECT_URI = ?) OR (IDN_CLAIM_DIALECT.DIALECT_URI IS NULL AND IDN_CLAIM_DIALECT.TENANT_ID IS NULL)|jdbc:mysql://localhost:3306/reg_db_1?useSSL=false
|executeQuery|SELECT MAIN_APP_ID FROM SP_SHARED_APP WHERE SHARED_APP_ID = ?|jdbc:mysql://localhost:3306/reg_db_1?useSSL=false
|executeQuery|SELECT POLICY_ID, SCOPE_NAME FROM AUTHORIZED_API JOIN AUTHORIZED_SCOPE ON AUTHORIZED_API.APP_ID = AUTHORIZED_SCOPE.APP_ID AND AUTHORIZED_API.API_ID = AUTHORIZED_SCOPE.API_ID WHERE AUTHORIZED_API.APP_ID = ?|jdbc:mysql://localhost:3306/reg_db_1?useSSL=false
|executeQuery|SELECT ID, NAME, DISPLAY_NAME, DESCRIPTION, API_ID, TENANT_ID FROM SCOPE WHERE  TENANT_ID = ?|jdbc:mysql://localhost:3306/reg_db_1?useSSL=false
|executeQuery|SELECT CONSENTED_SCOPES.SCOPE, CONSENTED_SCOPES.CONSENT FROM IDN_OAUTH2_USER_CONSENT USER_CONSENT, IDN_OAUTH2_USER_CONSENTED_SCOPES CONSENTED_SCOPES WHERE USER_CONSENT.USER_ID = ? AND USER_CONSENT.APP_ID = ? AND USER_CONSENT.TENANT_ID = ? AND USER_CONSENT.CONSENT_ID = CONSENTED_SCOPES.CONSENT_ID|jdbc:mysql://localhost:3306/reg_db_1?useSSL=false
|executeUpdate|INSERT INTO IDN_AUTH_TEMP_SESSION_STORE(SESSION_ID, SESSION_TYPE, OPERATION, SESSION_OBJECT, TIME_CREATED, EXPIRY_TIME, TENANT_ID) VALUES (?,?,?,?,?,?,?)|jdbc:mysql://localhost:3306/reg_db_1?useSSL=false

Observations

The extra queries listed in 7.0.0 logs are related to new Authorization model.
Most of the queries are expensive table join queries.

Conclusion

The delay is expected.
But the following improvements can be done to optimize the logic.
- https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/2312
- https://github.com/wso2/product-is/issues/18860

mpmadhavig commented 10 months ago

Perf analysis for https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/2312

In this patch we drop scope validation for openid scopes and invalid scopes.
Any user who sends a non-openid registered scope will go through this flow.
- This perf drop is expected.

mpmadhavig commented 10 months ago

Next Task plan

[x] Stabilize master branch of performance-is repository.
- https://github.dev/wso2/performance-is/pull/150
[x] Run the same test for all 4 node configurations.
[x] Run the full test plan for 2 node 4 core config and do the analysis.

mpmadhavig commented 9 months ago

Perf analysis for https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/2324

In this patch removed unnecessary scope validation logic added.
Showed a performance increase since we managed to reduce 2 db queries.

mpmadhavig commented 9 months ago

Perf analysis for https://github.com/wso2/carbon-identity-framework/pull/5404

In this patch we execute application role retrieval related logic only if role claim is present in claim mappings.
As we do not request any roles in our test cases, showed a performance increase.

mpmadhavig commented 8 months ago

Action Items

[x] Collect Test results for GA pack - Old Representation.
[x] Collect Test results for GA pack - New Representation.
[ ] Evaluate the test results deviation of different test runs.
[x] https://github.com/wso2/product-is/issues/19855
[ ] https://github.com/wso2/product-is/issues/19977
[ ] https://github.com/wso2/product-is/issues/18936
[x] https://github.com/wso2/performance-is/pull/158
[ ] https://github.com/wso2/product-is/issues/20081

isharak commented 3 days ago

This issue is being closed due to extended inactivity. Please feel free to reopen it if further attention is needed. Thank you for helping us keep the issue list relevant and focused!

wso2 / product-is