Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
oidc
Describe the bug
We have an issue where the endpoint keycloak: POST /realms/{realm}/protocol/{protocol}/token
is taking upwards of 8 seconds to complete, causing timeouts on some of our clients.
We enabled tracing and it seems to be the function TokenEndpoint.processGrantRequest
where the latency is occurring.
We have recently upgraded from this version (from a very old version 18) where this error did not occur.
Output of kc.sh show-config:
Appending additional Java properties to JAVA_OPTS
Current Mode: production
Current Configuration:
kc.bootstrap-admin-password = ******* (ENV)
kc.bootstrap-admin-username = <admin_user> (ENV)
kc.cache = ispn (keycloak.conf)
kc.cache-stack = kubernetes (keycloak.conf)
kc.db = postgres (keycloak.conf)
kc.db-password = ******* (keycloak.conf)
kc.db-url = jdbc:postgresql://keycloak-postgres.keycloak.svc.cluster.local:5432/<database_name>?currentSchema=public (keycloak.conf)
kc.db-username = <database_name> (keycloak.conf)
kc.features = scripts,token-exchange (ENV)
kc.health-enabled = false (keycloak.conf)
kc.hostname = https://auth.example.com/auth (keycloak.conf)
kc.hostname-admin = https://keycloak.example.com:443/auth (keycloak.conf)
kc.hostname-strict = false (keycloak.conf)
kc.http-enabled = true (keycloak.conf)
kc.http-port = 8080 (keycloak.conf)
kc.http-relative-path = /auth/ (keycloak.conf)
kc.https-port = 8443 (keycloak.conf)
kc.log-console-output = default (keycloak.conf)
kc.log-level = WARN (keycloak.conf)
kc.metrics-enabled = true (keycloak.conf)
kc.provider.file.custom-policy-spi-1.0.2.jar.last-modified = 1744191322222 (Persisted)
kc.provider.file.keycloak-metrics-spi-7.0.0.jar.last-modified = 1744191321450 (Persisted)
kc.proxy-headers = xforwarded (keycloak.conf)
kc.spi-admin-realm = master (ENV)
kc.spi-connections-infinispan-quarkus-stack = kubernetes (keycloak.conf)
kc.spi-hostname-v2-hostname = https://auth.example.com/auth (keycloak.conf)
kc.spi-hostname-v2-hostname-admin = https://keycloak.example.com:443/auth (keycloak.conf)
kc.spi-hostname-v2-hostname-strict = false (keycloak.conf)
kc.tracing-enabled = true (ENV)
kc.tracing-endpoint = http://jaeger-inmemory-collector:4317 (ENV)
kc.version = 26.1.3 (SysPropConfigSource)
Version
v26.1.3
Regression
- The issue is a regression
Expected behavior
We would assume this call should be fairly quick
Actual behavior
It takes a long time
How to Reproduce?
We are running the Bitnami Helm chart but use the Keycloak image.
We install this via ArgoCD in three environments (all the environments are having this issue).
We have it behind Traefik, but we have internal services that call Keycloak on the cluster DNS name http://keycloak.keycloak.svc.cluster.local:8080
Anything else?
We do have a custom Policy installed, although I'm not sure if that would have an effect?
We also seem to get this warning for these requests:
Non-secure context detected; cookies are not secured, and will not be available in cross-origin POST requests