Performance problem with OIDC

This topic has 4 replies, 3 voices, and was last updated 5 years, 2 months ago by Frotonis.


    Hi guys,

    I am trying to solve a delicate problem that I cannot handle without help, I think.

    I have configured and implemented OIDC on my OpenAM instances (two nodes). I installed and configured an external CTS on OpenDJ 3.0 (step by step from the documentation).

    I ran a performance test using HP loader, and while about 60 people are connected at a time (one person per 5 seconds), everything looks, let's say, fine. But when more users try to use OIDC (login works properly) and reach the access_token endpoint, there is an unexpected delay.

    Is there anybody who has faced a similar problem?

    Just for the curious: the external CTS was installed and configured after the performance problem was first detected.

    Thanks for help


    Every token is written to the CTS persistence store (default implementation: OpenDJ). So you first need to use ldaptools to verify you get enough update (create, mod, delete) throughput there.

    Due to potential replication delay you can only point all OpenAM instances to a single OpenDJ instance (failover via OpenAM).

    Newer versions of (Open)AM offer stateless OIDC.



    I have just one instance of the CTS store, but the Configuration/DataStore is on OpenDJ 2.6.0. Could the performance problem be caused by this old version of OpenDJ?

    Over the whole performance test, the times to create an authorization code, create an OpenIDToken, a refresh token and so on increase linearly. I feel lost now. What to do? Once per day or two I have to restart the server to be able to work properly via OIDC.

     Gentjan Kocaqi

    Well, another thing you should do is tune your CTS, in combination with what @thalmayr-bernhard suggested to you. What is the current configuration of your CTS?


    Hi guys,

    Thanks for the answers. I found a problem on the LDAP instance where the configuration is stored. The problem was caused by referential integrity being enabled on one instance of LDAP. Because removing the existing tokens took 10 or more seconds, the OpenAM instances were unable to perform searches, which caused destabilisation of the whole OpenAM integration.
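
The resolution above (token deletes taking 10 or more seconds and starving searches) is the kind of problem that shows up in the directory server's access log as high `etime` values on result lines. The following is an added example, not part of the thread: it assumes the OpenDJ file-based access log layout and `etime` in milliseconds, and the sample lines and the `summarize` and `slow_operations` helpers are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread). Layout assumed to match the
# OpenDJ file-based access log; etime assumed to be in milliseconds.
SAMPLE_LOG = """\
[12/Jan/2017:10:00:01 +0100] SEARCH RES conn=7 op=101 msgID=102 result=0 nentries=1 etime=2
[12/Jan/2017:10:00:02 +0100] ADD RES conn=7 op=102 msgID=103 result=0 etime=4
[12/Jan/2017:10:00:03 +0100] DELETE RES conn=8 op=55 msgID=56 result=0 etime=10342
[12/Jan/2017:10:00:14 +0100] DELETE RES conn=8 op=56 msgID=57 result=0 etime=12010
[12/Jan/2017:10:00:15 +0100] SEARCH RES conn=9 op=12 msgID=13 result=0 nentries=0 etime=8450
[12/Jan/2017:10:00:16 +0100] MODIFY RES conn=7 op=103 msgID=104 result=0 etime=3
"""

RES_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<op>[A-Z]+)\s+RES\s+(?P<rest>.*)$")
ETIME = re.compile(r"\betime=(\d+)\b")

def summarize(log_text, slow_ms=1000):
    """Per operation type: result count, worst etime, and count of slow results."""
    stats = defaultdict(lambda: {"count": 0, "max_ms": 0, "slow": 0})
    for line in log_text.splitlines():
        m = RES_LINE.match(line)
        if not m:
            continue  # request lines, connects, disconnects, malformed lines
        e = ETIME.search(m.group("rest"))
        if not e:
            continue  # result line without a timing field
        ms = int(e.group(1))
        s = stats[m.group("op")]
        s["count"] += 1
        s["max_ms"] = max(s["max_ms"], ms)
        s["slow"] += ms >= slow_ms
    return dict(stats)

def slow_operations(log_text, slow_ms=1000):
    """Operation types with at least one result at or above the threshold."""
    return sorted(op for op, s in summarize(log_text, slow_ms).items() if s["slow"])

if __name__ == "__main__":
    for op, s in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{op:8} count={s['count']} max_ms={s['max_ms']} slow={s['slow']}")
```

Slow DELETE results appearing together with slow SEARCH results on the same instance match the pattern described in the last post.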
