View Issue Details

ID: 0006140
Project: SOGo
Category: Backend General
View Status: public
Last Update: 2025-07-17 06:42
Reporter: jordi
Assigned To: qhivert
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 5.12.2
Summary: 0006140: Performance degradation when using oidc authentication
Description

We switched our production instance to authenticate via OIDC, but retaining our LDAP user and group sources in order to have groups and caldav access.

After doing this, browsing the web app was very slow, in a magnitude of 4x slower. For example, switching from 1 month to the next one in the calendar view went from ~150ms to ~800ms.

Just going back to the normal auth made the performance go back to normal.

IdP is based on Keycloak.

Tags: No tags attached.

Activities

qhivert

2025-07-16 11:02

administrator   ~0018303

Hello,
Can you give me your sogo's openid config?
Have you set SOGoOpenIdTokenCheckInterval to a specific value?
Do you know what is the lifespan of the access_token?

jordi

2025-07-16 11:28

reporter   ~0018304

Hey,

//  SOGoAuthenticationType = openid;
//  SOGoOpenIdConfigUrl = "https://sso.example.com/realms/example/.well-known/openid-configuration";
//  SOGoOpenIdClient = sogo;
//  SOGoOpenIdClientSecret = supersecret;
//  SOGoOpenIdScope = "openid profile email";
//  SOGoOpenIdEmailParam = email;
//  SOGoOpenIdLogoutEnabled = YES;
//  SOGoXSRFValidationEnabled = NO;

We don't set SOGoOpenIdTokenSetInterval to any value, we use whatever is the default.

Our access token lifespan is currently set to 6 hours.

image.png (27,119 bytes)
qhivert

2025-07-16 11:55

administrator   ~0018305

Could you try to set
SOGoOpenIdTokenSetInterval = 60;
Its default value is 0, meaning that for each request made to the backend, sogo will check the validity of the token (meaning a request to the openid server). And sogo can make a lot of requests to show a page.
This param tells sogo the number of seconds it can wait before revalidating a token, to avoid all these openid requests. Maybe it will fix the latency.
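
Added example, not part of the thread and not SOGo code: a small Python model of the interval-based revalidation described in the note above. It counts requests to the identity provider and shows the security side of the setting, namely how long a token revoked at the IdP keeps being accepted from cache. `FakeIdP`, `TokenChecker`, `simulate` and all traffic figures are constructed for illustration.

```python
# Added illustration: a model of interval-based token revalidation, not SOGo source.
from dataclasses import dataclass, field


@dataclass
class FakeIdP:
    """Constructed stand-in for the OpenID provider; counts validation calls."""
    revoked: set = field(default_factory=set)
    calls: int = 0

    def is_valid(self, token: str) -> bool:
        self.calls += 1
        return token not in self.revoked


class TokenChecker:
    """Asks the IdP about a token at most once per `interval` seconds."""

    def __init__(self, idp: FakeIdP, interval: int):
        self.idp = idp
        self.interval = interval
        self._cache = {}  # token -> (time of last IdP check, result)

    def check(self, token: str, now: int) -> bool:
        cached = self._cache.get(token)
        if cached is not None and now - cached[0] < self.interval:
            return cached[1]  # cached verdict, no IdP round trip
        result = self.idp.is_valid(token)
        self._cache[token] = (now, result)
        return result


def simulate(interval: int, requests_per_page: int = 20, pages: int = 30,
             seconds_per_page: int = 10, revoke_at: int = 100):
    """Return (IdP calls, seconds after revocation of the last accepted request)."""
    idp = FakeIdP()
    checker = TokenChecker(idp, interval)
    last_accepted = None
    for page in range(pages):
        now = page * seconds_per_page
        if now >= revoke_at:
            idp.revoked.add("tok")  # session ended at the IdP
        for _ in range(requests_per_page):
            if checker.check("tok", now) and now >= revoke_at:
                last_accepted = now
    return idp.calls, 0 if last_accepted is None else last_accepted - revoke_at


if __name__ == "__main__":
    for interval in (0, 60, 300):
        calls, stale = simulate(interval)
        print(f"interval={interval:>3}s idp_calls={calls:>3} accepted_after_revocation={stale}s")
```

In this model the interval is an upper bound on how long a logout or revocation at the IdP goes unnoticed, so it should be chosen against that tolerance as well as against latency.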

jordi

2025-07-16 12:20

reporter   ~0018306

Oh, doh. I wasn't aware the interval's default was zero facepalm. After setting it to 60, things are apparently holding up, in the staging server. Thanks for the pointer, I think we can close this for now!

Issue History

Date Modified Username Field Change
2025-07-16 10:36 jordi New Issue
2025-07-16 11:02 qhivert Note Added: 0018303
2025-07-16 11:02 qhivert Assigned To => qhivert
2025-07-16 11:02 qhivert Status new => feedback
2025-07-16 11:28 jordi Note Added: 0018304
2025-07-16 11:28 jordi File Added: image.png
2025-07-16 11:28 jordi Status feedback => assigned
2025-07-16 11:55 qhivert Note Added: 0018305
2025-07-16 11:55 qhivert Status assigned => feedback
2025-07-16 12:20 jordi Note Added: 0018306
2025-07-16 12:20 jordi Status feedback => assigned
2025-07-17 06:42 qhivert Status assigned => resolved
2025-07-17 06:42 qhivert Resolution open => fixed