@pruivo - great work, and also great documentation to show the results.

The comment from @sguilhen reminded me that there might be one more possible optimization: If you do a count(...) (but not a count(distinct ...) you can apply first a LIMIT as shown here:

So if one would rephrase the question from "give me the number of users" to "give me the number of users, but don't count more than X entries",

At the same time, I think the results of this PR are good enough, and I'll be happy to fully review and merge it once the build is green. At the moment, it seems to be blocked by Maven central not returning artifacts reliably.

@ahus1 unfortunately, you cannot do COUNT(*) with the JPA query builder. I've not found a way to use it, but it reduces the query time by half.

In any case, that trick is slower with my dataset (am I doing it right?). Using the PgAdmin explain feature, I get the following response times (the first one is the query that Hibernate creates)

• ~120ms: select count(u.id) from public.user_entity as u where u.service_account_client_link is null and u.realm_id = 'realm-0'
• ~50ms: select count(*) from (SELECT 1 from public.user_entity as u where u.service_account_client_link is null and u.realm_id = 'realm-0' limit 10)
• ~45ms: select count(*) from public.user_entity as u where u.service_account_client_link is null and u.realm_id = 'realm-0'

@pruivo - thank you for the additional input. The SQL looks good, but explain vs the real execution might still differ. It might not make much of a different for 1 M users, maybe only when we go to 30 M users.

Let's assume the current changes are good enough and proceed with PR as you originally suggested.

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.webauthn.passwordless.PasskeysUsernameFormTest#webauthnLoginWithDiscoverableKey_reauthentication

Keycloak CI - WebAuthn IT

java.lang.AssertionError: Expected AppPage but was localhost (https://localhost:8543/auth/realms/test/login-actions/authenticate?session_code=0kCzL6ZpniPPRBOr_IORUErCqz8MsvDOJblmbivUo3w&execution=ac1c89c6-9ff6-48b0-bfc8-0c7a56e60764&client_id=test-app&tab_id=UsoDTfRN444&client_data=eyJydSI6Imh0dHBzOi8vbG9jYWxob3N0Ojg1NDMvYXV0aC9yZWFsbXMvbWFzdGVyL2FwcC9hdXRoIiwicnQiOiJjb2RlIn0)
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.assertTrue(Assert.java:42)
	at org.keycloak.testsuite.pages.AbstractPage.assertCurrent(AbstractPage.java:39)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
...

Report flaky test