 

Import realm in Keycloak:18.x

Tags:

keycloak

I cannot import any realms into Keycloak 18.0.0. That's the Quarkus, and not the Wildfly distribution anymore. Documentation here says it should be pretty simple, and by mounting my exported realm.json file into /opt/keycloak/data/import/...json it actually TRIES to import it, but it ends with:

"[org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Script upload is disabled".

Known to be removed, and the old -Dkeycloak.profile.feature.upload_scripts=enabled won't work anymore. OK. But then what's the way to import any realms on startup? That'd be used to distribute a ready-made local stack without any handcrafting needed to launch. I could do it by running SQL commands, but that's way too hacky for my taste.

Compose file:

  cp-keycloak:
    image: quay.io/keycloak/keycloak:18.0.0
    environment:
      KC_DB: mysql
      KC_DB_URL: jdbc:mysql://cp-keycloak-database:3306/keycloak
      KC_DB_USERNAME: root
      KC_DB_PASSWORD: root
      KC_HOSTNAME: localhost
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
    ports:
      - 8082:8080
    volumes:
      - ./data/local_stack/init.keycloak.json:/opt/keycloak/data/import/main-realm.json:ro
    entrypoint: "/opt/keycloak/bin/kc.sh start-dev --import-realm"

The output:

cp-keycloak_1           | 2022-05-05 14:07:26,801 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (development) mode
cp-keycloak_1           | 2022-05-05 14:07:26,802 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to import realm: Main-Realm
cp-keycloak_1           | 2022-05-05 14:07:26,803 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Script upload is disabled

Thanks

Skrew asked Dec 02 '25 19:12


2 Answers

This might be because inside your realm .json there are references to some configuration that uses the deprecated upload script feature.

Try to remove it, export the JSON and then try to import it again (this time without the upload script feature).

From the comments (credits to jfrantzius): 

See here for what you either need to remove or replace in your realm-export.json: https://github.com/keycloak/keycloak/issues/11664#issuecomment-1111062102 . We had to replace the entries, see also here https://github.com/keycloak/keycloak/discussions/12041#discussioncomment-2768768

dreamcrash answered Dec 06 '25 03:12


For me only changing the js policy to regex policy for Keycloak 24.0.4 worked and is cleaner for this Default Policy IMO.

  {
    "id": "b56eebd7-8e73-4449-b110-30dfdbc77f03",
    "name": "Default Policy",
    "description": "A policy that grants access only for users within this realm",
    "type": "js",
    "logic": "POSITIVE",
    "decisionStrategy": "AFFIRMATIVE",
    "config": {
      "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
    }
  },

for:

  {
    "id": "b56eebd7-8e73-4449-b110-30dfdbc77f03",
    "name": "Default Policy",
    "description": "A policy that grants access only for users within this realm",
    "type": "regex",
    "logic": "POSITIVE",
    "decisionStrategy": "AFFIRMATIVE",
    "config": {
      "targetContextAttributes" : "false",
      "pattern" : ".*",
      "targetClaim" : "sub"
    }
  },

aemaem answered Dec 06 '25 03:12
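
An added example (not part of either answer and not Keycloak's own code): a Python sketch that applies the second answer's substitution to a realm export before import. It converts only `js` policies whose script is a bare `$evaluation.grant();` and lists every other script policy for manual review, so custom authorization logic is never silently widened to grant-all. The `clients[].authorizationSettings.policies[]` layout, the sample realm and the client name are assumptions constructed for illustration.

```python
# Constructed sample shaped like a realm export; only the fields used here.
SAMPLE_REALM = {
    "realm": "Main-Realm",
    "clients": [{
        "clientId": "example-client",  # hypothetical client name
        "authorizationSettings": {"policies": [
            {"name": "Default Policy", "type": "js", "logic": "POSITIVE",
             "config": {"code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"}},
            {"name": "Custom Policy", "type": "js", "logic": "POSITIVE",
             "config": {"code": "if ($evaluation.getContext()) { $evaluation.grant(); }"}},
            {"name": "Default Permission", "type": "resource", "config": {}},
        ]},
    }],
}

# Replacement config taken from the answer above.
REGEX_CONFIG = {"targetContextAttributes": "false", "pattern": ".*", "targetClaim": "sub"}


def is_grant_all(code):
    """True only when the script, minus comments and blank lines, is a bare grant."""
    lines = [ln.strip() for ln in code.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("//")]
    return lines == ["$evaluation.grant();"]


def rewrite_js_policies(realm):
    """Convert grant-all js policies in place; return (converted, needs_review)."""
    converted, needs_review = [], []
    for client in realm.get("clients") or []:
        settings = client.get("authorizationSettings") or {}
        for policy in settings.get("policies") or []:
            if policy.get("type") != "js":
                continue
            label = f'{client.get("clientId")}/{policy.get("name")}'
            if is_grant_all((policy.get("config") or {}).get("code", "")):
                policy["type"] = "regex"
                policy["config"] = dict(REGEX_CONFIG)
                converted.append(label)
            else:
                # Custom logic cannot be mapped mechanically; leave it for a human.
                needs_review.append(label)
    return converted, needs_review


if __name__ == "__main__":
    done, todo = rewrite_js_policies(SAMPLE_REALM)
    print("converted:", done, "| needs manual review:", todo)
```

Anything reported under manual review is still script-based and has to be removed or replaced by hand before the export is mounted into /opt/keycloak/data/import/.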


