Import export doesn't work when authorization is activated

Just posting this here because I don’t have a Red Hat account to comment on the Jira issues.

As can be seen in these issues:

  • [KEYCLOAK-18682] Cannot import clients if there is a client with Authorization enabled
  • [KEYCLOAK-12400] Deprecating uploading scripts affects Import/Export Authorization Settings
  • [KEYCLOAK-14543] It is not possible to export and then import client with default authorization settings

Steps to reproduce the problem are really simple:

  1. create a client
  2. activate authorization on the client
  3. export the realm (using [...] -Dkeycloak.migration.action=export [...])
  4. import the realm (using the same kind of command)

Bam exception. java.lang.RuntimeException: Script upload is disabled

This is explained in the issues linked above: when you activate authorization, Keycloak creates an empty policy that is JavaScript.
When you export, it exports fine.
When you import, no such luck, because script upload is disabled. So, exception.

My problem with this is an overall tool behavior. I think it’s not normal for any tool to offer export and import, and that in any situation just doing both fails, without any modification of the exported file or of the tool itself. It’s fine to restrict, but the tool should stay consistent.

My suggestions: either…

  • …fail to export with scripts
  • …or silently ignore scripts at export
  • …or offer an explicit option to export with or without scripts ← best solution, because it fails when it should and lets the user choose knowingly
  • …or offer to import without scripts
  • …or import silently but without scripts, and create a default policy if needed

As it is, the working is asymmetrical: you can export and import and fail.

You can try adding -Dkeycloak.profile.feature.upload_scripts=enabled when exporting and importing.

Yes, I know, and it works.

But the same Keycloak launched with the same params is inconsistent.

To be clear, I understand the choice, I just think it’s bad because it makes the tool inconsistent.
I think there should be at the minimum a warning at export saying that the same Keycloak won’t be able to import what is exported.
(It’s bad enough that the UI export/import is not the same as the CLI one 🙂)

OK, maybe this is just a rant. YMMV I suppose.
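
A pre-import check for the failure discussed in this thread, added here as an example and not code from Keycloak or from the posters: it lists the JavaScript policies in a realm export so the `Script upload is disabled` exception can be anticipated before the import is run. The JSON field names (`clients`, `authorizationSettings`, `policies`, `type` equal to `js`) and the sample export are assumptions constructed for illustration.

```python
import json

# Constructed sample: a trimmed realm export with one authorization-enabled
# client. Field names are the assumed layout of a realm export file
# (clients[].authorizationSettings.policies[].type).
SAMPLE_EXPORT = json.dumps({
    "realm": "demo",
    "clients": [
        {"clientId": "plain-client"},
        {
            "clientId": "authz-client",
            "authorizationSettings": {
                "policies": [
                    {"name": "Default Policy", "type": "js",
                     "config": {"code": "$evaluation.grant();"}},
                    {"name": "Default Permission", "type": "resource",
                     "config": {"applyPolicies": "[\"Default Policy\"]"}},
                ]
            },
        },
    ],
})


def find_script_policies(export_text):
    """Return (clientId, policy name) for every JavaScript policy in an export."""
    data = json.loads(export_text)
    # Accept either a single realm object or a list of realm objects.
    realms = data if isinstance(data, list) else [data]
    hits = []
    for realm in realms:
        for client in realm.get("clients") or []:
            settings = client.get("authorizationSettings") or {}
            for policy in settings.get("policies") or []:
                if policy.get("type") == "js":
                    hits.append((client.get("clientId"), policy.get("name")))
    return hits


def import_will_need_script_upload(export_text):
    """True when the export carries script policies an import would reject."""
    return bool(find_script_policies(export_text))


if __name__ == "__main__":
    for client_id, policy in find_script_policies(SAMPLE_EXPORT):
        print(f"client {client_id!r}: policy {policy!r} is a script policy")
```

Running a check like this on the exported file gives the warning the thread asks for: the export is known to contain scripts before the import is attempted.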