User UUID Changes on Import

So I’ve been running a standalone instance of Keycloak on a VPC for many months, but now we’re switching over to deploying Keycloak on Kubernetes.

It’s fairly straightforward to migrate over data, however I’ve run into a hitch.

When importing users, their UUIDs are regenerated. The .json export shows the correct UUID, but once imported it’s changed.

We have other systems tying to these UUIDs, so having them change would be quite a large hassle to go through.

Is there any way to avoid this?

For anyone else that comes across this, here was my solution:

As you can see on line 113 of https://github.com/rmartinc/keycloak/blob/6f420d2c50144098ac6f03e26141a385db0509dc/services/src/main/java/org/keycloak/partialimport/UsersPartialImport.java, partial import generates a new user ID. Perhaps one could build a new image with this line changed…

However I just used the standalone to go through the ‘full’ import execution path.

I used docker and executed something like:

docker run --rm \
    --name keycloak_importer \
    -v /tmp:/tmp/keycloak-import \
    -e POSTGRES_DATABASE=** \
    -e POSTGRES_PASSWORD=** \
    -e POSTGRES_USER=** \
    -e DB_VENDOR=POSTGRES \
    -e DB_ADDR=** \
    -e DB_PORT=** \
    jboss/keycloak \
    -Dkeycloak.migration.action=import \
    -Dkeycloak.migration.provider=singleFile \
    -Dkeycloak.migration.file=/tmp/keycloak-import/test.json
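
A way to confirm whether an import preserved user IDs, as an added example that is not part of the original posts: it compares the `users` entries of the original export with a re-export taken from the new instance. The function names and sample data are constructed for illustration, and it assumes each realm in the export carries a `realm` name and a `users` array with `id` and `username` fields.

```python
import json
import sys


def user_ids(export):
    """Map (realm, username) -> user id for a parsed Keycloak export.

    Accepts a single realm object or a list of realms (assumed layout:
    each realm has "realm" and a "users" array with "id"/"username").
    """
    realms = export if isinstance(export, list) else [export]
    ids = {}
    for realm in realms:
        for user in realm.get("users", []):
            ids[(realm.get("realm", ""), user["username"])] = user.get("id")
    return ids


def diff_user_ids(before, after):
    """Return (changed, missing) between two parsed exports.

    changed: {(realm, username): (old_id, new_id)} where the id differs
    missing: sorted (realm, username) keys absent from the second export
    """
    old, new = user_ids(before), user_ids(after)
    changed = {k: (old[k], new[k])
               for k in old.keys() & new.keys() if old[k] != new[k]}
    missing = sorted(old.keys() - new.keys())
    return changed, missing


# Constructed sample exports (not real data): bob's id was regenerated,
# carol was not imported at all.
BEFORE = {"realm": "demo", "users": [
    {"id": "11111111-0000-4000-8000-000000000001", "username": "alice"},
    {"id": "22222222-0000-4000-8000-000000000002", "username": "bob"},
    {"id": "33333333-0000-4000-8000-000000000003", "username": "carol"}]}
AFTER = [{"realm": "demo", "users": [
    {"id": "11111111-0000-4000-8000-000000000001", "username": "alice"},
    {"id": "99999999-0000-4000-8000-000000000009", "username": "bob"}]}]

if __name__ == "__main__":
    # Usage: script.py old-export.json new-export.json (else sample data)
    docs = [json.load(open(p)) for p in sys.argv[1:3]] or [BEFORE, AFTER]
    changed, missing = diff_user_ids(*docs)
    for (realm, name), (old_id, new_id) in sorted(changed.items()):
        print(f"CHANGED {realm}/{name}: {old_id} -> {new_id}")
    for realm, name in missing:
        print(f"MISSING {realm}/{name}")
    sys.exit(1 if changed or missing else 0)
```

The non-zero exit status on any changed or missing user lets the check gate a migration before downstream systems that key on the UUID are pointed at the new instance.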

Thanks for sharing, I’ve hit something similar…

This didn’t happen in older versions, but in 10.0.2 and 11.0.3 I get UUID changes as well. Not just when importing a JSON export, but even after full db dump/restore… “simple” things like attribute or action changes (e.g. add OTP action to existing user) re-generate the UUID.

This also broke some of our apps…but after a lot of testing I was starting to think we were crazy for tying anything to an internal ID – so thanks for confirming we’re at least not alone!