Overview – Quarkus becomes default distribution
In Keycloak 17 the default distribution is now powered by Quarkus. The legacy WildFly-powered distribution will still be around until June 2022, but we highly recommend starting the migration as soon as possible.
The new distribution introduces a number of breaking changes, including:
- Configuring Keycloak has significantly changed
- For details read: https://www.keycloak.org/migration/migrating-to-quarkus
- Quarkus is not an application server, but rather a framework to build applications
- /auth removed from the default context path
- The deprecated upload-script feature was removed
- Keycloak 17 is missing an important feature: importing a realm during startup
- This was fixed with Keycloak 18
Importing a Realm during Startup with docker
Reference: https://www.keycloak.org/server/importExport
You are also able to import realms when the server is starting by using the --import-realm option.
bin/kc.[sh|bat] start --import-realm
When you set the --import-realm option, the server is going to try to import any realm configuration file from the data/import directory. Each file in this directory should contain a single realm configuration.
If a realm already exists in the server, the import operation is skipped.
The import realm options in short:
- The realm export file needs to be mapped to /opt/keycloak/data/import
- Each realm export file should contain a single realm configuration
- If the realm already exists, the import operation is skipped.
Validate Realm File
$ ls -l D:/dev/Quarkus/Keycloak/quarkus-keycloak-authorization-sample/import
-rw-r--r-- 1 Helmut None 78210 Apr 26 11:05 RBAC-realm.json
Start Docker to import Realm File on first startup
$ docker run --name keycloak -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin -p 8280:8080 -p 8543:8443 \
    -v "D:/dev/Quarkus/Keycloak/quarkus-keycloak-authorization-sample/import:/opt/keycloak/data/import" \
    quay.io/keycloak/keycloak:18.0.0 start-dev --import-realm --http-relative-path=auth
Potential Problem: Older Exports from keycloak 16.x.x may fail with ERROR: Script upload is disabled
2022-04-28 12:24:15,608 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (development) mode
2022-04-28 12:24:15,608 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to import realm: RBAC
2022-04-28 12:24:15,608 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Script upload is disabled
Fix your old Import File
- Follow: https://github.com/keycloak/keycloak/issues/11664
- Remove the following policies
"policies": [
  {
    "id": "b56eebd7-8e73-4449-b110-30dfdbc77f03",
    "name": "Default Policy",
    "description": "A policy that grants access only for users within this realm",
    "type": "js",
    "logic": "POSITIVE",
    "decisionStrategy": "AFFIRMATIVE",
    "config": {
      "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
    }
  },
  { ... },
  {
    "id": "1428ae4c-b767-41b9-aaf9-bd8b0d8497e2",
    "name": "Default Permission",
    "description": "A permission that applies to the default resource type",
    "type": "resource",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "config": {
      "defaultResourceType": "urn:api:resources:default",
      "applyPolicies": "[\"Default Policy\"]"
    }
  },
  {...}
]
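The manual cleanup above can be scripted. The following Python is an added example, not part of the original post or of Keycloak; it assumes the policies sit under clients[].authorizationSettings.policies in the export, and the sample realm and the client name my-api are constructed.

```python
import json
import sys

def applied_names(policy):
    """applyPolicies is a JSON array stored as a string inside config."""
    return json.loads(policy.get("config", {}).get("applyPolicies", "[]"))

def strip_script_policies(realm):
    """Drop type "js" policies and every permission or aggregate policy that
    would be left with nothing to apply. Returns the removed names for review."""
    removed = []
    for client in realm.get("clients", []):
        settings = client.get("authorizationSettings") or {}
        policies = settings.get("policies", [])
        dead = {p["name"] for p in policies if p.get("type") == "js"}
        changed = bool(dead)
        while changed:  # fixed point: removing one entry can orphan another
            changed = False
            for p in policies:
                names = applied_names(p)
                if p["name"] not in dead and names and set(names) <= dead:
                    dead.add(p["name"])
                    changed = True
        if not dead:
            continue
        settings["policies"] = [p for p in policies if p["name"] not in dead]
        for p in settings["policies"]:  # prune dangling references in survivors
            if "applyPolicies" in p.get("config", {}):
                keep = [n for n in applied_names(p) if n not in dead]
                p["config"]["applyPolicies"] = json.dumps(keep)
        removed += sorted(dead)
    return removed

# Constructed sample: the two entries from the post plus a role-based pair.
SAMPLE = {"realm": "RBAC", "clients": [{"clientId": "my-api", "authorizationSettings": {"policies": [
    {"name": "Default Policy", "type": "js", "config": {"code": "$evaluation.grant();"}},
    {"name": "Admin Role Policy", "type": "role", "config": {}},
    {"name": "Default Permission", "type": "resource",
     "config": {"applyPolicies": "[\"Default Policy\"]"}},
    {"name": "Admin Permission", "type": "resource",
     "config": {"applyPolicies": "[\"Default Policy\", \"Admin Role Policy\"]"}},
]}}]}

if __name__ == "__main__":  # usage: python strip_js.py old-realm.json new-realm.json
    with open(sys.argv[1], encoding="utf-8") as src:
        realm = json.load(src)
    print("removed:", strip_script_policies(realm))
    with open(sys.argv[2], "w", encoding="utf-8") as dst:
        json.dump(realm, dst, indent=2)
```

Review the returned names before importing, since every removed permission changes the authorization decisions for the resources it covered.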
Export a Realm
Step 1: Start docker
$ docker run --name keycloak -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin -p 8280:8080 -p 8543:8443 \
    -v "D:/dev/Quarkus/Keycloak/quarkus-keycloak-authorization-sample/import:/opt/keycloak/data/import" \
    quay.io/keycloak/keycloak:18.0.0 start-dev --import-realm --http-relative-path=auth
Step 2: Setup RBAC realm
- Create users, clients, … for the RBAC realm
Step 3: Export RBAC realm
- For a later import, use the option --users realm_file to export users into a single realm file
- The errors about restarting the Keycloak server can be ignored
Get Docker Container ID
$ docker ps
CONTAINER ID   IMAGE                              COMMAND                  CREATED          STATUS          PORTS                                            NAMES
8e07cf5a2aa7   quay.io/keycloak/keycloak:18.0.0   "/opt/keycloak/bin/k…"   42 minutes ago   Up 42 minutes   0.0.0.0:8280->8080/tcp, 0.0.0.0:8543->8443/tcp   keycloak
Start a bash inside this container
$ docker exec -it 8e07cf5a2aa7 bash
Run Realm Export
$ /opt/keycloak/bin/kc.sh export --dir /opt/keycloak/data/import --realm RBAC --users realm_file
2022-04-28 13:17:25,712 INFO [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: FrontEnd: <request>, Strict HTTPS: false, Path: <request>, Strict BackChannel: false, Admin: <request>, Port: -1, Proxied: false
2022-04-28 13:17:26,236 WARN [org.infinispan.PERSISTENCE] (keycloak-cache-init) ISPN000554: jboss-marshalling is deprecated and planned for removal
2022-04-28 13:17:26,352 WARN [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
2022-04-28 13:17:26,427 INFO [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2022-04-28 13:17:26,687 INFO [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000128: Infinispan version: Infinispan 'Triskaidekaphobia' 13.0.8.Final
2022-04-28 13:17:27,093 INFO [org.keycloak.exportimport.dir.DirExportProvider] (main) Exporting into directory /opt/keycloak/data/import
2022-04-28 13:17:27,290 INFO [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: node_244068, Site name: null
2022-04-28 13:17:27,604 INFO [org.keycloak.services] (main) KC-SERVICES0034: Export of realm 'RBAC' requested.
2022-04-28 13:17:28,422 INFO [org.keycloak.exportimport.dir.DirExportProvider] (main) Realm 'RBAC' - data exported
2022-04-28 13:17:28,428 INFO [org.keycloak.services] (main) KC-SERVICES0035: Export finished successfully
2022-04-28 13:17:28,479 ERROR [org.keycloak.services] (main) KC-SERVICES0010: Failed to add user 'admin' to realm 'master': user with username exists
2022-04-28 13:17:28,797 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (import_export) mode
2022-04-28 13:17:28,797 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Unable to start HTTP server
2022-04-28 13:17:28,797 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: io.quarkus.runtime.QuarkusBindException
Validate Export file
$ ls -l /opt/keycloak/data/import
-rwxr-xr-x 1 keycloak root 78022 Apr 28 13:17 RBAC-realm.json