Understand the root cause of the error “Script upload is disabled” and learn how to solve it when importing a realm file into a Keycloak server. For demo purposes, we are using a Windows machine where Keycloak is running as a Docker container.
1. Problem
With the older versions of Keycloak, we could import a previously exported realm file with the following command. Do not forget to replace the <container_id>.
# Open bash prompt for keycloak server
c:/users/user> docker exec -it <container_id> bash
# Run the command in bash
bash5.1$ /opt/keycloak/bin/kc.sh start-dev --import-realm
The above command starts importing all the realms present in the location ‘/opt/keycloak/data/import/’. At this step, we get the following error:
2023-04-19 10:17:48,103 INFO [org.keycloak.exportimport.dir.DirImportProvider] (main) Importing from directory /opt/keycloak/bin/../data/import
2023-04-19 10:17:50,771 INFO [org.keycloak.exportimport.util.ImportUtils] (main) Realm 'howtodoinjava' imported
2023-04-19 10:17:51,297 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (development) mode
2023-04-19 10:17:51,297 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Script upload is disabled
2023-04-19 10:17:51,297 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.
2. Reason
Prior to Keycloak version 18, we could include a piece of JavaScript code in the realm for the server to execute at runtime. Due to security enhancements, this feature was first deprecated and then removed in version 18.
If you search for the string “js” in the realm file, you can see one or more nodes with the JS resource type. They contain the JavaScript code that has to be executed at runtime, and because it is an unsupported feature, we get the error.
For example, in the following snippet, the first policy type is “js”, and it contains the JavaScript code in the config/code field.
"authorizationSettings" : {
  "allowRemoteResourceManagement" : true,
  "policyEnforcementMode" : "ENFORCING",
  "resources" : [ {
    ...
  } ],
  "policies" : [ {
    "id" : "96f8aba1-7d27-4951-8ee7-990def866a10",
    "name" : "Default Policy",
    "description" : "A policy that grants access only for users within this realm",
    "type" : "js",
    "logic" : "POSITIVE",
    "decisionStrategy" : "AFFIRMATIVE",
    "config" : {
      "code" : "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
    }
  }, {
    ...
  } ],
  "scopes" : [ ],
  "decisionStrategy" : "UNANIMOUS"
}
3. Solution
So, to solve the “Script upload is disabled” error, clean the realm JSON file by removing the ‘authorizationSettings’ node altogether. After cleaning the realm file, the import will run successfully and the server will start.
Also, if you are actually using this feature, please check the official migration instructions.
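Before removing anything, it helps to see which policies carry script code and which other policies go away with the node. The following is an added example, not code from the original article or from Keycloak: it walks a realm file for every ‘authorizationSettings’ node, reports its “js” policies, and removes only the nodes that hold one. The function names and the sample realm are assumptions constructed for illustration.

```python
import json

# Constructed sample shaped like the snippet above; not a real realm export.
SAMPLE_REALM = json.loads("""
{"realm": "demo", "clients": [
  {"clientId": "app", "authorizationSettings": {"policies": [
    {"name": "Default Policy", "type": "js", "config": {"code": "$evaluation.grant();"}},
    {"name": "Admins Only", "type": "role", "config": {}}]}},
  {"clientId": "plain"}]}
""")

def walk_auth_settings(node, path="$"):
    """Yield (path, parent, settings) for every 'authorizationSettings' node."""
    if isinstance(node, dict):
        for key, value in list(node.items()):
            child = f"{path}.{key}"
            if key == "authorizationSettings" and isinstance(value, dict):
                yield child, node, value
            else:
                yield from walk_auth_settings(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk_auth_settings(item, f"{path}[{i}]")

def audit(realm):
    """Per node: names of 'js' policies and of the other policies removal drops."""
    report = []
    for path, _, settings in walk_auth_settings(realm):
        policies = settings.get("policies", [])
        js = [p.get("name") for p in policies if p.get("type") == "js"]
        other = [p.get("name") for p in policies if p.get("type") != "js"]
        report.append({"path": path, "js": js, "also_dropped": other})
    return report

def strip_auth_settings(realm):
    """Apply the fix from this page to each node that holds a 'js' policy."""
    removed = 0
    for _, parent, settings in list(walk_auth_settings(realm)):
        if any(p.get("type") == "js" for p in settings.get("policies", [])):
            del parent["authorizationSettings"]
            removed += 1
    return removed

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_REALM), indent=2))
```

Review the "also_dropped" list before importing the cleaned file, because those policies are removed together with the node.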
Happy Learning !!