Understand the root cause of the error “Script upload is disabled” and learn how to solve it when importing a realm file into a Keycloak server. For demo purposes, we are using a Windows machine where Keycloak is running as a Docker container.
1. Problem
With the older versions of Keycloak, we could import a previously exported realm file with the following command. Do not forget to replace the <container_id>.
# Open bash prompt for keycloak server
c:/users/user> docker exec -it <container_id> bash
# Run the command in bash
bash5.1$ /opt/keycloak/bin/kc.sh start-dev --import-realm
The above command starts importing all the realms present in the location ‘/opt/keycloak/data/import/’. At this step, we get the following error:
2023-04-19 10:17:48,103 INFO [org.keycloak.exportimport.dir.DirImportProvider] (main) Importing from directory /opt/keycloak/bin/../data/import
2023-04-19 10:17:50,771 INFO [org.keycloak.exportimport.util.ImportUtils] (main) Realm 'howtodoinjava' imported
2023-04-19 10:17:51,297 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (development) mode
2023-04-19 10:17:51,297 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Script upload is disabled
2023-04-19 10:17:51,297 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.
2. Reason
Prior to Keycloak version 18, we could include a piece of JavaScript code to be executed at runtime. Due to security enhancements, this feature was first deprecated and then removed in version 18.
If you search for the string “js” in the realm file, you can see one or more nodes whose type is “js”. They contain the JavaScript code that has to be executed at runtime, and because this is an unsupported feature, we get the error.
For example, in the following snippet, the first policy has the type “js”, and its JavaScript code is in the config/code field.
"authorizationSettings" : {
  "allowRemoteResourceManagement" : true,
  "policyEnforcementMode" : "ENFORCING",
  "resources" : [ {
    ...
  } ],
  "policies" : [ {
    "id" : "96f8aba1-7d27-4951-8ee7-990def866a10",
    "name" : "Default Policy",
    "description" : "A policy that grants access only for users within this realm",
    "type" : "js",
    "logic" : "POSITIVE",
    "decisionStrategy" : "AFFIRMATIVE",
    "config" : {
      "code" : "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
    }
  }, {
    ...
  } ],
  "scopes" : [ ],
  "decisionStrategy" : "UNANIMOUS"
}
3. Solution
So, to solve the “Script upload is disabled” error, clean the realm JSON file by removing the ‘authorizationSettings’ node altogether. After cleaning the realm file, the import will run successfully and the server will start.
Also, if you are actually using this feature, please check the official migration instructions.
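Before removing anything, it helps to know exactly which policies carry script code and what depends on them. The following Python audit is an added example, not part of the original article: it walks a realm export, lists every policy of type “js”, and names the permissions that reference it. The sample realm is constructed, and the `applyPolicies` layout (a JSON-encoded list of policy names inside `config`) is an assumption about the export format that the page does not show.

```python
import json
import sys
from pathlib import Path

# Constructed sample export (not the page's realm file). Assumption: a permission
# lists the policies it applies as a JSON-encoded string in config.applyPolicies.
SAMPLE_REALM = {
    "clients": [{
        "clientId": "demo-api",
        "authorizationSettings": {
            "policies": [
                {"name": "Default Policy", "type": "js",
                 "config": {"code": "$evaluation.grant();\n"}},
                {"name": "Admins Only", "type": "role", "config": {}},
                {"name": "Default Permission", "type": "resource",
                 "config": {"applyPolicies": "[\"Default Policy\"]"}},
            ],
        },
    }],
}

def find_authz(node, path="$"):
    """Yield (json_path, settings) for every authorizationSettings object."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "authorizationSettings" and isinstance(value, dict):
                yield f"{path}.{key}", value
            else:
                yield from find_authz(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_authz(item, f"{path}[{i}]")

def audit_js_policies(realm):
    """Return one finding per type "js" policy, with the permissions applying it."""
    findings = []
    for path, authz in find_authz(realm):
        policies = authz.get("policies") or []
        for pol in policies:
            if pol.get("type") != "js":
                continue
            used_by = [p.get("name") for p in policies if pol.get("name") in
                       json.loads((p.get("config") or {}).get("applyPolicies", "[]"))]
            findings.append({"path": path, "policy": pol.get("name"), "used_by": used_by,
                             "code": (pol.get("config") or {}).get("code", "")})
    return findings

if __name__ == "__main__":
    realm = json.loads(Path(sys.argv[1]).read_text(encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE_REALM
    print(json.dumps(audit_js_policies(realm), indent=2))
```

A non-empty `used_by` list means that deleting the script policy leaves a permission pointing at a policy that no longer exists, so review those permissions before importing the cleaned file.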
Happy Learning !!
When we are removing authorizationSettings, it won't import any authorization settings like scopes, permissions, etc. So what if we want to import that as well?
You may check the migration guide. Or you may try to remove only the script-related config and see if it works.
Inside the authorizationSettings node, try to simply turn the “policies” array into an empty array.
That way, in my case, I was able to import my realm with all my clients etc.
To be fair, I did not have any non-default authorization setting for that client, to my knowledge, so I’m not sure it’s a valid approach in cases like those.
What if we actually need these settings? This is not a valid solution.
Link to migration guide is also given. Please follow the steps.
Worked great for me, thanks!
Thank you very much for the helpful article. You saved my week.