Keycloak – Script upload is disabled while importing a realm

Understand the root cause of the error “Script upload is disabled” and learn to solve it when we import a realm file into a Keycloak server. For demo purposes, we are using a Windows machine where Keycloak is running as a Docker container.

1. Problem

With the older versions of Keycloak, we could import a previously exported realm file with the following command. Do not forget to replace the <container_id>.

# Open bash prompt for keycloak server
c:/users/user> docker exec -it <container_id> bash  

# Run the command in bash
bash5.1$ /opt/keycloak/bin/kc.sh start-dev --import-realm

The above command imports all the realms present in the location ‘/opt/keycloak/data/import/’. At this step, we get the following error:

2023-04-19 10:17:48,103 INFO  [org.keycloak.exportimport.dir.DirImportProvider] (main) Importing from directory /opt/keycloak/bin/../data/import
2023-04-19 10:17:50,771 INFO  [org.keycloak.exportimport.util.ImportUtils] (main) Realm 'howtodoinjava' imported
2023-04-19 10:17:51,297 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (development) mode
2023-04-19 10:17:51,297 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Script upload is disabled
2023-04-19 10:17:51,297 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.

2. Reason

Prior to Keycloak version 18, we could include a piece of JavaScript code in the realm to be executed at runtime. Due to security enhancements, this feature was first deprecated and then removed in version 18.

If you search for the string “js” in the realm file, you can see one or more nodes with the JS resource type. They contain the JavaScript code that has to be executed at runtime, and because it is an unsupported feature, we get the error.

For example, in the following snippet, the first policy type is “js”, and it contains the JavaScript code in the config/code field.

"authorizationSettings" : {
  "allowRemoteResourceManagement" : true,
  "policyEnforcementMode" : "ENFORCING",
  "resources" : [ {
    ...
  } ],
  "policies" : [ {
    "id" : "96f8aba1-7d27-4951-8ee7-990def866a10",
    "name" : "Default Policy",
    "description" : "A policy that grants access only for users within this realm",
    "type" : "js",
    "logic" : "POSITIVE",
    "decisionStrategy" : "AFFIRMATIVE",
    "config" : {
      "code" : "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
    }
  }, {
    ...
  } ],
  "scopes" : [ ],
  "decisionStrategy" : "UNANIMOUS"
}

3. Solution

So, to solve the “Script upload is disabled” error, clean the realm JSON file by removing the ‘authorizationSettings’ node altogether. After cleaning the realm file, the import will run successfully and the server will start.

Also, if you are actually using this feature, please check the official migration instructions.
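
As an added example (not code from the original article or from Keycloak), the Python sketch below lists every policy of type js in an export so the script source can be reviewed before it is discarded, then removes the authorizationSettings nodes as described above. The sample realm is constructed, and the "clients" wrapper and clientId values are assumptions; the walker searches at any depth, so it does not depend on where the node sits.

```python
import copy
import json

# Constructed sample; the "clients" wrapper and clientId values are assumptions.
SAMPLE_REALM = json.loads("""{
  "realm": "howtodoinjava",
  "clients": [
    {"clientId": "demo-client", "authorizationSettings": {"policies": [
      {"name": "Default Policy", "type": "js",
       "config": {"code": "$evaluation.grant();\\n"}},
      {"name": "Default Permission", "type": "resource", "config": {}}]}},
    {"clientId": "plain-client"}]}""")


def walk(node, path="$"):
    """Yield (path, parent) for each dict holding an 'authorizationSettings' object."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "authorizationSettings" and isinstance(value, dict):
                yield f"{path}.{key}", node
            else:
                yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, f"{path}[{i}]")


def find_js_policies(realm):
    """Return (path, policy name, script source) for each policy of type 'js'."""
    hits = []
    for path, parent in walk(realm):
        for policy in parent["authorizationSettings"].get("policies") or []:
            if policy.get("type") == "js":
                hits.append((path, policy.get("name"),
                             (policy.get("config") or {}).get("code", "")))
    return hits


def strip_authorization_settings(realm):
    """Return (cleaned deep copy, removed paths); the input is left untouched."""
    cleaned = copy.deepcopy(realm)
    found = list(walk(cleaned))  # collect first, then mutate
    for _, parent in found:
        del parent["authorizationSettings"]
    return cleaned, [path for path, _ in found]


if __name__ == "__main__":
    print(find_js_policies(SAMPLE_REALM))
    print(strip_authorization_settings(SAMPLE_REALM)[1])
```

Removing the node also drops the resources, scopes and non-script policies stored in it, so keep the report if the authorization rules need to be recreated after the import.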

Happy Learning !!
