
How to get a minimal configuration json ?

Open rgarrigue opened this issue 2 years ago • 5 comments

Problem Statement

The doc says

The config files are based on the keycloak export files. You can use them to re-import your settings. But keep your files as small as possible. Remove all UUIDs and all stuff which is default set by keycloak.

Our legacy Keycloak export is 3000 lines long, so I'd like to do exactly that, but I don't see how I can get there. Tried to make some three-way diff between

  • An export from our legacy keycloak
  • An export from an empty keycloak, same version as legacy
  • An export from an empty keycloak, same major as legacy but latest minor

Couldn't achieve a result: lists are unordered in the export, for a given realm I don't know if I can remove all the roles that seem to be default or not ... and you end up with an invalid JSON because you always end up removing a ) or a , somewhere you shouldn't.

Any recommendation, a script, any tools here? Just an export without the defaults included would be enough.

Proposed Solution

I've no idea of a solution atm

Environment

  • Keycloak Version: 21
  • keycloak-config-cli Version: from the Helm chart
      image:
        registry: docker.io
        repository: bitnami/keycloak-config-cli
        tag: 5.6.1-debian-11-r22
  • Java Version: ?

Additional information

No response

Acceptance Criteria

No response

rgarrigue avatar Oct 06 '23 08:10 rgarrigue

In my project, I also have similar concerns, the full export of Keycloak always involves full data (with thousands of lines of property and values) and cannot be re-applied multiple times.

Unfortunately, I also don't have a good solution for that yet, we are doing it manually.

What I did was:

  • Remove all "id" and "containerId" properties by using find/replace by regex functionality (I think most IDEs support that).
  • Remove all properties and data that you know/believe have NO impacts on the clients that rely on Keycloak. (This would usually take a lot of time if the Keycloak has a lot of dependent services/clients).
  • Always use validate JSON online tools (ex: jsonlint) per changes. In case you might have sensitive data that you don't want to expose to the world, feel free to use any local tools.
  • If possible, store the full version for backup in case you miss any important configuration in step 2.

I would also love to know if anyone has suggestions on this. (This could be hard to implement since Keycloak could introduce breaking changes about their default properties).

zovippro1996 avatar Oct 08 '23 18:10 zovippro1996

I also do that manually. I could not find any better approach.

MohammedNoureldin avatar Oct 09 '23 22:10 MohammedNoureldin

I get some help using this jq command:

jq '# drop the realm UUID/name and the top-level settings Keycloak populates by default (including generated keys)
  del(.id, .realm, .accessTokenLifespanForImplicitFlow,
  .accessTokenLifespanForWebApps, .accessTokenLifespan,
  .offlineSessionIdleTimeout, .accessTokenLifespanInSeconds,
  .ssoSessionIdleTimeout, .ssoSessionMaxLifespan,
  .ssoSessionIdleTimeoutRememberMe, .ssoSessionMaxLifespanRememberMe,
  .accessCodeLifespan, .accessCodeLifespanLogin, .accessCodeLifespanUserAction,
  .accessCodeLifespanMobile, .notBefore, .registrationAllowed,
  .registrationEmailAsUsername, .rememberMe, .verifyEmail, .resetPasswordFlow,
  .editUsernameAllowed, .bruteForceProtected, .permanentLockout, .maxFailureWaitSeconds,
  .minimumQuickLoginWaitSeconds, .waitIncrementSeconds, .quickLoginCheckMilliSeconds,
  .maxDeltaTimeSeconds, .failureFactor, .requiredCredentials, .otpPolicyType,
  .otpPolicyAlgorithm, .otpPolicyInitialCounter, .otpPolicyDigits, .otpPolicyLookAheadWindow,
  .otpPolicyPeriod, .otpSupportedApplications, .webAuthnPolicyRpEntityName,
  .webAuthnPolicyAttestationConveyancePreference, .webAuthnPolicyAuthenticatorAttachment,
  .webAuthnPolicyRequireResidentKey, .webAuthnPolicyUserVerificationRequirement,
  .webAuthnPolicyCreateTimeout, .webAuthnPolicyAssertionTimeout,
  .webAuthnPolicyRegistrationRecoveryEnabled, .webAuthnPolicyRegistrationRecoveryCodesQuantity,
  .webAuthnPolicyRegistrationTokenBindingRequired, .webAuthnPolicyRegistrationAttestationConveyancePreference,
  .webAuthnPolicyRegistrationAuthenticatorSelectionCriteria,
  .keys)' < keycloak-realm-export.json > keycloak-realm-export-new.json

KarstenSiemer avatar Nov 01 '23 08:11 KarstenSiemer

Nice, this jq deserves a spot in the documentation :)

rgarrigue avatar Nov 01 '23 08:11 rgarrigue

I am also thinking about an approach for how to do this. This is the manual approach I see atm:

  1. Remove all "id" and "containerId" properties by using find/replace by regex functionality
  2. Replace Id-Ref with alias-Ref for authenticationFlowBindingOverrides (if not empty)
  3. From the jq command from @KarstenSiemer, remove the ones which you have explicitly modified and therefore don't have their default value anymore. Apply it.
  4. Remove the roles and clients that match the checks done here https://github.com/adorsys/keycloak-config-cli/blob/main/src/main/java/de/adorsys/keycloak/config/util/KeycloakUtil.java#L56 unless you have made changes to them.

pantherwelt avatar Jul 08 '24 15:07 pantherwelt
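The three-way-diff idea from the original post and the manual steps above (strip ids, drop settings still at their default, drop untouched default roles and clients) as one added example script; this is not code from the thread or from keycloak-config-cli. It assumes you can produce a baseline export of an empty realm from the same Keycloak version, and it compares against that baseline rather than a hard-coded key list; the two exports below are constructed placeholders.

```python
import json

# Constructed sample: a trimmed "legacy" realm export and an export of an
# empty realm from the same Keycloak version (placeholders, not real exports).
LEGACY = {
    "id": "1111-aaaa", "realm": "legacy", "enabled": True,
    "ssoSessionIdleTimeout": 1800, "accessTokenLifespan": 900,
    "roles": {"realm": [
        {"id": "r1", "name": "offline_access", "containerId": "1111-aaaa"},
        {"id": "r2", "name": "auditor", "containerId": "1111-aaaa"},
    ]},
    "clients": [
        {"id": "c1", "clientId": "account", "enabled": True},
        {"id": "c2", "clientId": "billing-api", "enabled": True},
    ],
}
BASELINE = {
    "id": "2222-bbbb", "realm": "empty", "enabled": True,
    "ssoSessionIdleTimeout": 1800, "accessTokenLifespan": 300,
    "roles": {"realm": [
        {"id": "r9", "name": "offline_access", "containerId": "2222-bbbb"},
    ]},
    "clients": [{"id": "c9", "clientId": "account", "enabled": True}],
}

ID_KEYS = {"id", "containerId"}   # volatile UUIDs, regenerated on every import
KEEP_ALWAYS = {"realm"}           # the realm name must survive to target the import

def strip_ids(node):
    """Recursively drop UUID properties so two exports become comparable."""
    if isinstance(node, dict):
        return {k: strip_ids(v) for k, v in node.items() if k not in ID_KEYS}
    if isinstance(node, list):
        return [strip_ids(v) for v in node]
    return node

def prune_list(items, base_items, key):
    """Keep entries that are absent from the baseline or were modified."""
    base = {b[key]: b for b in base_items}
    return [i for i in items if i[key] not in base or base[i[key]] != i]

def minimise(legacy, baseline):
    """Return only what differs from an empty realm of the same version."""
    legacy, baseline = strip_ids(legacy), strip_ids(baseline)
    out = {}
    for k, v in legacy.items():
        if k == "roles":
            kept = prune_list(v.get("realm", []), baseline.get("roles", {}).get("realm", []), "name")
            if kept:
                out[k] = {"realm": kept}
        elif k == "clients":
            kept = prune_list(v, baseline.get("clients", []), "clientId")
            if kept:
                out[k] = kept
        elif k in KEEP_ALWAYS or baseline.get(k) != v:
            out[k] = v   # setting that is not at its default value
    return out

if __name__ == "__main__":
    print(json.dumps(minimise(LEGACY, BASELINE), indent=2))
```

Because Keycloak's defaults change between releases, the baseline must come from the same version as the legacy instance, and the output still needs a JSON validation pass and a dry-run import before it replaces the full export.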