
How to get a minimal configuration json? #933

Closed
rgarrigue opened this issue Oct 6, 2023 · 6 comments
Comments

@rgarrigue

rgarrigue commented Oct 6, 2023

Problem Statement

The doc says

The config files are based on the keycloak export files. You can use them to re-import your settings. But keep your files as small as possible. Remove all UUIDs and all stuff which is default set by keycloak.

Our legacy Keycloak export is 3000 lines long, so I'd like to do exactly that, but I don't see how I can get there. Tried to make some three-way diff between

  • An export from our legacy keycloak
  • An export from an empty keycloak, same version as legacy
  • An export from an empty keycloak, same major as legacy but latest minor

Couldn't achieve a result: lists are unordered in the export, for a given realm I don't know if I can remove all the roles that seem to be default or not ... and you end up with an invalid JSON because you always end up removing a ) or a , somewhere you shouldn't.

Any recommendation, a script, any tools here? Just an export without the defaults included would be enough.

Proposed Solution

I've no idea of a solution atm

Environment

  • Keycloak Version: 21
  • keycloak-config-cli Version: from the Helm chart
  image:
    registry: docker.io
    repository: bitnami/keycloak-config-cli
    tag: 5.6.1-debian-11-r22
  • Java Version: ?

Additional information

No response

Acceptance Criteria

No response

@zovippro1996

In my project, I also have similar concerns, the full export of Keycloak always involves full data (with thousands of lines of property and values) and cannot be re-applied multiple times.

Unfortunately, I also don't have a good solution for that yet, we are doing it manually.

What I did was:

  • Remove all "id" and "containerId" properties by using find/replace by regex functionality (I think most IDEs support that).
  • Remove all properties and data that you know/believe have NO impacts on the clients that rely on Keycloak. (This would usually take a lot of time if the Keycloak has a lot of dependent services/clients).
  • Always use online JSON validation tools (ex: jsonlint) after each change. In case you might have sensitive data that you don't want to expose to the world, feel free to use any local tools.
  • If possible, store the full version for backup in case you miss any important configuration in step 2.

I would also love to know if anyone has suggestions on this. (This could be hard to implement since Keycloak could introduce breaking changes about their default properties).

@MohammedNoureldin

I also do that manually. I could not find any better approach.

@KarstenSiemer

I get some help using this jq command

jq 'del(.id, .realm, .accessTokenLifespanForImplicitFlow,
  .accessTokenLifespanForWebApps, .accessTokenLifespan,
  .offlineSessionIdleTimeout, .accessTokenLifespanInSeconds,
  .ssoSessionIdleTimeout, .ssoSessionMaxLifespan,
  .ssoSessionIdleTimeoutRememberMe, .ssoSessionMaxLifespanRememberMe,
  .accessCodeLifespan, .accessCodeLifespanLogin, .accessCodeLifespanUserAction,
  .accessCodeLifespanMobile, .notBefore, .registrationAllowed,
  .registrationEmailAsUsername, .rememberMe, .verifyEmail, .resetPasswordFlow,
  .editUsernameAllowed, .bruteForceProtected, .permanentLockout, .maxFailureWaitSeconds,
  .minimumQuickLoginWaitSeconds, .waitIncrementSeconds, .quickLoginCheckMilliSeconds,
  .maxDeltaTimeSeconds, .failureFactor, .requiredCredentials, .otpPolicyType,
  .otpPolicyAlgorithm, .otpPolicyInitialCounter, .otpPolicyDigits, .otpPolicyLookAheadWindow,
  .otpPolicyPeriod, .otpSupportedApplications, .webAuthnPolicyRpEntityName,
  .webAuthnPolicyAttestationConveyancePreference, .webAuthnPolicyAuthenticatorAttachment,
  .webAuthnPolicyRequireResidentKey, .webAuthnPolicyUserVerificationRequirement,
  .webAuthnPolicyCreateTimeout, .webAuthnPolicyAssertionTimeout,
  .webAuthnPolicyRegistrationRecoveryEnabled, .webAuthnPolicyRegistrationRecoveryCodesQuantity,
  .webAuthnPolicyRegistrationTokenBindingRequired, .webAuthnPolicyRegistrationAttestationConveyancePreference,
  .webAuthnPolicyRegistrationAuthenticatorSelectionCriteria,
  .keys)' < keycloak-realm-export.json > keycloak-realm-export-new.json

@rgarrigue
Author

Nice, this jq deserves a spot in the documentation :)

@pantherwelt

pantherwelt commented Jul 8, 2024

I am also thinking about an approach for how to do this.
This is the manual approach I see atm:

  1. Remove all "id" and "containerId" properties by using find/replace by regex functionality
  2. Replace Id-Ref with alias-Ref for authenticationFlowBindingOverrides (if not empty)
  3. From the jq command from @KarstenSiemer remove the ones which you have explicitly modified and therefore don't have their default value anymore. Apply it.
  4. Remove the roles and clients that match the checks done here https://github.com/adorsys/keycloak-config-cli/blob/main/src/main/java/de/adorsys/keycloak/config/util/KeycloakUtil.java#L56 unless you have made changes to them.
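Step 2 above, as an added Python example that is not part of this thread or of keycloak-config-cli: it rewrites every client's authenticationFlowBindingOverrides from the exported flow id to the flow alias (aliases survive a re-import into a fresh realm, generated ids do not) and fails on a reference to a flow that is not in the export, which is the dangling reference you want to catch before importing. It assumes the export's top-level authenticationFlows entries carry id and alias; the realm below is constructed.

```python
import copy

# Constructed example, not keycloak-config-cli code. Assumes the export carries a
# top-level "authenticationFlows" list (each entry with "id" and "alias") and that
# each client's "authenticationFlowBindingOverrides" maps a binding name to a flow id.


def flow_aliases(realm: dict) -> dict:
    """Map flow id -> alias for every flow in the export."""
    return {
        flow["id"]: flow["alias"]
        for flow in realm.get("authenticationFlows", [])
        if "id" in flow and "alias" in flow
    }


def rewrite_flow_overrides(realm: dict) -> dict:
    """Return a copy where override values reference flows by alias instead of id.

    A value that is already an alias is left alone; one that matches no flow at
    all raises, so a broken reference is found before the import runs.
    """
    realm = copy.deepcopy(realm)  # never mutate the caller's export
    aliases = flow_aliases(realm)
    for client in realm.get("clients", []):
        overrides = client.get("authenticationFlowBindingOverrides") or {}
        for binding, ref in overrides.items():
            if not ref:  # Keycloak exports empty strings for unset bindings
                continue
            if ref in aliases:
                overrides[binding] = aliases[ref]
            elif ref not in aliases.values():
                raise ValueError(
                    f"client {client.get('clientId')!r}: {binding} references unknown flow {ref!r}"
                )
    return realm


# Constructed realm export: one custom browser flow bound to one client.
REALM = {
    "realm": "legacy",
    "authenticationFlows": [
        {"id": "5c0e-flow", "alias": "browser", "builtIn": True},
        {"id": "77ab-flow", "alias": "corp-browser", "builtIn": False},
    ],
    "clients": [
        {"clientId": "portal",
         "authenticationFlowBindingOverrides": {"browser": "77ab-flow", "direct_grant": ""}},
        {"clientId": "admin-cli", "authenticationFlowBindingOverrides": {}},
    ],
}

if __name__ == "__main__":
    for client in rewrite_flow_overrides(REALM)["clients"]:
        print(client["clientId"], client["authenticationFlowBindingOverrides"])
```

Run this before the id-stripping step, since it needs the flow ids that are still present in the raw export to build the id-to-alias map.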

@Motouom
Collaborator

Motouom commented Dec 2, 2024

Hello @rgarrigue

For your issue on getting a minimal configuration json, here is a script that can do so.

#!/bin/bash
# Strip generated ids and the realm-level settings that usually still hold
# Keycloak's defaults. Keeps .realm, which keycloak-config-cli needs.
# Requires jq 1.6 or newer (walk/1 is built in from that version).
set -euo pipefail

INPUT_FILE="realm-config.json"
OUTPUT_FILE="keycloak-realm-export-minimal.json"

# First del(): top-level realm settings. Second walk(): generated ids on every
# nested object (roles, clients, components, flows ...).
jq 'del(
  .id, .containerId, .accessTokenLifespanForImplicitFlow,
  .accessTokenLifespanForWebApps, .accessTokenLifespan, .offlineSessionIdleTimeout,
  .accessTokenLifespanInSeconds, .ssoSessionIdleTimeout, .ssoSessionMaxLifespan,
  .ssoSessionIdleTimeoutRememberMe, .ssoSessionMaxLifespanRememberMe,
  .accessCodeLifespan, .accessCodeLifespanLogin, .accessCodeLifespanUserAction,
  .accessCodeLifespanMobile, .notBefore, .registrationAllowed,
  .registrationEmailAsUsername, .rememberMe, .verifyEmail, .resetPasswordFlow,
  .editUsernameAllowed, .bruteForceProtected, .permanentLockout, .maxFailureWaitSeconds,
  .minimumQuickLoginWaitSeconds, .waitIncrementSeconds, .quickLoginCheckMilliSeconds,
  .maxDeltaTimeSeconds, .failureFactor, .requiredCredentials, .otpPolicyType,
  .otpPolicyAlgorithm, .otpPolicyInitialCounter, .otpPolicyDigits, .otpPolicyLookAheadWindow,
  .otpPolicyPeriod, .otpSupportedApplications, .webAuthnPolicyRpEntityName,
  .webAuthnPolicyAttestationConveyancePreference, .webAuthnPolicyAuthenticatorAttachment,
  .webAuthnPolicyRequireResidentKey, .webAuthnPolicyUserVerificationRequirement,
  .webAuthnPolicyCreateTimeout, .webAuthnPolicyAssertionTimeout,
  .webAuthnPolicyRegistrationRecoveryEnabled, .webAuthnPolicyRegistrationRecoveryCodesQuantity,
  .webAuthnPolicyRegistrationTokenBindingRequired, .webAuthnPolicyRegistrationAttestationConveyancePreference,
  .webAuthnPolicyRegistrationAuthenticatorSelectionCriteria, .keys
)
| walk(if type == "object" then del(.id, .containerId) else . end)' < "$INPUT_FILE" > "$OUTPUT_FILE"

echo "Minimal export saved to $OUTPUT_FILE"

You can customize it to your liking and it'll work fine.

@Motouom Motouom self-assigned this Dec 2, 2024
@Motouom Motouom moved this from Ready for Dev to Review in os-competence-center-board Dec 2, 2024
@Motouom Motouom linked a pull request Dec 2, 2024 that will close this issue
@github-project-automation github-project-automation bot moved this from Review to Done in os-competence-center-board Dec 2, 2024