[keycloak-user] Configuring keycloak with JSON instead of UI
Marek Posolda
mposolda at redhat.com
Wed Mar 1 05:05:05 EST 2017
On 01/03/17 07:04, Sarp Kaya wrote:
> I have been experimenting with import/exports more.
> Essentially my end goal is, I want to get the JSON of the changes that I have done on UI so that I can import it to other Keycloak instances in other environments. For instance I can do my changes on test environment and then just import them to production environment, without manually doing these changes through UI.
>
> In terms of exporting it seems like only command line option exists. In terms of importing, there is an import via UI and import via command line.
>
> Command line import doesn’t really work if the realm already exists. You can opt in to overwrite existing realm; but that actually removes the entire realm with the users; where the old users are not retrieved back.
>
> Importing via UI, seems like this can be done with two options, first one is via create realm; which works perfectly fine.
>
> However, if I have an existing realm, and I want to overwrite some changes, then it only works for clients, IDPs, realm roles and client roles. For instance, if I were to enable brute force detection, there is no way to import this setting to an existing realm.
>
> So this is basically what I want to accomplish. I want to be able to copy changed UI configurations to another keycloak instance, so that I would avoid manual UI configurations.
>
> Next thing I will be trying is to see if this endpoint for updating configuration works:
> http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_update_the_top_level_information_of_the_realm

Yes, that should work. You can load the realm JSON from the old server
and then use the update endpoint you mentioned and import the realm
configuration to the new server.

You can create a JIRA to request updating realm configurations via
export/import without deleting existing users. But I'm not sure when we
will fix that (if you do not send a PR yourself :).

So doing it via REST is likely the better option.

Marek

>
> Otherwise, I do not really see any other way to get that changed.
> Thanks,
> Sarp
>
> On 2/15/2017 1:06 AM, Sarp Kaya wrote:
>> Hello,
>>
>> I’m aware of keycloak import/export functionality but when I export keycloak configuration it exports with a bunch of ids. I’m guessing this is useful for back-ups or duplicating the entire environment.
>> My problem is, say if you have different environments with slight configuration differences (because environments probably have different keys, URLs etc.) but would like to keep the majority of the configuration the same; then this export/import becomes unusable:
>>
>>
>> 1) Everything has an id, so therefore just exporting and then importing a singular item will not work due to id mismatch.
> If I recall, if you remove an id, a new one will be created. However,
> sometimes an id is used to refer to other things in the data structure
> so you have to be careful (Again, going from memory here. Test early
> and often).
>> 2) During the import, it’s not possible to select what can be overwritten and what can be skipped. Importing condition applies for all.
>>
>> My question is, what is the best practice to configure keycloak in multiple environments?
> This can get incredibly complex due to dependencies between entities.
> But if you keep it simple enough the current import facilities can suffice.
>
> The best answer I can give is that it just depends on what you are
> trying to do.
>
>
>
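
The REST approach suggested in the reply above, as an added example that is not part of the original thread and not Keycloak's own code: it compares an allow-list of top-level realm settings between two realm representations and builds the PUT request for the realm update endpoint, so ids, SMTP credentials and environment-specific values are never copied to production. The allow-list, sample realms, host and token are constructed, and it assumes the endpoint leaves fields omitted from the body unchanged, which should be verified on the target version.

```python
import json
import urllib.request
from urllib.parse import quote

# Allow-list of top-level realm settings to promote (brute force detection
# and password policy). Anything not listed here (ids, keys, SMTP settings,
# users, clients, roles) is never copied between environments.
PROMOTE_KEYS = (
    "bruteForceProtected", "failureFactor", "maxFailureWaitSeconds",
    "minimumQuickLoginWaitSeconds", "waitIncrementSeconds",
    "quickLoginCheckMilliSeconds", "maxDeltaTimeSeconds", "passwordPolicy",
)

def plan_update(source, target, keys=PROMOTE_KEYS):
    """Return {key: value} for allow-listed settings that differ."""
    return {k: source[k] for k in keys
            if k in source and source[k] != target.get(k)}

def build_update_request(base_url, realm, changes, token):
    """Build (but do not send) the PUT for the realm update endpoint."""
    body = dict(changes, realm=realm)
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/admin/realms/{quote(realm, safe='')}",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )

# Constructed sample representations (not real exports).
TEST_REALM = {"id": "constructed-id-1", "realm": "demo", "sslRequired": "none",
              "bruteForceProtected": True, "failureFactor": 5,
              "smtpServer": {"password": "constructed-secret"}}
PROD_REALM = {"id": "constructed-id-2", "realm": "demo",
              "sslRequired": "external",
              "bruteForceProtected": False, "failureFactor": 30}

if __name__ == "__main__":
    changes = plan_update(TEST_REALM, PROD_REALM)
    print(json.dumps(changes, indent=2))  # review the diff before applying
    req = build_update_request("https://sso.example.test/auth", "demo",
                               changes, "PLACEHOLDER_TOKEN")
    print(req.get_method(), req.full_url)
    # urllib.request.urlopen(req) would apply it; omitted so this runs offline.
```

The test realm's `sslRequired: none`, its id and its SMTP password stay out of the request because they are not on the allow-list.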