adorsys / keycloak-config-cli

Import YAML/JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak.
Apache License 2.0
759 stars 136 forks

How to get a minimal configuration json ? #933

Open rgarrigue opened 12 months ago

rgarrigue commented 12 months ago

Problem Statement

The doc says

The config files are based on the keycloak export files. You can use them to re-import your settings. But keep your files as small as possible. Remove all UUIDs and all stuff which is default set by keycloak.

Our legacy Keycloak export is 3000 lines long, so I'd like to do exactly that, but I don't see how I can get there. Tried to make some three-way diff between

Couldn't achieve a result: lists are unordered in the export, for a given realm I don't know if I can remove all the roles that seem to be default or not ... and you end up with invalid JSON because you always end up removing a ) or a , somewhere you shouldn't.

Any recommendation, a script, any tools here ? Just an export without the default included would be enough

Proposed Solution

I've no idea of a solution atm

Environment

  image:
    registry: docker.io
    repository: bitnami/keycloak-config-cli
    tag: 5.6.1-debian-11-r22

Additional information

No response

Acceptance Criteria

No response

zovippro1996 commented 12 months ago

In my project, I also have similar concerns, the full export of Keycloak always involves full data (with thousands of lines of property and values) and cannot be re-applied multiple times.

Unfortunately, I also don't have a good solution for that yet, we are doing it manually.

What I did was:

I would also love to know if anyone has suggestions on this. (This could be hard to implement since Keycloak could introduce breaking changes about their default properties).

MohammedNoureldin commented 12 months ago

I also do that manually. I could not find any better approach.

KarstenSiemer commented 11 months ago

I get some help using this jq command:

jq 'del(.id, .realm, .accessTokenLifespanForImplicitFlow,
  .accessTokenLifespanForWebApps, .accessTokenLifespan,
  .offlineSessionIdleTimeout, .accessTokenLifespanInSeconds,
  .ssoSessionIdleTimeout, .ssoSessionMaxLifespan,
  .ssoSessionIdleTimeoutRememberMe, .ssoSessionMaxLifespanRememberMe,
  .accessCodeLifespan, .accessCodeLifespanLogin, .accessCodeLifespanUserAction,
  .accessCodeLifespanMobile, .notBefore, .registrationAllowed,
  .registrationEmailAsUsername, .rememberMe, .verifyEmail, .resetPasswordFlow,
  .editUsernameAllowed, .bruteForceProtected, .permanentLockout, .maxFailureWaitSeconds,
  .minimumQuickLoginWaitSeconds, .waitIncrementSeconds, .quickLoginCheckMilliSeconds,
  .maxDeltaTimeSeconds, .failureFactor, .requiredCredentials, .otpPolicyType,
  .otpPolicyAlgorithm, .otpPolicyInitialCounter, .otpPolicyDigits, .otpPolicyLookAheadWindow,
  .otpPolicyPeriod, .otpSupportedApplications, .webAuthnPolicyRpEntityName,
  .webAuthnPolicyAttestationConveyancePreference, .webAuthnPolicyAuthenticatorAttachment,
  .webAuthnPolicyRequireResidentKey, .webAuthnPolicyUserVerificationRequirement,
  .webAuthnPolicyCreateTimeout, .webAuthnPolicyAssertionTimeout,
  .webAuthnPolicyRegistrationRecoveryEnabled, .webAuthnPolicyRegistrationRecoveryCodesQuantity,
  .webAuthnPolicyRegistrationTokenBindingRequired, .webAuthnPolicyRegistrationAttestationConveyancePreference,
  .webAuthnPolicyRegistrationAuthenticatorSelectionCriteria,
  .keys)' < keycloak-realm-export.json > keycloak-realm-export-new.json

rgarrigue commented 11 months ago

Nice, this jq deserves a spot in the documentation :)

pantherwelt commented 2 months ago

I am also thinking of an approach for how to do this. This is the manual approach I see atm:

  1. Remove all "id" and "containerId" properties by using find/replace by regex functionality
  2. Replace Id-Ref with alias-Ref for authenticationFlowBindingOverrides (if not empty)
  3. From the jq command from @KarstenSiemer, remove the keys which you have explicitly modified and which therefore no longer have their default value. Apply it.
  4. Remove the roles and clients that match the checks done here https://github.com/adorsys/keycloak-config-cli/blob/main/src/main/java/de/adorsys/keycloak/config/util/KeycloakUtil.java#L56 unless you have made changes to them.
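The four manual steps above, together with the key list from the jq command earlier in the thread, can be scripted. The following is an added example written for this thread; it is not code from the keycloak-config-cli project and it is not the logic behind the KeycloakUtil.java link. It keeps `realm` (the import needs the realm name) and does the id-to-alias replacement of step 2 before the id stripping of step 1, because once the `id` fields are gone there is nothing left to map an override's flow id to its alias. The list of built-in clients and roles (`BUILTIN_CLIENTS`, `BUILTIN_ROLES`, `default-roles-<realm>`) is an assumption to be checked against your Keycloak version, the `DEFAULT_REALM_KEYS` set is a subset of the jq list, and `SAMPLE_EXPORT` is a constructed stand-in for a real export:

```python
"""Trim a Keycloak realm export to the non-default settings that
keycloak-config-cli needs.  Added example for the issue thread; not project
code.  Built-in client/role names and the default-key list are assumptions."""
import copy
import json

# Realm-level keys that the jq command in the thread deletes because Keycloak
# fills them with defaults on import (subset; extend to match the full list).
DEFAULT_REALM_KEYS = {
    "accessTokenLifespan", "ssoSessionIdleTimeout", "ssoSessionMaxLifespan",
    "bruteForceProtected", "permanentLockout", "failureFactor",
    "otpPolicyType", "otpPolicyAlgorithm", "otpPolicyDigits", "otpPolicyPeriod",
    "webAuthnPolicyRpEntityName", "keys",
}
# Assumed: clients and realm roles Keycloak creates for every realm.
BUILTIN_CLIENTS = {"account", "account-console", "admin-cli", "broker",
                   "realm-management", "security-admin-console"}
BUILTIN_ROLES = {"offline_access", "uma_authorization"}
ID_KEYS = {"id", "containerId"}


def strip_ids(node):
    """Step 1: recursively drop every id / containerId property."""
    if isinstance(node, dict):
        return {k: strip_ids(v) for k, v in node.items() if k not in ID_KEYS}
    if isinstance(node, list):
        return [strip_ids(v) for v in node]
    return node


def flow_aliases(realm):
    """Map authentication flow id -> alias; must run while ids still exist."""
    return {f["id"]: f["alias"] for f in realm.get("authenticationFlows", [])
            if "id" in f and "alias" in f}


def minimize_realm(export, keep_keys=frozenset(), modified_clients=frozenset(),
                   modified_roles=frozenset()):
    """Return a trimmed copy of a realm export.

    keep_keys        - default-ish realm keys you changed and want to keep (step 3)
    modified_clients - built-in clientIds you customised and want to keep (step 4)
    modified_roles   - built-in role names you customised and want to keep (step 4)
    """
    realm = copy.deepcopy(export)
    realm_name = realm.get("realm")
    aliases = flow_aliases(realm)

    # Step 2 (before step 1): replace flow ids with aliases in client overrides.
    for client in realm.get("clients", []):
        overrides = client.get("authenticationFlowBindingOverrides") or {}
        resolved = {binding: aliases.get(fid, fid) for binding, fid in overrides.items()}
        if resolved:
            client["authenticationFlowBindingOverrides"] = resolved
        else:
            client.pop("authenticationFlowBindingOverrides", None)

    realm = strip_ids(realm)                       # Step 1

    for key in DEFAULT_REALM_KEYS - set(keep_keys):  # Step 3
        realm.pop(key, None)

    # Step 4: drop built-in clients and realm roles unless marked as modified.
    realm["clients"] = [c for c in realm.get("clients", [])
                        if c.get("clientId") not in BUILTIN_CLIENTS
                        or c.get("clientId") in modified_clients]
    default_roles = set(BUILTIN_ROLES)
    if realm_name:
        default_roles.add(f"default-roles-{realm_name}")  # assumed composite role name
    realm_roles = realm.get("roles", {}).get("realm")
    if realm_roles is not None:
        realm["roles"]["realm"] = [r for r in realm_roles
                                   if r.get("name") not in default_roles
                                   or r.get("name") in modified_roles]
    return realm


# Constructed sample export (not a real Keycloak dump).
SAMPLE_EXPORT = {
    "id": "11111111-0000-0000-0000-000000000000", "realm": "demo", "enabled": True,
    "accessTokenLifespan": 300, "ssoSessionIdleTimeout": 1800,
    "bruteForceProtected": True, "failureFactor": 5,
    "roles": {"realm": [
        {"id": "r1", "name": "offline_access", "containerId": "11111111"},
        {"id": "r2", "name": "default-roles-demo", "containerId": "11111111"},
        {"id": "r3", "name": "app-admin", "containerId": "11111111"},
    ]},
    "clients": [
        {"id": "c1", "clientId": "admin-cli", "publicClient": True,
         "authenticationFlowBindingOverrides": {}},
        {"id": "c2", "clientId": "my-app", "redirectUris": ["https://app.example/*"],
         "authenticationFlowBindingOverrides": {"browser": "f1"}},
    ],
    "authenticationFlows": [{"id": "f1", "alias": "browser-with-otp", "topLevel": True}],
}

if __name__ == "__main__":
    # Brute-force settings were tuned on purpose in this realm, so keep them.
    trimmed = minimize_realm(SAMPLE_EXPORT, keep_keys={"bruteForceProtected", "failureFactor"})
    print(json.dumps(trimmed, indent=2))
```

Because the output is produced by `json.dumps` rather than by hand-editing, the "removed a ) or a ," problem from the opening post cannot occur; review the diff against the original export before committing the trimmed file, since a key that looks like a default may be one someone changed deliberately.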