Skip to content

Migration Guide 2.10

sberyozkin edited this page May 17, 2022 · 6 revisions

Keycloak Authorization and Keycloak 18.0.0

Keycloak version has been bumped to 18.0.0. It may affect quarkus-keycloak-authorization users who have authorization policies represented as Java Script and uploaded to Keycloak because the upload-scripts feature has been removed in Keycloak 18.0.0. Please see Keycloak Upgrading Guide for more information.

Here is a short summary of how to manage such Java Script policies in Keycloak 18.0.0.

Lets say you have the following authorization policy uploaded to Keycloak:

 import org.keycloak.representations.idm.authorization.PolicyRepresentation;
 import org.keycloak.representations.idm.authorization.ResourceServerRepresentation;
 public void uploadPolicy() {
        ResourceServerRepresentation authorizationSettings = new ResourceServerRepresentation();
        PolicyRepresentation policyAdmin = createJSPolicy("Admin Policy", "var identity = $evaluation.context.identity;\n" +
                "\n" +
                "if (identity.hasRealmRole(\"admin\")) {\n" +
                "$evaluation.grant();\n" +
                "}", authorizationSettings);
        // Upload this policy using Keycloak Admin Client...

 private static PolicyRepresentation createJSPolicy(String name, String code, ResourceServerRepresentation authorizationSettings) {
     PolicyRepresentation policy = new PolicyRepresentation();
     policy.setType("script-" + code);
     return policy;

For it to work with Keycloak 18.0.0 the JavaScript code needs to be moved to a policy file such as admin.js:

var identity = $evaluation.context.identity;
if (identity.hasRealmRole("admin")) {

and this admin.js needs to be referred to from the Java code:

ResourceServerRepresentation authorizationSettings = new ResourceServerRepresentation();
PolicyRepresentation policyAdmin = createJSPolicy("Admin Policy", "admin-policy.js", authorizationSettings);
// Upload this policy using Keycloak Admin Client...

and from keycloak-scripts.json:

  "policies": [
      "fileName": "admin-policy.js"

keycloak-scripts.json will have to be converted to a jar and deployed to Keycloak.

Current version

Migration Guide 3.18

Next version in main

Migration Guide 3.19

Clone this wiki locally