3

Does anyone have any thoughts on how one might import a very large number of users into Keycloak?

We are in the process of upgrading from 2.5.5 to 4.0.0 and have had to switch from MongoDB to MySQL. We have been able to export our user base, but we have 280k+ users to import back into Keycloak. The import process takes 25 mins to import one file of 500 users, which doesn't really seem practical, as that would take us approximately 9/10 days to import the user base if we were working 24/7.

Any thoughts or ideas would be appreciated.

Chris Latta
  • Have you been able to find any solution? We are now also struggling with performance of user sync from external db. It seems that everything in KC leads to n+1 problem... – malejpavouk Jan 22 '19 at 22:04
  • 1
    We ended up writing a custom import that directly wrote to a fresh Keycloak MySQL table. Bit of a pain and took months of troubleshooting and tweaking but got there in the end. – Chris Latta Jan 24 '19 at 09:24
  • Just in case someone is looking here: in the end we ended up with getting the EntityManager out of Keycloak (session.getProvider(JpaConnectionProvider.class).getEntityManager()) and one-hit loaded all role and group mapping which got us around the n+1 issue. – malejpavouk Jan 24 '19 at 15:37

2 Answers

2

I realize I'm a little late to the party here...

Keycloak 8 (and newer) has a mechanism for bulk importing users via a .json file: https://www.keycloak.org/docs/8.0/server_admin/index.html#_export_import

If you have some sort of mechanism for dumping your existing users to a .json file, it makes the import reasonably easy.

Joel B
  • 2
    updated link: https://www.keycloak.org/docs/latest/server_admin/index.html#importing-a-realm-from-exported-json-file – mabi Sep 01 '22 at 07:15
2

You can use the Keycloak REST API with partialImport.

First, you need to get an access_token; you can use your admin user or a client with the role manage-realm assigned.

```
# Request a token with the client_credentials grant and keep only access_token
access_token=$(curl -s -X POST http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/token \
  -d 'grant_type=client_credentials' \
  -u 'admin-client:admin-secret' | jq -r .access_token)
```

Then you can import an array of users:

```
# ifResourceExists is a top-level field of the request body, next to "users"
curl -X POST -H "Authorization: Bearer $access_token" -H 'Accept: application/json' -H 'Content-Type: application/json' \
  -d '{"ifResourceExists":"SKIP","users":[{"username":"jose.perez","email":"jose.perez@gmail.com","firstName":"Jose","lastName":"Perez","emailVerified":true,"enabled":true}]}' \
  http://localhost:8080/auth/admin/realms/my-realm/partialImport
```

Azucena H
  • I don't think this is possible with the recent version of Keycloak. I have tried version 20.0. – Lokesh Jun 05 '23 at 19:09
  • @Lokesh The documentation refers to Keycloak 15 – Azucena H Jun 05 '23 at 23:51
  • 1
    Link in the answer to Keycloak 15 documentation returns 404 (https://www.keycloak.org/documentation-archive.html). Here's a link to Keycloak 18: https://www.keycloak.org/docs-api/18.0/rest-api/ and currently the latest, 21: https://www.keycloak.org/docs-api/21.1.1/rest-api/. Find "Partial import from a JSON file to an existing realm" or just `partialImport`.
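
For a user base the size mentioned in the question, the partialImport call from the answer above can be driven in batches. This is an added example, not code from any of the posters or from the Keycloak project. The function names, the batch size of 500, the case-insensitive duplicate check and the choice to fetch a new token for every batch are assumptions; the URLs and realm name are the ones used in the answer.

```python
import base64
import json
import urllib.parse
import urllib.request

BASE = "http://localhost:8080/auth"  # base URL and realm as used in the answer
REALM = "my-realm"
POLICIES = {"FAIL", "SKIP", "OVERWRITE"}  # accepted ifResourceExists values


def build_batches(users, batch_size=500, policy="SKIP"):
    """Yield one partialImport request body per batch of exported users."""
    if policy not in POLICIES:
        raise ValueError(f"unknown ifResourceExists policy: {policy}")
    seen = set()
    for u in users:
        # Assumption: usernames are compared case-insensitively before sending
        name = (u.get("username") or "").lower()
        if not name or name in seen:
            raise ValueError(f"missing or duplicate username: {u!r}")
        seen.add(name)
    for i in range(0, len(users), batch_size):
        # ifResourceExists sits beside "users", not inside each user object
        yield {"ifResourceExists": policy, "users": users[i:i + batch_size]}


def get_token(client_id, client_secret):
    """client_credentials grant, the same request as the curl command."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(
        f"{BASE}/realms/{REALM}/protocol/openid-connect/token",
        data=urllib.parse.urlencode({"grant_type": "client_credentials"}).encode(),
        headers={"Authorization": f"Basic {basic}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def import_users(users, client_id, client_secret, batch_size=500):
    """POST every batch; a new token per batch avoids expiry during a long run."""
    results = []
    for body in build_batches(users, batch_size):
        req = urllib.request.Request(
            f"{BASE}/admin/realms/{REALM}/partialImport",
            data=json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {get_token(client_id, client_secret)}",
                     "Content-Type": "application/json", "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=300) as resp:
            results.append(json.load(resp))  # server's per-batch import result
    return results
```

Read the client secret from the environment or a secrets store rather than passing it on the command line, where it ends up in shell history and process listings.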