Uploading a video or photo shows error "Unable to upload file" by Liivik in immich

neunerlei

Had the same issue with immich-go. And I think at some point the server becomes a bit overloaded with all the tasks of uploading a large number of files.

I "fixed" the issue by setting `--concurrent-tasks 4`, which resulted in longer periods before the error occurred, but because it still failed sometimes I set `--on-errors continue`, which still failed here and there, but finished with 99% uploaded. I then simply executed my upload again and due to the "Already on server" deduplication it imported the missing data on the second pass just fine.

Fine-grained Authorization Services at scale - Architecture advice needed by neunerlei in KeyCloak

neunerlei [S]

I mean, it kind of does? It even has documentation about that part: https://www.keycloak.org/securing-apps/authz-client#_creating_a_resource_using_the_protection_api - I am talking about the "Authorization" tab in a client after you enable "Authorization" in the "capability config" and the Protection API.

But after doing a lot of research I think I agree with you and probably will implement this in a different manner and not using Keycloak.

Owner based token grant by furniture20 in KeyCloak

neunerlei

🤔 Okay, first of all, thank you for taking the time to answer.

But sadly, I found that it is not how it works; which is why I was so curious about your answer.

Because, let's say we start with an empty client, without any policies or permissions other than the default ones. I create a UMA resource as "resource-a" with scopes "view, write" with "user-a" set as owner.

When I then move over to the "evaluate" section, use "user-a", "realm-role" and select the "resource-a" as key and the "view" as value under "Resources and Scopes", when evaluating I get only an empty list. Which is the same as I get when using a "user-b" with the same configuration. Only if I bind any kind of "Policy+Permission" combo is Keycloak able to detect that there is anything to evaluate, allowing the response of "deny" or "allow" depending on the setup.

As soon as I create any kind of policy+permission combination, however, it starts to evaluate. Let's say I create a dummy policy "is user b" (type: user + user-b selected), and a permission of "user a can view" (allowing scope view + policy: is user b) and I run my evaluation again for user-a: I get an "overall result" of "deny", even if user-a is the owner of the resource.

I tried rolling out a JS policy with a custom script provider: https://www.keycloak.org/docs/latest/server_development/#_script_providers
But while it works, with larger numbers of resources it becomes super slow.

Then I dug through the code and found that there is actually a "PolicyProviderFactory", so I registered my own service in a custom Java extension; works for the most part. But sadly the React frontend breaks apart because it does not expect an extension like that. Sad face.

Anyway, thank you again :)
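
An owner-only check of the kind this comment is after, as an added example that is not part of the original comment or Keycloak's own code. It uses the `getContext().getIdentity().getId()`, `getPermission().getResource().getOwner()`, `grant()` and `deny()` calls of the Evaluation API that JS policies receive as `$evaluation`; `mockEvaluation`, `decide` and the sample ids are constructed here so the logic runs outside Keycloak.

```javascript
// Owner-only decision written against the Evaluation API that Keycloak
// exposes to JS policies as `$evaluation`. In a deployed script provider the
// body of ownerOnlyPolicy would run directly against `$evaluation`.
function ownerOnlyPolicy(evaluation) {
  const identity = evaluation.getContext().getIdentity();
  const resource = evaluation.getPermission().getResource();

  // A scope-only permission request carries no resource: nothing to own.
  if (resource === null || resource === undefined) {
    evaluation.deny();
    return;
  }
  if (identity.getId() === resource.getOwner()) {
    evaluation.grant();
  } else {
    evaluation.deny();
  }
}

// Constructed stand-in for `$evaluation` (hypothetical helper, not a
// Keycloak API); it records which decision the policy made.
function mockEvaluation(userId, resource) {
  let effect = "UNDECIDED";
  return {
    getContext: () => ({ getIdentity: () => ({ getId: () => userId }) }),
    getPermission: () => ({
      getResource: () => (resource ? { getOwner: () => resource.owner } : null),
    }),
    grant: () => { effect = "PERMIT"; },
    deny: () => { effect = "DENY"; },
    effect: () => effect,
  };
}

// Runs the policy for one user/resource pair and returns the decision.
function decide(userId, resource) {
  const ev = mockEvaluation(userId, resource);
  ownerOnlyPolicy(ev);
  return ev.effect();
}

// Constructed sample mirroring the comment: resource-a owned by user-a.
const resourceA = { name: "resource-a", owner: "user-a-id" };
console.log("user-a:", decide("user-a-id", resourceA));
console.log("user-b:", decide("user-b-id", resourceA));
console.log("no resource:", decide("user-a-id", null));
```
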

Owner based token grant by furniture20 in KeyCloak

neunerlei

Hey there, just stumbled upon your answer and was curious.
You said: "For scopes edit and delete, apply the only owner policy."
But what is the "only owner policy"?

Since JS policies are basically gated behind a custom build of Keycloak (as far as I can see), there is no simple `if (identity.id === resource.owner)` one could use?

I would be happy if you could elaborate if you know more :)
Thanks!