[keycloak-dev] changes to admin ui login/bootstrap

Bill Burke bburke at redhat.com
Wed Oct 16 09:22:10 EDT 2013


There are some changes on how Keycloak Admin UI is bootstrapped:

* There is no longer a registration page for the admin ui.
* There is a built in user
   username: admin
   password: admin
* There is a built in realm "Keycloak Adminstration"
* This realm has a built in application "Admin Console" with one role: 
"admin"
* You can add additional users to the "Keycloak Adminstration" realm. 
They must add an Admin Console "admin" role to be able to log into the 
admin UI.

Eventually, the bootstrap will require a "password update" for this 
built-in "admin" user.  There's a bug in the admin UI login on the 
server side that I haven't figured out yet. I'll ping the list when this 
is ready.

Going forward, the admin REST interfaces/admin UI will *NOT* use the 
token service.  We can't use the token service out of the box for the 
admin UI/REST interfaces because this would require specifying the 
Application password for the "Admin Console" and enabling it through the 
UI.  For usability, IMO, it is best that the user doesn't have to do this.

You will still be able to use the Token Service's OAuth flow to obtain 
an access token.  The admin REST interface should support bearer token 
access, although I haven't written any tests for it yet.

BTW, the "Admin Console" application has a random, large password 
generated for it at bootstrap.  A side effect is that this password is 
never known.  We need to generate a random, unknown password for this to 
avoid a security hole and to keep the nice usability.  Hope I make sense 
here. :)


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
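
The bootstrap behaviour described in the message above, modelled as an added example (not Keycloak code and not from the original post): the "Admin Console" application password comes from the OS CSPRNG and only its salted hash is kept, while the built-in admin/admin user is gated behind the planned "password update" step. The class names, function names, return strings and PBKDF2 work factor are all assumptions made for illustration.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field

ROUNDS = 200_000  # PBKDF2 work factor (assumed value)

@dataclass
class Credential:
    salt: bytes
    digest: bytes

    @classmethod
    def of(cls, secret: str) -> "Credential":
        salt = secrets.token_bytes(16)
        return cls(salt, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ROUNDS))

    def matches(self, candidate: str) -> bool:
        d = hashlib.pbkdf2_hmac("sha256", candidate.encode(), self.salt, ROUNDS)
        return hmac.compare_digest(d, self.digest)  # constant-time comparison

@dataclass
class User:
    credential: Credential
    app_roles: set                      # roles held on the "Admin Console" application
    must_update_password: bool = False

@dataclass
class Realm:
    app_credential: Credential          # "Admin Console" application password, hash only
    users: dict = field(default_factory=dict)

def bootstrap() -> Realm:
    # 32 bytes from the OS CSPRNG; only the salted hash is kept, so the
    # plaintext is never stored, returned or logged and nobody can know it.
    realm = Realm(Credential.of(secrets.token_urlsafe(32)))
    # Built-in admin/admin user, flagged so the default must be replaced.
    realm.users["admin"] = User(Credential.of("admin"), {"admin"}, True)
    return realm

def admin_login(realm: Realm, username: str, password: str) -> str:
    user = realm.users.get(username)
    if user is None or not user.credential.matches(password):
        return "denied"
    if "admin" not in user.app_roles:
        return "denied"                 # realm user without the console "admin" role
    return "update-password" if user.must_update_password else "ok"

def update_password(realm: Realm, username: str, old: str, new: str) -> bool:
    user = realm.users.get(username)
    if user is None or not user.credential.matches(old) or new == old:
        return False                    # reject reuse of the default password
    user.credential, user.must_update_password = Credential.of(new), False
    return True
```
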

