<p dir="ltr"><br>
On Oct 5, 2015 21:24, "Bill Burke" <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>> wrote:<br>
><br>
> I'm still averse to allowing export from admin console of any<br>
> credentials or private keys.</p>
<p dir="ltr">Even if they are not directly downloadable but require access to the server just like now?<br><br></p>
<p dir="ltr">><br>
> On 10/5/2015 2:02 PM, Stan Silvert wrote:<br>
> > I'm actually starting on the design and implementation of this right<br>
> > now. It's import/export from the admin console. It will also have the<br>
> > ability to import/export partial pieces of a realm such as just users.<br>
> ><br>
> > Thanks for the comments so far on this thread. They have been very helpful.<br>
> ><br>
> > We will keep the idea that no secrets should ever be exported from admin<br>
> > console. I'm not sure that having a flag for it in keycloak-server.json<br>
> > helps. To edit keycloak-server.json, you need access to the server, in<br>
> > which case you might as well do the current import/export.<br>
> ><br>
> > So what do you do after you import a user with no credentials? Some ideas:<br>
> > * The administrator can reset the password manually.<br>
> > * The user can do password recovery (if enabled)<br>
> ><br>
> > Any other ideas?<br>
> ><br>
> > Stan<br>
> ><br>
> > On 10/5/2015 12:34 PM, Tim Dudgeon wrote:<br>
> >> That's a good point. Having to stop/start the server to generate an<br>
> >> export is not ideal.<br>
> >><br>
> >> Tim<br>
> >><br>
> >> On 05/10/2015 11:56, Thomas Raehalme wrote:<br>
> >>><br>
> >>><br>
> >>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>> wrote:<br>
> >>><br>
> >>> On 10/4/2015 5:37 PM, Thomas Raehalme wrote:<br>
> >>><br>
> >>><br>
> >>> On Oct 4, 2015 23:57, "Bill Burke" <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>> wrote:<br>
> >>> ><br>
> >>> > For security reasons we did not want to have a remote<br>
> >>> > option to export.<br>
> >>><br>
> >>><br>
> >>> How about just storing the export as a local file on the server?<br>
> >>> You'd need access to the server in order to get the file (making the<br>
> >>> system compromised anyways). The change to current behaviour is that<br>
> >>> you would be able to trigger the export at will without server restart.<br>
> >>><br>
> >>> Best regards,<br>
> >>> Thomas<br>
> >>><br>
> >>><br>
> >>> _______________________________________________<br>
> >>> keycloak-user mailing list<br>
> >>> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> >>> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
> >><br>
> ><br>
> ><br>
><br>
> --<br>
> Bill Burke<br>
> JBoss, a division of Red Hat<br>
> <a href="http://bill.burkecentral.com">http://bill.burkecentral.com</a><br>
</p>