<div dir="ltr">We will soon remove the built-in admin/admin user account. For the Docker image you will either have to:<div><br></div><div>1. Pass the admin username and password with environment variables</div><div>2. Access via localhost (port forwarding) to create an initial user account</div><div><br></div><div>That'll be added in 1.8.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 17 December 2015 at 17:05, Dong Xie <span dir="ltr"><<a href="mailto:xied75@gmail.com" target="_blank">xied75@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-GB" link="blue" vlink="#954F72"><div><p class="MsoNormal">Keycloak is deployed as docker container into cloud, once the container starts, the keycloak server starts, I can’t stop it being called or call the script before the container starts, unless I bother to make a customised docker image, which is not ideal. Since there is no human action involved, no one will reset the admin password via browser, unless you mean I can call REST API to fully setup admin user. Also when I add new user if I add it into master realm it will be as powerful as admin, at least that’s what I observed? 
Therefore leaving the admin there is only going to be a security hole, and the best practice is to get rid of it as fast as I can.</p><span class=""><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Best,</p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Dong<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p><u></u> <u></u></p><p><u></u> <u></u></p></span><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm"><p class="MsoNormal" style="border:none;padding:0cm"><br><b>From: </b>Stian Thorgersen<br><b>Sent: </b>17 December 2015 15:57</p><div><div class="h5"><br><b>To: </b>Dong Xie<br><b>Cc: </b><a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br><b>Subject: </b>Re: [keycloak-user] out of box experiences and automation</div></div><p></p></div><div><div class="h5"><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><u></u> <u></u></span></p><div><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">You don't need to restart the server, you can call the script before starting the server in the first place.</span><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><u></u><u></u></span></p><div><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><u></u> <u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">Why do you need to remove the admin? 
Do you not need to have at least one admin account on the server?<u></u><u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><u></u> <u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">What do you mean about init access token?<u></u><u></u></span></p></div></div><div><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><u></u> <u></u></span></p><div><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">On 17 December 2015 at 16:49, Dong Xie <<a href="mailto:xied75@gmail.com" target="_blank">xied75@gmail.com</a>> wrote:<u></u><u></u></span></p><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm"><div><div><p class="MsoNormal">That’s exactly what I used, so before I can expose the keycloak to the world, I need to get into the node, call the script, restart server, login with the new admin, calling REST API to remove the admin, sounds like a lot of work?<u></u><u></u></p><p class="MsoNormal"> </p><p class="MsoNormal">Can we not config an init access token or something similar to smooth the thing, for our poor DevOps life?</p><p class="MsoNormal"> </p><p class="MsoNormal">Any help would be great!</p><p class="MsoNormal"> </p><p class="MsoNormal">Best,</p><p class="MsoNormal"> </p><p class="MsoNormal">Dong</p><p class="MsoNormal"> </p><p> </p><p> </p><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm"><p class="MsoNormal"><br><b>From: </b>Stian Thorgersen<br><b>Sent: </b>17 December 2015 15:41<br><b>To: </b>Dong Xie<br><b>Cc: </b><a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br><b>Subject: </b>Re: 
[keycloak-user] out of box experiences and automation</p></div><div><div><p class="MsoNormal"> </p><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"> </span></p><div><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">From 1.7 you can add an admin user using the add-user script. See <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e136" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e136</a></span></p></div><div><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"> </span></p><div><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">On 17 December 2015 at 16:38, Dong Xie <<a href="mailto:xied75@gmail.com" target="_blank">xied75@gmail.com</a>> wrote:</span></p><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt"><div><div><p class="MsoNormal">Dear all,</p><p class="MsoNormal"> </p><p class="MsoNormal">I wonder how do I work around needing to browse the web page and login with admin + admin to change the password? 
We are deploying keycloak in an automated flow thus no human interaction is expected.</p><p class="MsoNormal"> </p><p class="MsoNormal">Thanks very much for your help!</p><p class="MsoNormal"> </p><p class="MsoNormal">Best,</p><p class="MsoNormal"> </p><p class="MsoNormal">Dong</p><p class="MsoNormal"> </p></div></div><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><br>_______________________________________________<br>keycloak-user mailing list<br><a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br><a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></span></p></blockquote></div></div><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"> </span></p><p class="MsoNormal"> </p><p class="MsoNormal"> </p></div></div></div></div></blockquote></div></div><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><u></u> <u></u></span></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><u></u> <u></u></p></div></div></div></div><br>
</blockquote></div><br></div>