<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:#954F72;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Times New Roman",serif;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
--></style></head><body lang=EN-GB link=blue vlink="#954F72"><div class=WordSection1><p class=MsoNormal>That is great news, when is 1.8 release time?</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Also, is it possible to take an ENV var to enable SSL and take the configuration of cert files via a container volume? Hope those have been in the plan, if not I’m happy to raise the issue in JIRA and see if I can contribute towards it.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Best regards,</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Dong<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Sent from <a href="http://go.microsoft.com/fwlink/?LinkId=550986">Mail</a> for Windows 10</p><p><o:p> </o:p></p><p><o:p> </o:p></p><div style='mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;border:none;padding:0cm'><br><b>From: </b>Stian Thorgersen<br><b>Sent: </b>17 December 2015 16:43<br><b>To: </b>Dong Xie<br><b>Cc: </b>keycloak-user@lists.jboss.org<br><b>Subject: </b>Re: [keycloak-user] out of box experiences and automation</p></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>We will soon remove the built-in admin/admin user account. For the Docker image you will either have to:</span><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>1. 
Pass the admin username and password with environment variables<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>2. Access via localhost (port forwarding) to create an initial user account<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>That'll be added in 1.8.<o:p></o:p></span></p></div></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>On 17 December 2015 at 17:05, Dong Xie &lt;<a href="mailto:xied75@gmail.com" target="_blank">xied75@gmail.com</a>&gt; wrote:<o:p></o:p></span></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><div><div><p class=MsoNormal>Keycloak is deployed as a docker container into the cloud, once the container starts, the keycloak server starts, I can’t stop it being called or call the script before the container starts, unless I bother to make a customised docker image, which is not ideal. Since there is no human action involved, no one will reset the admin password via browser, unless you mean I can call the REST API to fully set up the admin user. Also, when I add a new user, if I add it into the master realm it will be as powerful as admin, at least that’s what I observed? 
Therefore, leaving the admin there is only going to be a security hole, and the best practice is to get rid of it as fast as I can.<o:p></o:p></p><p class=MsoNormal> </p><p class=MsoNormal>Best,</p><p class=MsoNormal> </p><p class=MsoNormal>Dong</p><p class=MsoNormal> </p><p class=MsoNormal>Sent from <a href="http://go.microsoft.com/fwlink/?LinkId=550986" target="_blank">Mail</a> for Windows 10</p><p> </p><p> </p><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><br><b>From: </b>Stian Thorgersen<br><b>Sent: </b>17 December 2015 15:57</p><div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><br><b>To: </b>Dong Xie<br><b>Cc: </b><a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br><b>Subject: </b>Re: [keycloak-user] out of box experiences and automation<o:p></o:p></span></p></div></div></div><div><div><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'> </span></p><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>You don't need to restart the server, you can call the script before starting the server in the first place.</span></p><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'> </span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>Why do you need to remove the admin? 
Do you not need to have at least one admin account on the server?</span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'> </span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>What do you mean about init access token?</span></p></div></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'> </span></p><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>On 17 December 2015 at 16:49, Dong Xie &lt;<a href="mailto:xied75@gmail.com" target="_blank">xied75@gmail.com</a>&gt; wrote:</span></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><div><div><p class=MsoNormal>That’s exactly what I used, so before I can expose the keycloak to the world, I need to get into the node, call the script, restart the server, log in with the new admin, and call the REST API to remove the admin, sounds like a lot of work?</p><p class=MsoNormal> </p><p class=MsoNormal>Can we not config an init access token or something similar to smooth the thing, for our poor DevOps life?</p><p class=MsoNormal> </p><p class=MsoNormal>Any help would be great!</p><p class=MsoNormal> </p><p class=MsoNormal>Best,</p><p class=MsoNormal> </p><p class=MsoNormal>Dong</p><p class=MsoNormal> </p><p class=MsoNormal>Sent from <a href="http://go.microsoft.com/fwlink/?LinkId=550986" target="_blank">Mail</a> for Windows 10</p><p> </p><p> </p><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><br><b>From: </b>Stian Thorgersen<br><b>Sent: </b>17 December 2015 15:41<br><b>To: </b>Dong Xie<br><b>Cc: </b><a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br><b>Subject: </b>Re: [keycloak-user] out of box experiences and automation</p></div><div><div><p 
class=MsoNormal> </p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'> </span></p><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>From 1.7 you can add an admin user using the add-user script. See <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e136" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e136</a></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'> </span></p><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>On 17 December 2015 at 16:38, Dong Xie &lt;<a href="mailto:xied75@gmail.com" target="_blank">xied75@gmail.com</a>&gt; wrote:</span></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><div><div><p class=MsoNormal>Dear all,</p><p class=MsoNormal> </p><p class=MsoNormal>I wonder how do I work around needing to browse the web page and log in with admin + admin to change the password? 
We are deploying keycloak in an automated flow thus no human interaction is expected.</p><p class=MsoNormal> </p><p class=MsoNormal>Thanks very much for your help!</p><p class=MsoNormal> </p><p class=MsoNormal>Best,</p><p class=MsoNormal> </p><p class=MsoNormal>Dong</p><p class=MsoNormal> </p><p class=MsoNormal>Sent from <a href="http://go.microsoft.com/fwlink/?LinkId=550986" target="_blank">Mail</a> for Windows 10</p></div></div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><br>_______________________________________________<br>keycloak-user mailing list<br><a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br><a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></span></p></blockquote></div></div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'> </span></p><p class=MsoNormal> </p><p class=MsoNormal> </p></div></div></div></div></blockquote></div></div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'> </span></p><p class=MsoNormal> </p><p class=MsoNormal> </p></div></div></div></div></blockquote></div></div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>