From: "Stan Silvert" <ssilvert(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Friday, 22 May, 2015 3:06:13 PM
Subject: Re: [keycloak-dev] Reset admin password
On 5/22/2015 8:56 AM, Stian Thorgersen wrote:
>
> ----- Original Message -----
>> From: "Stan Silvert" <ssilvert(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Friday, 22 May, 2015 2:46:59 PM
>> Subject: [keycloak-dev] Reset admin password
>>
>> We need a way to reset the admin password in case it is lost or
>> hijacked. The proposal is to do that through an operation on the
>> keycloak-server-subsystem that only runs in "offline CLI" mode.
>>
>> First, we currently allow you to delete the admin user. Should we
>> disallow that and make the master admin user permanent?
> Interesting question - quick answer, not sure!
>
> There are all sorts of things that can be deleted that'll currently screw
> things up royally! For example deleting admin related roles and clients.
> Created
https://issues.jboss.org/browse/KEYCLOAK-1340 for this.
>
> For admin user maybe rather than a reset admin password option, we should
> have a reset admin account option?
Depends on what "reset admin account" actually does. I wouldn't want a
"reset admin account" to change things that the user put there on
purpose. If you can reset the password and get into the account then
you can go into the UI and change anything that doesn't look right.
How about "recover admin account" that:
1. If user 'admin' in realm 'master' doesn't exist create it
2. If user 'admin' doesn't have realm role 'admin' add it
3. Set user 'admin' password to either 'admin' or to specified password
>
>> Should the new operation only work on the master admin password or can
>> it be applied to any user in any realm?
> +1 To just admin
>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>