----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Friday, 22 May, 2015 9:17:42 PM
Subject: Re: [keycloak-dev] Reset admin password
On 5/22/2015 12:22 PM, Marek Posolda wrote:
> On 22.5.2015 17:39, Stan Silvert wrote:
>> On 5/22/2015 11:25 AM, Marek Posolda wrote:
>>> On 22.5.2015 14:56, Stian Thorgersen wrote:
>>>>
>>>> ----- Original Message -----
>>>>> From: "Stan Silvert" <ssilvert(a)redhat.com>
>>>>> To: keycloak-dev(a)lists.jboss.org
>>>>> Sent: Friday, 22 May, 2015 2:46:59 PM
>>>>> Subject: [keycloak-dev] Reset admin password
>>>>>
>>>>> We need a way to reset the admin password in case it is lost or
>>>>> hijacked. The proposal is to do that through an operation on the
>>>>> keycloak-server-subsystem that only runs in "offline CLI"
mode.
>>>>>
>>>>> First, we currently allow you to delete the admin user. Should we
>>>>> disallow that and make the master admin user permanent?
>>>> Interesting question - quick answer, not sure!
>>>>
>>>> There are all sorts of things that can be deleted that'll currently
>>>> screw things up royally! For example deleting admin related roles
>>>> and clients. Created
https://issues.jboss.org/browse/KEYCLOAK-1340
>>>> for this.
>>> Similar issue pointed some time ago by Petr Mensik from QA team: if
>>> you change SSO session max lifespan timeout for example to 1 second,
>>> you are immediately logged out from admin console and you're not able
>>> to login again (More accurately you are able to login, but you're
>>> logged out immediately due to session timeout).
>>>
>>> There are likely bunch of similar things and not sure if we can
>>> handle all of them. Question is if these are not just "theoretic"
>>> issues? I can't remember any user complain on ML that he accidentally
>>> broke his keycloak DB by delete/configure something strange in admin
>>> console.
>>>
>>> Marek
>> I think we need to clean these up. You should never be able to do
>> anything from the UI that renders your system inoperable. It's only
>> a matter of time before some big customer has a disaster because we
>> let him do something really stupid.
> Probably yes. However people can possibly fix it by edit DB directly or
> recover their DB (assuming big customer will do DB backup).
>
> But I agree, we can always be a bit resistent against those issues. And
> hopefully CLI could help as well to recover from those. I've created
>
https://issues.jboss.org/browse/KEYCLOAK-1341 for 1-second timeout issue.
>
There's actually better ways to accomplish this:
a) credential reset via email
b) credential reset via SMS
c) credential reset via "what is your mother's maiden name"
d) one or more of the above.
We already have a and b, but those require email and sms to be configured. By the way have
you seen
http://googleonlinesecurity.blogspot.no/2015/05/new-research-some-tough-q...
- apparently security questions are rubbish ;)
As Marek said, worst case workaround is to write the database record
directly. This whole talk of adding a reset password to CLI makes me
very nervous as then our security is only as good as Wildfly's CLI security.
It's a pretty tough job to reset a password by writing directly to the db, especially
as the password needs to be hashed.
IMO we just need to make sure the user is local to the box for these operations. Only
accessible in offline + locale use of cli.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev