On 5/22/2015 11:25 AM, Marek Posolda wrote:
On 22.5.2015 14:56, Stian Thorgersen wrote:
>
> ----- Original Message -----
>> From: "Stan Silvert" <ssilvert(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Friday, 22 May, 2015 2:46:59 PM
>> Subject: [keycloak-dev] Reset admin password
>>
>> We need a way to reset the admin password in case it is lost or
>> hijacked. The proposal is to do that through an operation on the
>> keycloak-server-subsystem that only runs in "offline CLI" mode.
>>
>> First, we currently allow you to delete the admin user. Should we
>> disallow that and make the master admin user permanent?
> Interesting question - quick answer, not sure!
>
> There are all sorts of things that can be deleted that'll currently
> screw things up royally! For example deleting admin related roles and
> clients. Created https://issues.jboss.org/browse/KEYCLOAK-1340 for this.
A similar issue was pointed out some time ago by Petr Mensik from the QA
team: if you change the SSO session max lifespan timeout, for example to
1 second, you are immediately logged out from the admin console and you're
not able to log in again (more accurately, you are able to log in, but
you're logged out immediately due to the session timeout).
There are likely a bunch of similar things and I'm not sure if we can
handle all of them. The question is whether these are not just "theoretic"
issues? I can't remember any user complaining on the ML that he
accidentally broke his Keycloak DB by deleting/configuring something
strange in the admin console.
Marek

I think we need to clean these up. You should never be able to do
anything from the UI that renders your system inoperable. It's only a
matter of time before some big customer has a disaster because we let
him do something really stupid.
>
> For admin user maybe rather than a reset admin password option, we
> should have a reset admin account option?
>
>> Should the new operation only work on the master admin password or can
>> it be applied to any user in any realm?
> +1 To just admin
>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev