I'm actually starting on the design and implementation of this right now. It's import/export from the admin console. It will also have the ability to import/export partial pieces of a realm such as just users.

Thanks for the comments so far on this thread. They have been very helpful.

We will keep the idea that no secrets should ever be exported from admin console. I'm not sure that having a flag for it in keycloak-server.json helps. To edit keycloak-server.json, you need access to the server, in which case you might as well do the current import/export.

So what do you do after you import a user with no credentials? Some ideas:
* The administrator can reset the password manually.
* The user can do password recovery (if enabled)

An other ideas?

Stan

On 10/5/2015 12:34 PM, Tim Dudgeon wrote:

That's a good point. Having to stop/start the server to generate an export is not ideal.

Tim

On 05/10/2015 11:56, Thomas Raehalme wrote:
On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke <bburke@redhat.com> wrote:

On 10/4/2015 5:37 PM, Thomas Raehalme wrote:

On Oct 4, 2015 23:57, "Bill Burke" <bburke@redhat.com
<mailto:bburke@redhat.com>> wrote:
>
> For security reasons we did not want to have a remote option to export.

How about just storing the export as a local file on the server? You'd need access to the server in order to get the file (making the system compromised anyways). The change to current behaviour is that you would be able to trigger the export at will without server restart.

Best regards,

Thomas
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user