[keycloak-dev] changes to admin ui login/bootstrap
Bill Burke
bburke at redhat.com
Wed Oct 16 09:22:10 EDT 2013

There are some changes on how Keycloak Admin UI is bootstrapped:

* There is no longer a registration page for the admin ui.
* There is a built in user
    username: admin
    password: admin
* There is a built in realm "Keycloak Adminstration"
* This realm has a built in application "Admin Console" with one role:
  "admin"
* You can add additional users to the "Keycloak Adminstration" realm.
  They must add an Admin Console "admin" role to be able to log into the
  admin UI.

Eventually, the bootstrap will require a "password update" for this
built-in "admin" user. There's a bug in the admin UI login on the
server side that I haven't figured out yet. I'll ping the list when this
is ready.

Going forward, the admin REST interfaces/admin UI will *NOT* use the
token service. We can't use the token service out of the box for the
admin UI/REST interfaces because this would require specifying the
Application password for the "Admin Console" and enabling it through the
UI. For usability, IMO, it is best that the user doesn't have to do this.

You will still be able to use the Token Service's OAuth flow to obtain
an access token. The admin REST interface should support bearer token
access, although I haven't written any tests for it yet.

BTW, the "Admin Console" application has a random, large, password
generated for it at bootstrap. A side effect is that this password is
never known. We need to generate a random, unknown password for this to
avoid a security hole and to keep the nice usability. Hope I make sense
here. :)

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
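
An added sketch of the bootstrap described in the message above, not code from the post or from Keycloak: an in-memory model where the built-in admin must update the default password, admin UI login requires the Admin Console "admin" role, and the application password is random and kept only as a hash. The data layout, function names, the UPDATE_PASSWORD flag and the PBKDF2 parameters are all assumptions.

```python
import hashlib
import hmac
import secrets

ADMIN_REALM = "Keycloak Adminstration"  # realm name exactly as written in the post
ADMIN_APP = "Admin Console"
UPDATE_PASSWORD = "UPDATE_PASSWORD"     # hypothetical required-action flag

def _credential(secret):
    """Store a salted PBKDF2 hash, never the clear text."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)}

def _matches(cred, secret):
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), cred["salt"], 100_000)
    return hmac.compare_digest(cred["hash"], candidate)

def bootstrap():
    """Create the admin realm: no registration, one app, one built-in user."""
    return {
        "name": ADMIN_REALM,
        "registration_allowed": False,
        # Random, large application password; the clear text is discarded here.
        "apps": {ADMIN_APP: {"cred": _credential(secrets.token_urlsafe(48)), "roles": {"admin"}}},
        "users": {"admin": {"cred": _credential("admin"), "roles": {(ADMIN_APP, "admin")},
                            "required_actions": {UPDATE_PASSWORD}}},
    }

def add_user(realm, username, password, admin_role=False):
    """Add a user; only those given the app's "admin" role can use the admin UI."""
    roles = {(ADMIN_APP, "admin")} if admin_role else set()
    realm["users"][username] = {"cred": _credential(password), "roles": roles,
                                "required_actions": set()}

def login(realm, username, password):
    """Return 'denied', 'update_password' or 'ok' for an admin UI login."""
    user = realm["users"].get(username)
    if user is None or not _matches(user["cred"], password):
        return "denied"
    if (ADMIN_APP, "admin") not in user["roles"]:
        return "denied"
    return "update_password" if UPDATE_PASSWORD in user["required_actions"] else "ok"

def update_password(realm, username, old, new):
    """Replace the password and clear the forced-update flag."""
    user = realm["users"].get(username)
    if user is None or new == old or not _matches(user["cred"], old):
        return False
    user["cred"] = _credential(new)
    user["required_actions"].discard(UPDATE_PASSWORD)
    return True
```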