[keycloak-dev] Reset admin password

Stan Silvert ssilvert at redhat.com
Fri May 22 11:20:22 EDT 2015


On 5/22/2015 9:56 AM, Stian Thorgersen wrote:
>
> ----- Original Message -----
>> From: "Stan Silvert" <ssilvert at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Friday, 22 May, 2015 3:06:13 PM
>> Subject: Re: [keycloak-dev] Reset admin password
>>
>> On 5/22/2015 8:56 AM, Stian Thorgersen wrote:
>>> ----- Original Message -----
>>>> From: "Stan Silvert" <ssilvert at redhat.com>
>>>> To: keycloak-dev at lists.jboss.org
>>>> Sent: Friday, 22 May, 2015 2:46:59 PM
>>>> Subject: [keycloak-dev] Reset admin password
>>>>
>>>> We need a way to reset the admin password in case it is lost or
>>>> hijacked.  The proposal is to do that through an operation on the
>>>> keycloak-server-subsystem that only runs in "offline CLI" mode.
>>>>
>>>> First, we currently allow you to delete the admin user.  Should we
>>>> disallow that and make the master admin user permanent?
>>> Interesting question - quick answer, not sure!
>>>
>>> There are all sorts of things that can be deleted that'll currently screw
>>> things up royally! For example deleting admin related roles and clients.
>>> Created https://issues.jboss.org/browse/KEYCLOAK-1340 for this.
>>>
>>> For admin user maybe rather than a reset admin password option, we should
>>> have a reset admin account option?
>> Depends on what "reset admin account" actually does.  I wouldn't want a
>> "reset admin account" to change things that the user put there on
>> purpose.  If you can reset the password and get into the account then
>> you can go into the UI and change anything that doesn't look right.
> How about "recover admin account" that:
>
> 1. If user 'admin' in realm 'master' doesn't exist create it
> 2. If user 'admin' doesn't have realm role 'admin' add it
> 3. Set user 'admin' password to either 'admin' or to specified password
Sounds good.  Let's do that.
>
>>>> Should the new operation only work on the master admin password or can
>>>> it be applied to any user in any realm?
>>> +1 To just admin
>>>
>>
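
The "recover admin account" steps agreed in this thread, modelled as an added example (not Keycloak code and not written by either poster). An in-memory dict stands in for the user store; the function names, the `server_running` flag and the PBKDF2 credential record are assumptions.

```python
import hashlib
import hmac
import os

MASTER_REALM = "master"  # realm, user and role names are the ones in the thread
ADMIN_USER = "admin"
ADMIN_ROLE = "admin"


def hash_password(password, salt=None, iterations=100_000):
    """Salted PBKDF2 record so the store never holds plaintext (assumed scheme)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(record, password):
    """Constant-time check of a password against a stored record."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def recover_admin_account(store, server_running, password="admin"):
    """Apply the three recovery steps and return the list of changes made.

    store (hypothetical layout): {realm: {username: {"roles": set, "credential": dict}}}
    """
    # The original proposal restricts the operation to "offline CLI" mode.
    if server_running:
        raise RuntimeError("recover-admin-account only runs offline")
    changes = []
    users = store.setdefault(MASTER_REALM, {})
    # Step 1: create user 'admin' in realm 'master' if it does not exist.
    if ADMIN_USER not in users:
        users[ADMIN_USER] = {"roles": set(), "credential": None}
        changes.append("created-user")
    admin = users[ADMIN_USER]
    # Step 2: add realm role 'admin' if missing; other roles stay untouched.
    if ADMIN_ROLE not in admin["roles"]:
        admin["roles"].add(ADMIN_ROLE)
        changes.append("added-role")
    # Step 3: set the password to 'admin' or to the specified password.
    admin["credential"] = hash_password(password)
    changes.append("set-password")
    return changes
```

The returned change list shows which steps actually modified the store, so a second run on an intact account reports only the password change.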


