[keycloak-dev] Reset admin password

Stan Silvert ssilvert at redhat.com
Fri May 22 11:39:51 EDT 2015


On 5/22/2015 11:25 AM, Marek Posolda wrote:
> On 22.5.2015 14:56, Stian Thorgersen wrote:
>>
>> ----- Original Message -----
>>> From: "Stan Silvert" <ssilvert at redhat.com>
>>> To: keycloak-dev at lists.jboss.org
>>> Sent: Friday, 22 May, 2015 2:46:59 PM
>>> Subject: [keycloak-dev] Reset admin password
>>>
>>> We need a way to reset the admin password in case it is lost or
>>> hijacked.  The proposal is to do that through an operation on the
>>> keycloak-server-subsystem that only runs in "offline CLI" mode.
>>>
>>> First, we currently allow you to delete the admin user. Should we
>>> disallow that and make the master admin user permanent?
>> Interesting question - quick answer, not sure!
>>
>> There are all sorts of things that can be deleted that'll currently 
>> screw things up royally! For example deleting admin related roles and 
>> clients. Created https://issues.jboss.org/browse/KEYCLOAK-1340 for this.
> A similar issue was pointed out some time ago by Petr Mensik from the QA 
> team: if you change the SSO session max lifespan timeout, for example to 1 
> second, you are immediately logged out from the admin console and you're 
> not able to log in again (more accurately, you are able to log in, but 
> you're logged out immediately due to the session timeout).
>
> There are likely a bunch of similar things and I'm not sure if we can 
> handle all of them. The question is whether these are not just 
> "theoretical" issues. I can't remember any user complaining on the ML 
> that he accidentally broke his Keycloak DB by deleting/configuring 
> something strange in the admin console.
>
> Marek
I think we need to clean these up.  You should never be able to do 
anything from the UI that renders your system inoperable.   It's only a 
matter of time before some big customer has a disaster because we let 
him do something really stupid.
>>
>> For admin user maybe rather than a reset admin password option, we 
>> should have a reset admin account option?
>>
>>> Should the new operation only work on the master admin password or can
>>> it be applied to any user in any realm?
>> +1 to just admin
>>
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>

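As an added illustration of the two ideas in this thread (not Keycloak code, and not anything the project has implemented): a minimal in-memory realm whose mutating operations refuse changes that would leave nobody able to use the admin console, plus an out-of-band `reset_admin_account` step that recreates the master admin with a fresh credential regardless of what state the realm is in. The realm model, the role name `MASTER_ADMIN_ROLE`, the lifespan rule and every function name are this example's own assumptions.

```python
"""Guardrails against self-inflicted admin lockout, plus an offline reset.

Added example, not Keycloak's code. Model, role name and function names
are assumptions made for illustration only.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MASTER_ADMIN_ROLE = "admin"      # assumed name of the role granting admin-console access
MASTER_ADMIN_USERNAME = "admin"  # assumed name of the master admin account


class LockoutError(Exception):
    """Raised when a change would leave no usable administrator."""


@dataclass
class User:
    username: str
    roles: set = field(default_factory=set)
    enabled: bool = True
    salt: bytes = b""
    pw_hash: bytes = b""


@dataclass
class Realm:
    users: dict = field(default_factory=dict)
    roles: set = field(default_factory=lambda: {MASTER_ADMIN_ROLE})
    sso_session_max_lifespan: int = 36000  # seconds (assumed default)
    access_token_lifespan: int = 300       # seconds (assumed default)

    def usable_admins(self):
        """Enabled users holding the admin role, i.e. who can still log in."""
        return [u for u in self.users.values()
                if u.enabled and MASTER_ADMIN_ROLE in u.roles]

    def delete_user(self, username):
        user = self.users[username]
        if MASTER_ADMIN_ROLE in user.roles and len(self.usable_admins()) <= 1:
            raise LockoutError(f"{username} is the last usable administrator")
        del self.users[username]

    def disable_user(self, username):
        user = self.users[username]
        if (user.enabled and MASTER_ADMIN_ROLE in user.roles
                and len(self.usable_admins()) <= 1):
            raise LockoutError(f"{username} is the last usable administrator")
        user.enabled = False

    def delete_role(self, name):
        # Deleting the admin role would strip console access from everyone.
        if name == MASTER_ADMIN_ROLE:
            raise LockoutError("the admin role is permanent")
        self.roles.discard(name)
        for u in self.users.values():
            u.roles.discard(name)

    def set_sso_session_max_lifespan(self, seconds):
        # A session that expires before its first access token is unusable:
        # the admin is logged out the moment they log in.
        if seconds < self.access_token_lifespan:
            raise LockoutError("session lifespan shorter than access token lifespan")
        self.sso_session_max_lifespan = seconds


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(user, password):
    return hmac.compare_digest(user.pw_hash, _hash_password(password, user.salt))


def reset_admin_account(realm, new_password):
    """Offline recovery path: runs outside the UI, so it repairs rather than
    validates. Restores the admin role, (re)creates the master admin with a
    new credential (invalidating a hijacked one), and fixes a lifespan that
    would log the new admin out immediately."""
    realm.roles.add(MASTER_ADMIN_ROLE)
    salt = os.urandom(16)
    realm.users[MASTER_ADMIN_USERNAME] = User(
        MASTER_ADMIN_USERNAME, {MASTER_ADMIN_ROLE}, True, salt,
        _hash_password(new_password, salt))
    if realm.sso_session_max_lifespan < realm.access_token_lifespan:
        realm.sso_session_max_lifespan = 36000
    return realm.users[MASTER_ADMIN_USERNAME]


def new_realm_with_admin(password):
    realm = Realm()
    reset_admin_account(realm, password)
    return realm


def is_rejected(operation, *args):
    """True if the guardrail refused the operation."""
    try:
        operation(*args)
    except LockoutError:
        return True
    return False
```

The guardrails only cover the UI/API path; a direct database edit can still produce a broken state, which is why the reset step repairs unconditionally instead of validating.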