[keycloak-dev] Reset admin password

Marek Posolda mposolda at redhat.com
Fri May 22 12:22:53 EDT 2015


On 22.5.2015 17:39, Stan Silvert wrote:
> On 5/22/2015 11:25 AM, Marek Posolda wrote:
>> On 22.5.2015 14:56, Stian Thorgersen wrote:
>>>
>>> ----- Original Message -----
>>>> From: "Stan Silvert" <ssilvert at redhat.com>
>>>> To: keycloak-dev at lists.jboss.org
>>>> Sent: Friday, 22 May, 2015 2:46:59 PM
>>>> Subject: [keycloak-dev] Reset admin password
>>>>
>>>> We need a way to reset the admin password in case it is lost or
>>>> hijacked.  The proposal is to do that through an operation on the
>>>> keycloak-server-subsystem that only runs in "offline CLI" mode.
>>>>
>>>> First, we currently allow you to delete the admin user. Should we
>>>> disallow that and make the master admin user permanent?
>>> Interesting question - quick answer, not sure!
>>>
>>> There are all sorts of things that can be deleted that'll currently 
>>> screw things up royally! For example deleting admin related roles 
>>> and clients. Created https://issues.jboss.org/browse/KEYCLOAK-1340 
>>> for this.
>> A similar issue was pointed out some time ago by Petr Mensik from the 
>> QA team: if you change the SSO session max lifespan timeout, for 
>> example to 1 second, you are immediately logged out from the admin 
>> console and you're not able to log in again (more accurately, you are 
>> able to log in, but you're logged out immediately due to the session 
>> timeout).
>>
>> There are likely a bunch of similar things and I'm not sure if we can 
>> handle all of them. The question is whether these are not just 
>> "theoretical" issues. I can't remember any user complaining on the ML 
>> that he accidentally broke his Keycloak DB by deleting/configuring 
>> something strange in the admin console.
>>
>> Marek
> I think we need to clean these up.  You should never be able to do 
> anything from the UI that renders your system inoperable.   It's only 
> a matter of time before some big customer has a disaster because we 
> let him do something really stupid.
Probably yes. However, people can possibly fix it by editing the DB directly 
or recovering their DB (assuming a big customer will do DB backups).

But I agree, we can always be a bit more resistant to those issues. And 
hopefully the CLI could help as well to recover from those. I've created 
https://issues.jboss.org/browse/KEYCLOAK-1341 for the 1-second timeout issue.

Marek
>>>
>>> For admin user maybe rather than a reset admin password option, we 
>>> should have a reset admin account option?
>>>
>>>> Should the new operation only work on the master admin password or can
>>>> it be applied to any user in any realm?
>>> +1 To just admin
>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
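The guardrails discussed in this thread (refusing a session lifespan that logs the admin out immediately, refusing to delete the last user holding the admin role, refusing to delete the admin role itself), as an added example in the form of a small validation class. This is not Keycloak code and not part of the original message; the class and method names, the 60-second lifespan floor, the role name "admin" and the simplified User record are assumptions for illustration, and the real Keycloak model is richer.

```java
import java.util.List;
import java.util.Set;

// Added example, not Keycloak code: a guard that rejects admin-console changes
// which would leave no working administrator. Names and the floor are assumptions.
public final class AdminLockoutGuard {

    // Assumed floor: a 1-second SSO session max lifespan logs the admin out
    // before the console finishes loading, so refuse anything shorter.
    public static final int MIN_SSO_SESSION_MAX_LIFESPAN_SECONDS = 60;

    // Assumed name of the role that grants master-realm administration.
    public static final String ADMIN_ROLE = "admin";

    public static final class LockoutRiskException extends IllegalArgumentException {
        public LockoutRiskException(String message) { super(message); }
    }

    // Simplified user model for the example (Keycloak's UserModel is richer).
    public record User(String id, String username, Set<String> realmRoles) {
        boolean isAdmin() { return realmRoles.contains(ADMIN_ROLE); }
    }

    private AdminLockoutGuard() {}

    // Reject a realm update whose SSO session max lifespan is below the floor.
    public static int checkSsoSessionMaxLifespan(int requestedSeconds) {
        if (requestedSeconds < MIN_SSO_SESSION_MAX_LIFESPAN_SECONDS) {
            throw new LockoutRiskException("ssoSessionMaxLifespan=" + requestedSeconds
                + "s would log administrators out immediately; minimum is "
                + MIN_SSO_SESSION_MAX_LIFESPAN_SECONDS + "s");
        }
        return requestedSeconds;
    }

    // Reject deleting a user when no other user would still hold the admin role.
    public static void checkUserDeletion(User target, List<User> allUsers) {
        if (!target.isAdmin()) {
            return; // deleting a non-admin can never lock the console
        }
        boolean anotherAdminRemains = allUsers.stream()
            .anyMatch(u -> !u.id().equals(target.id()) && u.isAdmin());
        if (!anotherAdminRemains) {
            throw new LockoutRiskException("refusing to delete '" + target.username()
                + "': it is the last user holding the " + ADMIN_ROLE + " role");
        }
    }

    // Reject deleting the admin role itself, whoever holds it.
    public static void checkRoleDeletion(String roleName) {
        if (ADMIN_ROLE.equals(roleName)) {
            throw new LockoutRiskException("refusing to delete role '" + roleName + "'");
        }
    }

    // Constructed sample data: two admins and one ordinary user.
    public static void main(String[] args) {
        User root = new User("u1", "admin", Set.of(ADMIN_ROLE));
        User backup = new User("u2", "backup-admin", Set.of(ADMIN_ROLE));
        User alice = new User("u3", "alice", Set.of("user"));
        List<User> users = List.of(root, backup, alice);

        checkSsoSessionMaxLifespan(36000);   // accepted: 10 hours
        checkUserDeletion(root, users);      // accepted: backup-admin remains
        checkUserDeletion(alice, users);     // accepted: not an admin
        checkRoleDeletion("user");           // accepted: not the admin role
        System.out.println("safe changes accepted");

        List<Runnable> risky = List.of(
            () -> checkSsoSessionMaxLifespan(1),                  // the 1-second timeout from the thread
            () -> checkUserDeletion(root, List.of(root, alice)),  // root would be the last admin
            () -> checkRoleDeletion(ADMIN_ROLE));                 // the admin role itself
        for (Runnable change : risky) {
            try {
                change.run();
                System.out.println("unexpectedly accepted");
            } catch (LockoutRiskException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The checks are deliberately about the realm state after the change, not the request alone: deleting an admin is fine while another admin remains, so the guard compares against the remaining users rather than blanket-refusing every admin deletion. A floor on the session lifespan is the simplest protection against the 1-second case; a stricter variant would also compare it against the access token lifespan.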