[keycloak-dev] Reset admin password
Stan Silvert
ssilvert at redhat.com
Fri May 22 18:20:34 EDT 2015
On 5/22/2015 3:17 PM, Bill Burke wrote:
>
> On 5/22/2015 12:22 PM, Marek Posolda wrote:
>> On 22.5.2015 17:39, Stan Silvert wrote:
>>> On 5/22/2015 11:25 AM, Marek Posolda wrote:
>>>> On 22.5.2015 14:56, Stian Thorgersen wrote:
>>>>> ----- Original Message -----
>>>>>> From: "Stan Silvert" <ssilvert at redhat.com>
>>>>>> To: keycloak-dev at lists.jboss.org
>>>>>> Sent: Friday, 22 May, 2015 2:46:59 PM
>>>>>> Subject: [keycloak-dev] Reset admin password
>>>>>>
>>>>>> We need a way to reset the admin password in case it is lost or
>>>>>> hijacked. The proposal is to do that through an operation on the
>>>>>> keycloak-server-subsystem that only runs in "offline CLI" mode.
>>>>>>
>>>>>> First, we currently allow you to delete the admin user. Should we
>>>>>> disallow that and make the master admin user permanent?
>>>>> Interesting question - quick answer, not sure!
>>>>>
>>>>> There are all sorts of things that can be deleted that'll currently
>>>>> screw things up royally! For example deleting admin related roles
>>>>> and clients. Created https://issues.jboss.org/browse/KEYCLOAK-1340
>>>>> for this.
>>>> Similar issue pointed some time ago by Petr Mensik from QA team: if
>>>> you change SSO session max lifespan timeout for example to 1 second,
>>>> you are immediately logged out from admin console and you're not able
>>>> to login again (More accurately you are able to login, but you're
>>>> logged out immediately due to session timeout).
>>>>
>>>> There are likely bunch of similar things and not sure if we can
>>>> handle all of them. Question is if these are not just "theoretic"
>>>> issues? I can't remember any user complain on ML that he accidentally
>>>> broke his keycloak DB by delete/configure something strange in admin
>>>> console.
>>>>
>>>> Marek
>>> I think we need to clean these up. You should never be able to do
>>> anything from the UI that renders your system inoperable. It's only
>>> a matter of time before some big customer has a disaster because we
>>> let him do something really stupid.
>> Probably yes. However people can possibly fix it by edit DB directly or
>> recover their DB (assuming big customer will do DB backup).
>>
>> But I agree, we can always be a bit resistent against those issues. And
>> hopefully CLI could help as well to recover from those. I've created
>> https://issues.jboss.org/browse/KEYCLOAK-1341 for 1-second timeout issue.
>>
> There's actually better ways to accomplish this:
> a) credential reset via email
> b) credential reset via SMS
> c) credential reset via "what is your mother's maiden name"
> d) one or more of the above.
>
> As Marek said, worst case workaround is to write the database record
> directly. This whole talk of adding a reset password to CLI makes me
> very nervous as then our security is only as good as Wildfly's CLI security.
>
This operation only works in CLI offline mode. You need access to the
file system. So you are relying on the security of the box itself.
I'll leave it to others to decide if password recovery is sufficient.
More information about the keycloak-dev
mailing list