[keycloak-user] Admin's password override

Stian Thorgersen stian at redhat.com
Wed Mar 18 00:07:49 EDT 2015



----- Original Message -----
> From: "Juraci Paixão Kröhling" <juraci at kroehling.de>
> To: keycloak-user at lists.jboss.org
> Sent: Tuesday, March 17, 2015 5:51:30 PM
> Subject: [keycloak-user] Admin's password override
> 
> All,
> 
> While it makes sense to ship with a default password for the admin
> user on Keycloak distributions, as it's reasonable to think that the
> admin is going to explore Keycloak right away, this expectation is not
> true for the situation where Keycloak is embedded into another
> product. I can imagine that the first time an "admin" will need to log
> into Keycloak's admin console when embedded into another product would
> be days/weeks after the initial setup.
> 
> That said, I'm collecting ideas on how to solve this issue for
> Hawkular. The first and most intuitive solution I can think of is to
> import a users JSON file on the first boot, which would (in theory, I
> haven't tested) override the password for admin. This password would
> need to be stored in clear text somewhere in the system, but I believe
> the pros/cons are worth it in this scenario (as this password will be
> valid only until the first login, so, days/weeks "only").
> 
> Do you have better ideas? Or feedback on whether the mentioned
> approach would/wouldn't work? Or strong arguments against doing that?

Sounds a bit hackish to me ;)

Why not just use the same user for the Hawkular admin console? That way they'll change the password when they log in to Hawkular for the first time.

An alternative is that we need to support a way to recover the admin password if it's lost. It would be a script or something that can only be used locally. With that you could just set the Keycloak admin password to something random.

> 
> - Juca.