[keycloak-user] export of realm json
Thomas Raehalme
thomas.raehalme at codecenter.fi
Mon Oct 5 14:09:33 EDT 2015
On Oct 5, 2015 21:03, "Stan Silvert" <ssilvert at redhat.com> wrote:
>
> I'm actually starting on the design and implementation of this right
> now. It's import/export from the admin console. It will also have the
> ability to import/export partial pieces of a realm such as just users.
>
> Thanks for the comments so far on this thread. They have been very
> helpful.
>
> We will keep the idea that no secrets should ever be exported from admin
> console. I'm not sure that having a flag for it in keycloak-server.json
> helps. To edit keycloak-server.json, you need access to the server, in
> which case you might as well do the current import/export.
>
> So what do you do after you import a user with no credentials? Some
> ideas:
> * The administrator can reset the password manually.
> * The user can do password recovery (if enabled)
>
> Any other ideas?
It'd be helpful if one could use exported realms as a template allowing you
to overwrite some properties such as the realm name when importing. I know
you can do it manually by editing the file which is why I haven't suggested
it earlier. Also allowing you to control with toggles whether to keep or
regenerate keys and secrets would be useful.
Best regards,
Thomas
>
> Stan
>
>
> On 10/5/2015 12:34 PM, Tim Dudgeon wrote:
>>
>> That's a good point. Having to stop/start the server to generate an
>> export is not ideal.
>>
>> Tim
>>
>> On 05/10/2015 11:56, Thomas Raehalme wrote:
>>>
>>>
>>>
>>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke <bburke at redhat.com> wrote:
>>>>
>>>> On 10/4/2015 5:37 PM, Thomas Raehalme wrote:
>>>>>
>>>>>
>>>>> On Oct 4, 2015 23:57, "Bill Burke" <bburke at redhat.com
>>>>> <mailto:bburke at redhat.com>> wrote:
>>>>> >
>>>>> > For security reasons we did not want to have a remote option to
>>>>> > export.
>>>>>
>>>
>>> How about just storing the export as a local file on the server? You'd
>>> need access to the server in order to get the file (making the system
>>> compromised anyways). The change to current behaviour is that you would be
>>> able to trigger the export at will without server restart.
>>>
>>> Best regards,
>>> Thomas
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
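Added example, not part of the thread and not Keycloak code: a sketch of the template idea discussed above, which renames a realm export, applies keep/regenerate toggles to realm keys and client secrets, always strips user credentials, and lists the users who then need a manual reset or password recovery. The function name, the toggles and the JSON field names are assumptions based on Keycloak's realm JSON layout; the sample export is constructed.

```python
import copy
import secrets

# Field names are assumed from Keycloak's realm JSON layout; the thread does
# not show an export file, so check them against your own export.
REALM_KEY_FIELDS = ("privateKey", "publicKey", "certificate", "codeSecret")


def template_realm(export, new_name=None, keep_keys=False,
                   keep_client_secrets=False):
    """Copy a realm export for reuse as an import template.

    Returns (realm, usernames) where usernames lists the users whose
    credentials were stripped and who need a reset or password recovery.
    """
    realm = copy.deepcopy(export)  # never mutate the caller's export
    if new_name:
        realm["realm"] = new_name
        realm.pop("id", None)  # assumption: the server assigns a new id on import
    if not keep_keys:
        # Assumption: with no key material present the importing server
        # generates fresh realm keys.
        for field in REALM_KEY_FIELDS:
            realm.pop(field, None)
    if not keep_client_secrets:
        for client in realm.get("clients", []):
            if client.get("secret"):  # public clients carry no secret
                client["secret"] = secrets.token_urlsafe(32)
    needs_reset = []
    for user in realm.get("users", []):
        # User credentials are always removed, matching the "no secrets
        # exported" rule discussed in the thread.
        if user.pop("credentials", None):
            needs_reset.append(user.get("username"))
    return realm, needs_reset


# Constructed sample export (not real data).
SAMPLE_EXPORT = {
    "id": "demo", "realm": "demo",
    "privateKey": "CONSTRUCTED-PRIVATE-KEY", "publicKey": "CONSTRUCTED-PUBLIC-KEY",
    "clients": [{"clientId": "app", "secret": "old-secret"},
                {"clientId": "spa", "publicClient": True}],
    "users": [{"username": "alice",
               "credentials": [{"type": "password", "hashedSaltedValue": "x"}]},
              {"username": "bob"}],
}

if __name__ == "__main__":
    realm, reset = template_realm(SAMPLE_EXPORT, new_name="staging")
    print(realm["realm"], "users needing a password reset:", reset)
```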