[keycloak-user] export of realm json

Bill Burke bburke at redhat.com
Mon Oct 5 14:24:37 EDT 2015


I'm still averse to allowing export from admin console of any 
credentials or private keys.

On 10/5/2015 2:02 PM, Stan Silvert wrote:
> I'm actually starting on the design and implementation of this right
> now.  It's import/export from the admin console.  It will also have the
> ability to import/export partial pieces of a realm such as just users.
>
> Thanks for the comments so far on this thread.  They have been very helpful.
>
> We will keep the idea that no secrets should ever be exported from admin
> console.  I'm not sure that having a flag for it in keycloak-server.json
> helps.  To edit keycloak-server.json, you need access to the server, in
> which case you might as well do the current import/export.
>
> So what do you do after you import a user with no credentials? Some ideas:
> * The administrator can reset the password manually.
> * The user can do password recovery (if enabled)
>
> Any other ideas?
>
> Stan
>
> On 10/5/2015 12:34 PM, Tim Dudgeon wrote:
>> That's a good point. Having to stop/start the server to generate an
>> export is not ideal.
>>
>> Tim
>>
>> On 05/10/2015 11:56, Thomas Raehalme wrote:
>>>
>>>
>>> On Mon, Oct 5, 2015 at 2:47 AM, Bill Burke <bburke at redhat.com> wrote:
>>>
>>>     On 10/4/2015 5:37 PM, Thomas Raehalme wrote:
>>>
>>>
>>>         On Oct 4, 2015 23:57, "Bill Burke" <bburke at redhat.com> wrote:
>>>          >
>>>          > For security reasons we did not want to have a remote option to export.
>>>
>>>
>>> How about just storing the export as a local file on the server?
>>> You'd need access to the server in order to get the file (making the
>>> system compromised anyways). The change to current behaviour is that
>>> you would be able to trigger the export at will without server restart.
>>>
>>> Best regards,
>>> Thomas
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
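
The policy discussed in this thread (no credentials or private keys in an admin-console export, with users then needing a reset or password recovery after import), as an added example that is not part of the original messages and not Keycloak's own code. The key names in `SECRET_KEYS`, the function names and the sample realm are assumptions constructed for illustration.

```python
import json

# Assumed names of secret-bearing keys in a realm JSON export (not from the thread).
SECRET_KEYS = {"privateKey", "codeSecret", "secret", "clientSecret", "credentials"}

# Constructed sample realm; every value is a placeholder.
SAMPLE_REALM = {
    "realm": "demo",
    "privateKey": "CONSTRUCTED-PLACEHOLDER",
    "publicKey": "CONSTRUCTED-PUBLIC-PLACEHOLDER",
    "users": [
        {"username": "alice",
         "credentials": [{"type": "password", "value": "CONSTRUCTED"}]},
        {"username": "bob"},
    ],
    "clients": [{"clientId": "app", "secret": "CONSTRUCTED-PLACEHOLDER"}],
}


def strip_secrets(realm):
    """Return (copy without secret-bearing keys, JSON paths that were dropped)."""
    removed = []

    def walk(value, where):
        if isinstance(value, dict):
            kept = {}
            for key, child in value.items():
                child_path = f"{where}.{key}"
                if key in SECRET_KEYS:
                    removed.append(child_path)  # drop the key and its whole subtree
                else:
                    kept[key] = walk(child, child_path)
            return kept
        if isinstance(value, list):
            return [walk(item, f"{where}[{i}]") for i, item in enumerate(value)]
        return value

    return walk(realm, "$"), removed


def users_without_credentials(realm):
    """Usernames that will need an admin reset or password recovery after import."""
    return [u.get("username") for u in realm.get("users", []) if not u.get("credentials")]


if __name__ == "__main__":
    exported, dropped = strip_secrets(SAMPLE_REALM)
    print(json.dumps(exported, indent=2))
    print("dropped:", dropped)
    print("need reset after import:", users_without_credentials(exported))
```

The list of dropped paths doubles as an audit record of what the export withheld, and the second function gives the administrator the set of accounts to follow up on after import.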
