[SOLVED]: How to Reset Keycloak Admin Password

Keycloak, an open-source identity and access management solution, provides a comprehensive set of features for securing applications and services. However, situations may arise where you need to reset the admin password because the credentials were forgotten or for security reasons. In this article, we discuss how to reset the Keycloak admin password, ensuring secure access to your identity management system. Keep in mind that this procedure may vary based on the type of installation you have. Two types of deployment are covered here; if one does not work for you, please read through the other.

Reset Admin Password for Keycloak with External DB

Nowadays, Keycloak is often brought up with an external database which stores the Keycloak configuration and the user details. This is done to ensure geo-redundancy for the data stored in Keycloak. The procedure below can be used for such a deployment.

Step 1: Identifying the Database

Identify the database used by Keycloak. In my case I'm running a MariaDB instance with a database named keycloakdb. These details can be obtained from the Keycloak installation files or configuration.

Step 2: Login to the Database

The command below can be used to log in to the database; the username and password can be obtained from the Keycloak installation files or configuration.

mysql -u keycloak -p<password> -D keycloakdb

Note: For the scope of this article I'm considering my DB user as keycloak. If you have enabled SSL for your DB, make sure you also pass the CA cert to the mysql client command.

Step 3: Find Keycloak User ID for Admin User

The snippet below shows the SQL command to be executed to obtain the user ID of the admin user in the master realm.

MariaDB [keycloakdb]> select ID, USERNAME
    -> from USER_ENTITY
    -> where
    -> USERNAME='admin' and
    -> REALM_ID=(select ID from REALM where name='master');
+--------------------------------------+----------+
| ID                                   | USERNAME |
+--------------------------------------+----------+
| fec77989-5dc9-477f-b2da-9e2255f49f32 | admin    |
+--------------------------------------+----------+
1 row in set (0.002 sec)

Step 4: Check if admin user credentials are present (Optional)

Pass the ID obtained from the previous step to the command below to check whether the admin user has a password assigned.

MariaDB [keycloakdb]> select * from CREDENTIAL
    -> where USER_ID = 'f73bb649-8f91-4c49-ae41-fdda5f00df44' ;

  • You will see a record with the value password in the TYPE field in the above output
  • You will see the fields SECRET_DATA and CREDENTIAL_DATA, which contain the (old) hashed password and the hashing algorithm details

Step 5: Reset the credentials

Generate a hashed password. The pbkdf2-sha256 algorithm with a salt is preferred in the scope of this article, with 27500 iterations. The script below can be used to generate the hashed credential.

import hashlib
import binascii

# Update the below accordingly. The salt is given base64-encoded, which is
# how Keycloak stores it in the "salt" field of SECRET_DATA.
password = "Admin@1234"
provided_salt = "mysaltisthis"

# Convert the salt from base64 to the raw bytes fed into PBKDF2
salt = binascii.a2b_base64(provided_salt)

# Number of iterations for PBKDF2 (must match hashIterations in CREDENTIAL_DATA)
hash_iterations = 27500

# Hash the password using PBKDF2-SHA256 (32-byte, i.e. 256-bit, derived key)
hashed_password = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, hash_iterations)

# Convert the hash to a base64-encoded string; this is the "value" field of SECRET_DATA
hashed_password_base64 = binascii.b2a_base64(hashed_password).decode('utf-8').strip()

print("Hashed password:", hashed_password_base64)

Update the salt, hashed password, and user ID in the SQL command below and execute it using the mysql client.

update CREDENTIAL SET
SECRET_DATA='{"value":"5mHhBK7xttcOd7Vu5quSk5Ytj/k6EL0iADPBNzS0H7g=","salt":"mysaltisthis","additionalParameters":{}}',
CREDENTIAL_DATA='{"hashIterations":27500,"algorithm":"pbkdf2-sha256","additionalParameters":{}}'
WHERE USER_ID = 'fec77989-5dc9-477f-b2da-9e2255f49f32' ;

commit;
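Before the UPDATE is run, it is worth confirming that the JSON you are about to store actually verifies against the password you intend to use, because a mistyped salt or iteration count locks the admin account out until the next reset. The script below is an added example and not part of the original article; it assumes the SECRET_DATA/CREDENTIAL_DATA layout shown above and that Keycloak's pbkdf2-sha256 provider derives a 256-bit key. It builds both JSON values from a password and a base64 salt, verifies a password against them the way a consumer of those columns would, and renders the UPDATE statement. The generated statement additionally restricts the row to TYPE = 'password' (the TYPE field seen in Step 4) so that other credential types on the same user are left untouched.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple

# Parameters from Step 5 of the article; assumed to match what Keycloak's
# pbkdf2-sha256 hash provider expects to find in CREDENTIAL_DATA.
ALGORITHM = "pbkdf2-sha256"
HASH_ITERATIONS = 27500
DERIVED_KEY_BYTES = 32  # SHA-256 output size, 256 bits


def make_credential(password: str, salt_b64: Optional[str] = None,
                    iterations: int = HASH_ITERATIONS) -> Tuple[str, str]:
    """Return (SECRET_DATA, CREDENTIAL_DATA) JSON strings for a new password.

    The salt is supplied base64-encoded, the same form it has in SECRET_DATA.
    When none is supplied a random 16-byte salt is generated.
    """
    salt = os.urandom(16) if salt_b64 is None else base64.b64decode(salt_b64)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=DERIVED_KEY_BYTES)
    secret_data = json.dumps(
        {"value": base64.b64encode(digest).decode("ascii"),
         "salt": base64.b64encode(salt).decode("ascii"),
         "additionalParameters": {}},
        separators=(",", ":"))
    credential_data = json.dumps(
        {"hashIterations": iterations,
         "algorithm": ALGORITHM,
         "additionalParameters": {}},
        separators=(",", ":"))
    return secret_data, credential_data


def verify_credential(password: str, secret_data: str, credential_data: str) -> bool:
    """Recompute the hash from stored SECRET_DATA/CREDENTIAL_DATA and compare.

    Run this on the JSON you are about to write: if it does not verify against
    the intended password, the UPDATE would lock the admin account out.
    """
    secret = json.loads(secret_data)
    cred = json.loads(credential_data)
    if cred.get("algorithm") != ALGORITHM:
        raise ValueError("unsupported algorithm: %r" % cred.get("algorithm"))
    salt = base64.b64decode(secret["salt"])
    expected = base64.b64decode(secret["value"])
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 int(cred["hashIterations"]), dklen=len(expected))
    # Constant-time comparison, as any password check should use.
    return hmac.compare_digest(actual, expected)


def build_update_sql(user_id: str, secret_data: str, credential_data: str) -> str:
    """Render the Step 5 UPDATE statement for the given USER_ID.

    The JSON only ever holds base64 text and fixed keys, so it contains no
    quote characters; the check guards the SQL string literals anyway.
    """
    for value in (user_id, secret_data, credential_data):
        if "'" in value or "\\" in value:
            raise ValueError("value would break the SQL string literal")
    return ("update CREDENTIAL SET\n"
            "SECRET_DATA='%s',\n"
            "CREDENTIAL_DATA='%s'\n"
            "WHERE USER_ID = '%s' AND TYPE = 'password';"
            % (secret_data, credential_data, user_id))


if __name__ == "__main__":
    # Constructed sample input: the password, salt and user ID used in the article.
    secret, cred = make_credential("Admin@1234", "mysaltisthis")
    print(secret)
    print(cred)
    print("verifies:", verify_credential("Admin@1234", secret, cred))
    print(build_update_sql("fec77989-5dc9-477f-b2da-9e2255f49f32", secret, cred))
```

Leaving the salt argument out gives a fresh random 16-byte salt per run, which is preferable to reusing a fixed string across resets; the article's salt is used here only so the output lines up with the SQL above.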

Step 6: Restart Keycloak instances

Once the credentials are updated in the DB, restart all the Keycloak instances. The method of restarting varies based on the type of deployment; please follow the respective deployment documentation.


Reset Admin Password for Keycloak Running as Service

The procedure below can be followed to reset the admin password for Keycloak running as a service.

Step 1: Accessing the Keycloak Server

To begin the process, you need access to the Keycloak server. This could be through direct access to the server machine or via a remote connection, depending on your setup.

Step 2: Stopping Keycloak

Before making any changes, it's recommended to stop the Keycloak server to avoid potential conflicts. This can usually be done using the following command:

systemctl stop keycloak

Step 3: Accessing the Keycloak Configuration

Navigate to the Keycloak installation directory. The exact location might vary depending on your setup and installation method. Look for a folder named something like "keycloak" or "keycloak-X.Y.Z" (where X.Y.Z represents the version number).

cd /path/to/keycloak

Step 4: Editing the Standalone XML Configuration

In the Keycloak installation directory, find the standalone/configuration/standalone.xml file. This file contains the configuration settings for Keycloak.

Open standalone.xml using a text editor of your choice, such as nano, vim or vi.

Step 5: Modifying the Admin User’s Credentials

Within the standalone.xml file, locate the <admin-users> section. You will find a line that resembles the following.

<users>
    <user ..>
      ...
    </user>
</users>

Find the <user> element representing the admin user. It typically has an attribute username="admin".

Edit the password attribute of the admin user's <user> element. Replace the existing encrypted password with a new encrypted password. The easiest way to generate an encrypted password is by using a utility like openssl or any online encryption tool.

Step 6: Saving Changes

After updating the password, save the changes to the standalone.xml file and close the text editor.

Step 7: Starting Keycloak

Now that you've successfully updated the admin user's password, it's time to start Keycloak again.

systemctl start keycloak

Step 8: Accessing the Admin Console

With the admin password reset, you can now access the Keycloak admin console using the new credentials.

Step 9: Updating the Password

Upon logging in, Keycloak might prompt you to update the password. Follow the instructions to set a new password that meets your security requirements.

Conclusion

Resetting the admin password of Keycloak is a crucial step in maintaining the security and accessibility of your identity and access management system. By following the steps outlined in this guide, you can ensure that you regain access to the admin console while also adhering to best practices for securing sensitive information. Always exercise caution when modifying configuration files, and make sure to follow security protocols to prevent unauthorized access.
