Login/Register
Keycloak lost admin password
Asked Answered
Solved keycloak
L

9

12

I have a local test installation of keycloak 12 and unfortunately I've lost the admin password, any idea on how to reset it or reset the keycloak configuration without losing the realms ?

I already used add-user cli command to add a user but even with that one I can't access

Lofty answered 31/8, 2021 at 14:56 Comment(3)
is this the command you tried? sudo -u keycloak ./bin/add-user-keycloak.sh --user YourUser --password YourNewPass --realm YourRealmCorvette
Yes, but I didn't pass the realm since I don't know which one is. I try with Master and master without success return an error saying realm don't exists. Without Realm the account is created but I can't login.Lofty
oh I think you need to know your realm, might not be possible otherwiseCorvette
B
0
  1. Run h2database console:
java -cp ./modules/system/layers/base/com/h2database/h2/main/h2-1.4.197.jar org.h2.tools.Console -url "jdbc:h2:./standalone/data/keycloak;AUTO_SERVER=TRUE" -user sa -password sa

    delete from credential where user_id = '<user-id>';
    delete from user_role_mapping where user_id = '<user-id>';
    delete from user_entity where id = '<user-id>';
  1. Run add-user
  • create admin user (user exist so i only change password)
  1. Run keycloak
  2. start localhost:8080/auth/
  • keycloak asked me to create admin user
Biron answered 9/6 at 23:43 Comment(0)
C
18

For me, I had to find the user in the user_entity table. Then delete rows in related tables. After this, I restarted the pod, and the admin user login became the one passed through the environment variables KEYCLOAK_USER and KEYCLOAK_PASSWORD.

Find the user id

select * from user_entity

Delete rows

delete from credential where user_id = '<user-id>';
delete from user_role_mapping where user_id = '<user-id>';
delete from user_entity where id = '<user-id>';
Calling answered 22/11, 2022 at 22:12 Comment(4)
Also needed to run delete from user_required_action where user_id = 'user_id';Seigneur
In my case admin user was not reset even though i did the same. And even worse, at that time i can't know the admin role because i deleted it. i have no other choice to do. i would rather give another man or woman the admin role by changing db.Claret
For keycloak 23, I had to follow @ayan-bikalapov 's recommendation and also run: update user_entity set realm_id='banana' where realm_id='<master realm id>';Findlay
For me, I also need delete from user_attribute where user_id = '<user-id>';Astera
P
11

The Keycloak's admin user is created only during the first initialization of the container image. Once it's created, the environment variable KEYCLOAK_PASSWORD has no effect. When restarting the pod you can see in the initialization logs:

16:16:35,881 WARN  [org.keycloak.services] (ServerService Thread Pool -- 62) KC-SERVICES0104: Not creating user admin. It already exists.

To create a new admin user you should delete the current one in the database. Or just change the admin username to admin_bkp if you prefer. After this, just restart the container and the admin user is created again.

Connect to the database

$ kubectl exec -it keycloak-database-bd94f668c-rvmbt -- bashbash-5.1$ psql $ keycloak -U postgre -W

Delete or update the current admin user:

psql (12.10)
Type "help" for help.
keycloak=# update  user_entity set "username"='admin_bkp' where "username"='admin';
UPDATE 1

Delete the application pod

$ kubectl delete pod keycloak-database-bd94f668c-rvmbt

Now you should be able to log in using the admin user passed through the environment variables KEYCLOAK_USER and KEYCLOAK_PASSWORD

Parfitt answered 28/2, 2022 at 16:22 Comment(3)
kubectl exec -it KEYCLOAK_DB_POD -- bash -c "psql keycloak -U postgres -W"Flyfish
If you want to do it cleaner, you have to also delete related records in tables "credentials" and "user_role_mapping"Rosiarosicrucian
this is slick!! THANK YOUPhosphor
C
7

If you are using Keycloak Docker image, you can get admin crendential using docker inspect:

docker inspect <keycloak_container_id>

then search for Config > Env, you will find KEYCLOAK_USER and KEYCLOAK_PASSWORD.

Chyou answered 19/12, 2021 at 17:8 Comment(2)
Caveat with this is that if you've changed the password, Keycloak won't reset it to what's in KEYCLOAK_PASSWORD.Stretcherbearer
dont know but worked for me.Mender
W
5

When Keycloak starts up there's a check here that simply looks if there are any users in the master realm: https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/services/managers/ApplianceBootstrap.java#L113

So if you've moved your admin user but kept the realm_id linked to master it won't start.

The solution I've used to recreate the admin user with a new password is to temporarily move all users in the master realm to a bogus realm, restart the service and then move the users back.

ex: update user_entity set realm_id='banana' where realm_id='<master realm id>';

Willi answered 8/5 at 16:59 Comment(1)
We upgraded from keycloak 23.0.x to 24.0.x and hit this problem, this solution worked perfect!!!Brawley
S
1

I have tried the solutions given in the answers above but still not getting it, thanks to the previous answers, though. I arrived at the following workaround: promoting an existing user to admin

Keycloak is configured with MySQL,

Before I deleted the admin entries, I noticed a listing for role-mappings:

select * from user_role_mapping;
ROLE_ID USER_ID
43d3c162-f9c1-48d1-ac76-e8b231bdcfa5 333b12de-2463-4a3b-819e-1b72a5769523
e1779c28-b09f-4fda-8795-e76598004563 333b12de-2463-4a3b-819e-1b72a5769523
43d3c162-f9c1-48d1-ac76-e8b231bdcfa5 c4576081-e20d-473b-93ff-f43068fee722
a5c63fd3-20de-4596-9ed7-cea440d29384 c4576081-e20d-473b-93ff-f43068fee722

The last two USER_ID's (c4576081-e20d-473b-93ff-f43068fee722) refer to the admin's. The last ROLE_ID a5c63fd3-20de-4596-9ed7-cea440d29384 is the admin role, so I create an entry for the user 333b12de-2463-4a3b-819e-1b72a5769523 like so:

insert into user_role_mapping (ROLE_ID, USER_ID) values("a5c63fd3-20de-4596-9ed7-cea440d29384", "333b12de-2463-4a3b-819e-1b72a5769523");

I then log in with the username of the promoted user, I find server state intact, including my registered clients.

Other reference: Recommendation from Keycloak Discourse Community

Best regards

Simla answered 17/12, 2023 at 4:28 Comment(0)
B
0
  1. Run h2database console:
java -cp ./modules/system/layers/base/com/h2database/h2/main/h2-1.4.197.jar org.h2.tools.Console -url "jdbc:h2:./standalone/data/keycloak;AUTO_SERVER=TRUE" -user sa -password sa

    delete from credential where user_id = '<user-id>';
    delete from user_role_mapping where user_id = '<user-id>';
    delete from user_entity where id = '<user-id>';
  1. Run add-user
  • create admin user (user exist so i only change password)
  1. Run keycloak
  2. start localhost:8080/auth/
  • keycloak asked me to create admin user
Biron answered 9/6 at 23:43 Comment(0)
E
0

For Keycloak v24+, you'll need to remove the admin account and temporarily reassign the other master realm users to a fake realm using database queries.

For Microsoft SQL Server, this script works:

declare @adminId varchar(36);
set @adminId = (select ID from user_entity where USERNAME = 'admin');
delete from credential where user_id = @adminId;
delete from user_role_mapping where user_id = @adminId;
delete from user_required_action where user_id = @adminId;
delete from user_entity where id = @adminId;

declare @masterRealmId varchar(36);
set @masterRealmId = (select id from realm where realm.name = 'master');
update user_entity set realm_id='banana' from user_entity where realm_id = @masterRealmId;

After doing that you'll need to restart keycloak while providing the admin account environment variables:

KEYCLOAK_ADMIN=
KEYCLOAK_ADMIN_PASSWORD=

Then finally assign the master realm users back to the realm:

declare @masterRealmId varchar(36);
set @masterRealmId = (select id from realm where realm.name = 'master');
update user_entity set realm_id=@masterRealmId where realm_id = 'banana';

Link to my GitHub gist.

Erato answered 18/7 at 19:48 Comment(0)
V
0

Updating from v23 to v25 broke admin user. This is on docker keycloak with postgresql.

To trigger recreating the admin user the process is very similar to carlin.scotts answer:

Delete current admin user:

DELETE FROM credential where user_id='admin_user_id';
DELETE FROM user_role_mapping where user_id='admin_user_id';
DELETE FROM user_required_action where user_id='admin_user_id';
DELETE FROM user_attribute where user_id='admin_user_id'
DELETE FROM user_entity where id='admin_user_id';

Move master realm users to dummy realm:

update user_entity set realm_id = 'dummy' where realm_id='master_realm_id';

Restart keycloak - this will trigger the admin user recreation.

Check user_entity table for the new admin user

Move dummy realm users back to the master realm:

UPDATE user_entity SET realm_id = 'master_realm_id' WHERE realm_id='dummy';
Vershen answered 29/7 at 9:56 Comment(0)
I
0

In my case, since there were multiple admin accounts, I had to remove all accounts with REALM_ID='master'.

DELETE FROM CREDENTIAL WHERE USER_ID IN (SELECT id FROM USER_ENTITY WHERE REALM_ID = 'master');
DELETE FROM USER_ROLE_MAPPING WHERE USER_ID IN (SELECT id FROM USER_ENTITY WHERE REALM_ID = 'master');
DELETE FROM USER_ATTRIBUTE WHERE USER_ID IN (SELECT id FROM USER_ENTITY WHERE REALM_ID = 'master');
DELETE FROM USER_ENTITY WHERE REALM_ID = 'master';

Deleting only admin account produced an error on startup [org.keycloak.services] (main) KC-SERVICES0010: Failed to add user 'admin' to realm 'master': user with username exists regardless of the fact there was no admin account anymore.

Itinerant answered 7/8 at 12:3 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.