Potential Admin Console Lockout for Bootstrap Admin on Keycloak 26

I just noticed that when using Keycloak version 26, I am only able to create the bootstrap admin on initial startup (i.e. when the master realm does not exist).

For security, we routinely wipe all of the admin accounts in the master realm (by performing a cascading delete on PostgreSQL). But the problem is that the admin credentials are not recreated on startup (bootstrap or otherwise), leading to an admin console lockout.

We actually had to downgrade to version 25.0.6, and are using this in the configuration:

KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}

Potential Solution:

  1. The admin bootstrap also works when there are no admin accounts (not just when the master realm is initially created).
  2. An additional configuration option KC_BOOTSTRAP_ADMIN_EXPIRY, which sets when the admin credentials automatically get deleted (instead of having to do it manually). It could have a default of 1 hour.

I would appreciate feedback on this, thank you.