Feature
Resolution: Done
CIAM-K Sprint 50, CIAM-K Sprint 51, CIAM-K Sprint 52, CIAM-K Sprint 53, CIAM-K Sprint 54
Narrative
RH-SSO (the WildFly distribution of Keycloak) supported adding users via the CLI, which also effectively allowed recovering lost access to the admin user in the master realm. This is currently missing from RHBK.
RHBK currently supports only creating the initial admin user if one does not already exist. This is currently possible via the RHBK Welcome Screen (if accessed via localhost) or by setting dedicated environment variables before starting the server.
Creating a user via environment variables is also considered problematic, as we don't enforce changing the credentials after first login. Using the Welcome Page is also not straightforward in an OpenShift environment because it must be accessed via localhost.
Even though this is essentially two issues, they are closely related. Before implementing recovery functionality, we should reconsider how the initial admin is created in the first place.
Value Proposition
Allow customers to create and recover the initial admin user in a secure and user-friendly way.
Acceptance Criteria
- Improved security for bootstrapping the initial admin user. RHBK should, out of the box, prevent users from accessing or even using the initial admin credentials after the initial installation phase of the server.
- Ability to recover access to the initial admin user in the master realm.
- Good UX for bare metal, container and Operator deployments.