.env.sample

@@ -5,7 +5,9 @@ DOMAIN=keycloak.example.com
 #EXTRA_DOMAINS=', `www.keycloak.example.com`'
 LETS_ENCRYPT_ENV=production
 
-ADMIN_USERNAME=admin
+BOOTSTRAP_PASSWORD=  # temporary admin password
+ADMIN_USERNAME=admin # permanent admin username
+ADMIN_EMAIL=         # permanent admin email
 WELCOME_THEME=keycloak
 
 COMPOSE_FILE="compose.yml"

README.md

@@ -20,24 +20,29 @@
 1. Set up Docker Swarm and [`abra`][abra]
 2. Deploy [`coop-cloud/traefik`][cc-traefik]
 3. `abra app new keycloak --secrets` (optionally with `--pass` if you'd like
-   to save secrets in `pass`). Make sure to note the `admin_password` which is needed for initial setup.
+   to save secrets in `pass`). Make sure to note the `admin_password`
 4. `abra app config YOURAPPDOMAIN` - be sure to change `$DOMAIN` to something that resolves to
    your Docker swarm box
 5. `abra app deploy YOURAPPDOMAIN`
+6. Proceed with replacing the temporary admin user
 
 ## Replacing the temporary admin user
 
-When you first deploy Keycloak, you will login in as a temporary admin user with the username "admin" and a random password generated in step 3 above. You need to create a real admin user and delete the temp admin user, because the temp admin user has no 2FA and its password is stored in plain text on the server, which is insecure. Here's how to create the real admin user:
+The inital user created by Keycloak, is a bootstrap user whose password is stored in plain text on the server. This recipe assigns that user the name "admin_bootstrap" and the password $BOOTSTRAP_PASSWORD set by `abra app config YOURAPDOMAIN`
 
-1. Click "Users" then "Add user"
-2. For "required user actions", I recommend setting "Configure OTP" and "Update Password" to ensure 2FA is enabled.
-3. Set a username, then click "Create"
-5. Go to the "Role Mapping" tab and click "Assign role"
-6. Change the filter from "Filter by clients" to "Filter by realm roles". Select the box for "role_admin" and click "Assign". This makes the user become an admin.
-7. Go to the "Credentials" tab. Click "Set password". Set it to something random and save it for the next step. Leave "Temporary" enabled so the user has to change the password on first login.
-8. If this is an admin account for you, then log out and back in as the new admin user and complete the password change and OTP steps. If this is an admin account for someone else, securely send the initial username and password to the user. They must complete the password change and OTP setup when they first log in.
+Running `abra app command YOURAPPDOMAIN app init_kc` replaces this bootstrap admin with a permanent admin user whose username is $ADMIN_USERNAME and whose password is the secret generated in step 3 above. This will also delete the temporary admin user.
 
-Once at least one real admin user is set up, you should then delete the temporary "admin" user.
+It is recommended to also set up MFA for this account from the web admin panel. Log in to the account, select manage account, select account security/signing in, and enable two factor authentication.
+
+## Running Commands in Keycloak's Admin CLI
+
+To authenticate a session to Keycloak's admin API run:
+`abra app command YOURAPPDOMAIN app login_kcadm`
+
+After this you can run any Admin CLI command via the run_kcadm command. An example, which creates a "sandbox" realm:
+`abra app command YOURAPPDOMAIN app run_kcadm "'create realms -s realm=sandbox -s displayName=sandbox -s enabled=true'"`
+
+[Keycloak Admin CLI documentation](https://www.keycloak.org/docs/latest/server_admin/index.html#admin-cli) has more info on running kcadm commands
 
 ## How do I setup a custom theme?
 

abra.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+run_kcadm() {
+    bin/sh -c "/opt/keycloak/bin/kcadm.sh $@"
+}
+
+login_kcadm() {
+    export KC_CLI_PASSWORD=$(cat /run/secrets/admin_password)
+    run_kcadm "config credentials --server http://localhost:8080 --realm master --user ${ADMIN_USERNAME}"
+}
+
+init_kc() {
+    run_kcadm "config credentials --server http://localhost:8080 --realm master --user admin_bootstrap --password ${BOOTSTRAP_PASSWORD}"
+    # CREATE NEW ADMIN USER
+    ADMIN_PW=$(cat /run/secrets/admin_password)
+    run_kcadm "create users -r master -s username=${ADMIN_USERNAME} -s email='${ADMIN_EMAIL}' -s emailVerified=true -s enabled=true"
+    run_kcadm "set-password -r master --username ${ADMIN_USERNAME} --new-password ${ADMIN_PW}"
+    run_kcadm "add-roles --uusername ${ADMIN_USERNAME} --rolename admin"
+
+    export KC_CLI_PASSWORD="$ADMIN_PW"
+    # AUTHENTICATE WITH NEW ADMIN USER
+    run_kcadm "config credentials --server http://localhost:8080 --realm master --user admin"
+    # DEMOTE BOOTSTRAP ADMIN IN CASE WE CAN'T DELETE
+    run_kcadm "remove-roles -r master --uusername ${KEYCLOAK_ADMIN} --rolename admin --rolename default-roles-master"
+    # JSON MUNGING
+    BOOTSTRAP_ID=$(run_kcadm "get users -q username=admin_bootstrap --limit 1 --fields id | grep id | cut -d : -f2 | tr -d [:space:]")
+    run_kcadm "delete -r master users/${BOOTSTRAP_ID}"
+}

compose.yml

@@ -2,7 +2,7 @@ services:
   app:
     image: "keycloak/keycloak:26.5.4"
     entrypoint: >
-      bash -c "KEYCLOAK_ADMIN_PASSWORD=\"$$(cat /run/secrets/admin_password)\" KC_DB_PASSWORD=\"$$(cat /run/secrets/db_password)\" /opt/keycloak/bin/kc.sh start"
+      bash -c "KEYCLOAK_ADMIN_PASSWORD=\"$$BOOTSTRAP_PASSWORD\" KC_DB_PASSWORD=\"$$(cat /run/secrets/db_password)\" /opt/keycloak/bin/kc.sh start"
     networks:
       - proxy
       - internal
@@ -16,7 +16,8 @@ services:
       - KC_HOSTNAME=https://${DOMAIN}
       - KC_PROXY=edge
       - KC_SPI_CONNECTIONS_JPA_LEGACY_MIGRATION_STRATEGY=update
-      - KEYCLOAK_ADMIN=${ADMIN_USERNAME}
+      # admin_bootstrap will be superceded by $ADMIN_USERNAME on init_kc
+      - KEYCLOAK_ADMIN=admin_bootstrap
       - KEYCLOAK_WELCOME_THEME=${WELCOME_THEME}
       - KC_PROXY_HEADERS=xforwarded
       - KC_HTTP_ENABLED=true

release/next

@@ -0,0 +1,22 @@
+This release introduces admin cli commands to "abra app command"
+
+If you are updating from a previous release, please note that the meaning
+of the "admin_password" secret is changed to reflect the permanent admin
+user's password. To enable "login_kcadm" and "run_kcadm" commands, you
+will need to add your permanent admin password to the secret store.
+
+To increment the secret version:
+"abra app config $APP"
+change this line in the config file:
+SECRET_ADMIN_PASSWORD_VERSION=NEW_VERSION
+
+To insert your permanent admin password:
+"abra app secret insert $APP SECRET_ADMIN_PASSWORD_VERSION \
+  $NEW_VERSION $ADMIN_PASSWORD"
+
+See here for more on rotating secrets:
+https://docs.coopcloud.tech/operators/handbook/#rotating-a-secret
+
+After redeploying, ensure that you are able to authenticate the admin
+CLI by running:
+"abra app command $APP app login_kcadm"