Keycloak password


Key Cloak

Jul 6, 2021, 2:11:43 PM
to Keycloak User
Hi guys,
The password of Keycloak is located in the .standalone.xml file and is in plain text.
What is the best option to secure that password, please?
Thanks

Pedro Igor Craveiro e Silva

Jul 6, 2021, 3:30:02 PM
to Key Cloak, Keycloak User
Hi,

Do you mean database and key store credentials?

Regards.
Pedro Igor

--
You received this message because you are subscribed to the Google Groups "Keycloak User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-user/b949f91f-153d-4319-9cd0-bedb15476a6en%40googlegroups.com.

benjam...@gmail.com

Jul 7, 2021, 6:12:52 AM
to Keycloak User
Maybe via environment variables, as below?

<datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" use-ccm="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
    <connection-url>jdbc:mysql://${env.DB_ADDR:mysql}:${env.DB_PORT:3306}/${env.DB_DATABASE:keycloak}${env.JDBC_PARAMS:}</connection-url>
    <driver>mysql</driver>
    <pool>
        <flush-strategy>IdleConnections</flush-strategy>
    </pool>
    <security>
        <user-name>${env.DB_USER:keycloak}</user-name>
        <password>${env.DB_PASSWORD:password}</password>
    </security>
    <validation>
        <check-valid-connection-sql>SELECT 1</check-valid-connection-sql>
        <background-validation>true</background-validation>
        <background-validation-millis>60000</background-validation-millis>
    </validation>
</datasource>
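
An added example, not part of the original post and not Keycloak or WildFly code: a small audit of datasource `<password>` elements that separates a literal password, an expression with a baked-in fallback such as `${env.DB_PASSWORD:password}` above, and an expression with no fallback. The sample XML, the pool names `LiteralDS` and `StrictDS`, and the verdict labels are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: three datasource <security> variants.
SAMPLE = """<datasources>
  <datasource pool-name="LiteralDS">
    <security><user-name>keycloak</user-name><password>s3cret</password></security>
  </datasource>
  <datasource pool-name="KeycloakDS">
    <security>
      <user-name>${env.DB_USER:keycloak}</user-name>
      <password>${env.DB_PASSWORD:password}</password>
    </security>
  </datasource>
  <datasource pool-name="StrictDS">
    <security><user-name>${env.DB_USER}</user-name><password>${env.DB_PASSWORD}</password></security>
  </datasource>
</datasources>"""

# Matches ${name} or ${name:default}; group 2 is the fallback, if any.
EXPR = re.compile(r"^\$\{([^:}]+)(?::(.*))?\}$", re.S)

def classify(value):
    """Return a verdict label (hypothetical names) for one password value."""
    value = (value or "").strip()
    if not value:
        return "empty"
    m = EXPR.match(value)
    if m is None:
        return "plaintext"          # secret is written in the file itself
    if m.group(2):
        return "default-fallback"   # a usable password still ships in the file
    return "externalized"           # value comes only from outside the file

def local(tag):
    """Strip an XML namespace so subsystem-namespaced files also match."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """List (pool-name, verdict) for every datasource password found."""
    findings = []
    for ds in ET.fromstring(xml_text).iter():
        if local(ds.tag) not in ("datasource", "xa-datasource"):
            continue
        for el in ds.iter():
            if local(el.tag) == "password":
                findings.append((ds.get("pool-name"), classify(el.text)))
    return findings

if __name__ == "__main__":
    for pool, verdict in audit(SAMPLE):
        print(f"{pool}: {verdict}")
```

A `default-fallback` verdict means the file still carries a working credential whenever the environment variable is unset, so the fallback deserves the same review as a literal password.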

Pedro Igor Craveiro e Silva

Jul 7, 2021, 7:30:23 AM
to benjam...@gmail.com, Keycloak User
Yeah, it works too. Env variables should fit nicely if deploying in k8s where the value is obtained from secrets.

Wildfly (Elytron subsystem) also allows you to use a credential store to store credentials and reference those within the datasource configuration. Elytron also allows you to mask passwords instead of having those in clear text in the configuration.

From Keycloak, you can also use vault to securely set credentials to certain components. See https://www.keycloak.org/docs/latest/server_admin/#_vault-administration


Key Cloak

Jul 10, 2021, 6:13:23 AM
to Keycloak User
Thank you guys. I got it and I have encrypted all passwords used.