No sign in possible if deactivating default IdP


Jürgen Siemens

Sep 4, 2023, 5:27:40 AM9/4/23
to Keycloak User
Hello all,
today we are faced with a problem that is unsolvable for me. Two years ago we set up an OIDC IdP in Keycloak against our Azure AD. In doing so, I disabled the default IdP (username / password) so that the login would work as SSO. The administration ran through my Azure AD user (he has the admin permissions). Now we are facing the problem that the client secret of the Azure AD enterprise application has expired and needs to be renewed. A login with my personal Azure AD user to Keycloak is not possible because it forwards to Azure AD immediately. A login with username / password is not possible for me.
My question now is:
- can I bypass the Azure AD login so that I can log in with username / password?
- or do I have the possibility to disable the OIDC via the operating system or re-enable the default IdP?

Used version: 15.0.2 (outdated / would patch once our applications are running again)

Best regards,
Jürgen

Schuster Sebastian (BD/PAU1)

Sep 4, 2023, 8:45:14 AM9/4/23
to Jürgen Siemens, Keycloak User

Hi Jürgen,

Can you just write the new secret to the database directly? In the table IDENTITY_PROVIDER_CONFIG, there are columns IDENTITY_PROVIDER_ID, NAME, VALUE, and you should look for a row where IDENTITY_PROVIDER_ID is the internal ID of your identity provider and the NAME is “clientSecret”. VALUE should contain the old secret and you have to update it.

Best regards,

Sebastian

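A concrete form of the database fix Sebastian describes, as an added example that is not from the thread. It assumes Keycloak's schema where IDENTITY_PROVIDER_CONFIG.IDENTITY_PROVIDER_ID references IDENTITY_PROVIDER.INTERNAL_ID and the alias is stored in IDENTITY_PROVIDER.PROVIDER_ALIAS (verify against your own schema), an IdP alias of `oidc`, and a placeholder for the new secret.

```sql
-- Added example, not from the thread. Assumes the IDENTITY_PROVIDER /
-- IDENTITY_PROVIDER_CONFIG layout described in the lead-in; check your
-- schema before running. Replace 'oidc' with your IdP alias and
-- NEW_SECRET_PLACEHOLDER with the secret issued by Azure AD.

-- 1. Locate the provider's internal ID and confirm exactly one
--    clientSecret row exists for it before touching anything.
SELECT ip.INTERNAL_ID, ip.PROVIDER_ALIAS, ip.ENABLED, c.NAME, c.VALUE
  FROM IDENTITY_PROVIDER ip
  JOIN IDENTITY_PROVIDER_CONFIG c
    ON c.IDENTITY_PROVIDER_ID = ip.INTERNAL_ID
 WHERE ip.PROVIDER_ALIAS = 'oidc'
   AND c.NAME = 'clientSecret';

-- 2. Update inside a transaction so a wrong WHERE can be rolled back.
BEGIN;
UPDATE IDENTITY_PROVIDER_CONFIG
   SET VALUE = 'NEW_SECRET_PLACEHOLDER'
 WHERE NAME = 'clientSecret'
   AND IDENTITY_PROVIDER_ID = (
         SELECT INTERNAL_ID
           FROM IDENTITY_PROVIDER
          WHERE PROVIDER_ALIAS = 'oidc');
-- Expect exactly 1 row affected; otherwise ROLLBACK and repeat step 1.
COMMIT;
```

Stop the Keycloak pod before editing (H2 in embedded mode holds a lock on the file, and Keycloak caches identity-provider settings until restart), and once you are back in, rotate the secret through the admin console rather than the database.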

Jürgen Siemens

Sep 4, 2023, 9:52:22 AM9/4/23
to Keycloak User
Hello Sebastian,

thank you for the message. How can I connect to the database remotely? I use a Keycloak pod in my k3s environment. The .db file is visible to me. But how can I edit this?

I found the clientSecret by connecting with kcadm.sh and running the command "./kcadm.sh get identity-provider/instances/oidc/ -r master". Is there a way to update the clientSecret too?

Best regards,
Jürgen Siemens

Schuster Sebastian (BD/PAU1)

Sep 4, 2023, 9:57:26 AM9/4/23
to Jürgen Siemens, Keycloak User

Hi Jürgen,

Are you saying you are using the default H2 DB in production? That is not a recommended setup; it is just for development.

You should really use a proper DB like PostgreSQL.

Nevertheless, you can connect to an H2 database using the H2 Console, see http://www.h2database.com/html/tutorial.html#tutorial_starting_h2_console

Best regards,

Sebastian
