Hi @nevercodecorrect, this information comes from the basic default values of Keycloak's root settings during initial setup as a temporary password -- which is later passed into the schema here:
This admin credential is generated for the first interaction with the master realm on Keycloak for admin usage. It is outlined in our docs that you should change this password after the first deployment (here)
That said, I agree that exposing Keycloak's root password is a potential risk, even though it's temporary. We could initialize those values into a separate text file in the user host environment or set relatable env vars that contain the expected values, such as NEBARI_KEYCLOAK_INITIAL_ROOT_PASSWORD
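The two options sketched in the comment above (an operator-supplied env var, or an initial password persisted to a file the operator owns) next to the logging pattern the issue reports. This is an added illustration, not Nebari's code; the env var name is the one suggested in the comment, and `leaky_bootstrap`, `safe_bootstrap`, `initial_root_password` and the other helpers are hypothetical names. It assumes a POSIX host where file mode bits are honoured.

```python
import os
import secrets
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Env var name suggested in the maintainer comment above (assumed, not yet in the project).
ENV_VAR = "NEBARI_KEYCLOAK_INITIAL_ROOT_PASSWORD"


def leaky_bootstrap(username: str, password: str) -> str:
    """The pattern the issue describes (CWE-532): the secret itself lands in the log line."""
    return f"Keycloak admin user {username} created with password {password}"


def safe_bootstrap(username: str, secret_path: Path) -> str:
    """Hardened form: the log line says where the secret lives, never what it is."""
    return f"Keycloak admin user {username} created; initial password written to {secret_path} (mode 0600)"


def initial_root_password(env: Dict[str, str], secret_path: Optional[Path] = None) -> Tuple[str, str]:
    """Return (password, source).

    If the operator supplied the password via ENV_VAR, use it and report "env".
    Otherwise generate a random one and write it to secret_path, readable only by
    the owner, and report the path so the caller can log the location instead of
    the value.
    """
    supplied = env.get(ENV_VAR)
    if supplied:
        return supplied, "env"

    password = secrets.token_urlsafe(24)  # 32 URL-safe characters, ~192 bits of entropy
    if secret_path is None:
        secret_path = Path(tempfile.gettempdir()) / "keycloak_initial_root_password"

    # Create the file with 0600 from the start so there is no window where it is world-readable.
    fd = os.open(secret_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(password)
    # If the file already existed with wider permissions, the mode above is not applied; fix it.
    os.chmod(secret_path, 0o600)
    return password, str(secret_path)


def generate_into_tempdir() -> Tuple[str, str]:
    """Convenience wrapper: generate a password into a fresh private temp directory."""
    target = Path(tempfile.mkdtemp()) / "keycloak_initial_root_password"
    return initial_root_password(env={}, secret_path=target)


def read_secret(path: str) -> str:
    """Read back what was persisted (what the operator would do before first login)."""
    return Path(path).read_text()


def file_mode(path: str) -> int:
    """Permission bits of the secret file, for checking that only the owner can read it."""
    return os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    pw, where = initial_root_password(env=dict(os.environ))
    print(safe_bootstrap("root", Path(where) if where != "env" else Path("<env>")))
```

The point of the split is that whatever gets printed or shipped to a log aggregator (`safe_bootstrap`) carries only a location, while the secret itself reaches the operator through a channel they already control: their own environment, or a file they own with mode 0600.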
Context
In code, the username and password are printed directly. This is a potential information leakage issue as described in CWE-532
Value and/or benefit
Removing the password could reduce the attack surface
Anything else?
No response