
bugfix(KLEF): Reset password on conflict in EnsureAdmin #9

Merged
isaacwallace123 merged 2 commits into main from fix/ensure-admin-password on Apr 3, 2026

@JeremyNRoos
Contributor

Pull Request

Summary

  • Fixes admin user being unable to log in after a fresh Keycloak install
  • Keycloak 26 ships a bootstrap service account (admin) that has no OIDC password credential — EnsureAdmin was silently ignoring the 409 conflict and leaving the user without a usable credential for Direct Access Grants

Related Issues

Closes #


Changes

What's Included

  • EnsureAdmin: on 409 conflict from Register, now calls resetPassword instead of silently moving on
  • New resetPassword function: looks up user by username, then PUT /admin/realms/{realm}/users/{id}/reset-password with a permanent credential

What's Not Included

  • No changes to realm or client setup logic
  • No changes to token validation or login flow

Testing

How Was This Tested?

  • Tested locally with bundled Keycloak (Keycloak 26 via docker-compose)
  • Installed plugin, logged in as admin — credentials now work on first attempt

Test Coverage

  • Unit tests added or updated
  • Integration tests added or updated
  • Manually tested end-to-end

Breaking Changes

  • Yes
  • No

Security Considerations

  • This PR affects authentication or authorization logic
  • This PR touches secrets, tokens, or environment variables
  • This PR affects infrastructure, deployment pipelines, or network configuration

resetPassword uses the bootstrap admin token (already obtained earlier in EnsureAdmin) to call the Keycloak Admin REST API. The credential reset only runs when a 409 is returned — i.e. the user already exists. No new permissions required.


Documentation

  • Yes
  • No

UI/UX (If Applicable)

  • Includes new components or views
  • Changes styles or theme tokens
  • Responsive behavior verified
  • Requires design approval

Pre-Merge Checklist

  • PR title follows semantic format (fix: reset password on conflict in EnsureAdmin)
  • All CI checks passing
  • Code follows project style guidelines
  • No debug logs or commented-out code left in
  • Dependencies reviewed (no unnecessary additions)
  • No sensitive information included

Reviewer Notes

JeremyNRoos and others added 2 commits April 2, 2026 21:01
Keycloak 26 ships with a bootstrap admin service account that doesn't
have an OIDC password credential. When EnsureAdmin tried to create the
admin user, Keycloak returned 409 Conflict and we silently moved on —
leaving the admin without a usable credential for Direct Access Grants.

On 409, now call resetPassword to set a permanent OIDC credential on
the existing user so login works immediately after install.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
isaacwallace123 merged commit 7de6fed into main Apr 3, 2026
1 check passed
isaacwallace123 deleted the fix/ensure-admin-password branch April 3, 2026 01:15
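
The lookup-then-reset step described in the PR summary, as an added Go example that is not the project's code and covers only the reset, not the 409 branch in EnsureAdmin. The function signature, the `call` helper, the `KC_*` environment variable names, the `master` realm and the `exact=true` query parameter are assumptions, not taken from the PR.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"os"
)

// call sends one Admin REST request with the admin token (hypothetical helper).
func call(method, target, token string, body []byte) (*http.Response, error) {
	req, err := http.NewRequest(method, target, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Content-Type", "application/json")
	return http.DefaultClient.Do(req)
}

// resetPassword looks the user up by exact username, then sets a permanent password.
func resetPassword(base, realm, token, user, pass string) error {
	users := base + "/admin/realms/" + realm + "/users"
	// exact=true: without it the username filter also returns partial matches.
	resp, err := call("GET", users+"?exact=true&username="+url.QueryEscape(user), token, nil)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	var found []struct{ ID string }
	if err := json.NewDecoder(resp.Body).Decode(&found); err != nil || len(found) != 1 {
		return fmt.Errorf("lookup %q: HTTP %d, %d matches, want exactly 1", user, resp.StatusCode, len(found))
	}
	cred, _ := json.Marshal(map[string]any{"type": "password", "value": pass, "temporary": false})
	put, err := call("PUT", users+"/"+found[0].ID+"/reset-password", token, cred)
	if err != nil {
		return err
	}
	defer put.Body.Close()
	if put.StatusCode != http.StatusNoContent {
		return fmt.Errorf("reset-password: HTTP %d", put.StatusCode)
	}
	return nil
}

func main() { // KC_URL, KC_TOKEN, KC_PASS and realm "master" are assumed names
	fmt.Println("resetPassword:", resetPassword(os.Getenv("KC_URL"), "master", os.Getenv("KC_TOKEN"), "admin", os.Getenv("KC_PASS")))
}
```

Refusing to continue unless the lookup returns exactly one user keeps the reset from landing on a different account when the query is ambiguous or the token is rejected.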