Keycloak Admin Username Change?

I encountered something very interesting and it’s making me really worried, so I thought I would reach out to the broader community to see if someone else has experienced this.

When Keycloak was initialized it was done so with a user called “admin” and an autogenerated password.

At some point, the logins with the admin user to the admin console for the master realm stopped working, which was very weird. Keycloak logs were saying the user didn’t exist. When trying to reinitialize Keycloak with the admin user, it would fail saying the user already existed. But that’s weird because clearly the Keycloak logs were saying the user didn’t exist when trying to sign in to the master realm through the console with the admin username.

What was even weirder was when I looked into the database to see the users associated to the master realm, I can see that there was an admin user, but there was an email address associated to it and it was a developer email address.

So I used the developer email address and the autogenerated password and I was able to log in.

What worries me is that first of all, how did the admin username change to the developer email address? When asking the developer, they said they didn’t do it. Secondly when checking the realm settings in the database, I can see that edit username was not allowed. Again, how could the username for the admin user have changed? Did my developer manually change it through the db, was it somehow inadvertent?

If someone knows the different ways the admin username can change in Keycloak for the master realm please do let me know. This way I can narrow it down to see if it was malicious, or if my developer or our servers are compromised etc.

I’m fairly worried.

I just ran into this behaviour because I was the one that caused it.
It appears this happens when you add an email to the admin account. The admin username is replaced by the email that gets added.
So your developer did change it, but indirectly and they probably weren’t expecting this change to happen.
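
An added example, not part of either post above: if admin events were being saved for the master realm with representations included (an assumption; the thread does not say so), a script like this shows when a username changed, what it changed to, and which account and IP address made the change. The event records are constructed samples shaped like Keycloak admin-event JSON, and `find_username_changes` is a hypothetical helper name.

```python
import json

# Constructed sample records shaped like Keycloak admin events exported as JSON.
# Assumption: admin events were saved with "Include representation" enabled.
SAMPLE_EVENTS = [
    {"time": 1700000000000, "operationType": "CREATE", "resourceType": "USER",
     "resourcePath": "users/u-1",
     "authDetails": {"userId": "u-0", "ipAddress": "192.0.2.10"},
     "representation": json.dumps({"username": "admin"})},
    {"time": 1700000500000, "operationType": "UPDATE", "resourceType": "USER",
     "resourcePath": "users/u-1",
     "authDetails": {"userId": "u-1", "ipAddress": "192.0.2.44"},
     "representation": json.dumps({"username": "dev@example.com",
                                   "email": "dev@example.com"})},
    {"time": 1700000900000, "operationType": "UPDATE", "resourceType": "USER",
     "resourcePath": "users/u-2",
     "authDetails": {"userId": "u-1", "ipAddress": "192.0.2.44"},
     "representation": json.dumps({"username": "bob", "email": "bob@example.com"})},
]

def find_username_changes(events):
    """Report user events whose username differs from the last one seen."""
    last_username = {}  # resourcePath -> most recent username observed
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("resourceType") != "USER" or not ev.get("representation"):
            continue  # not a user event, or representation was not recorded
        if ev.get("operationType") not in ("CREATE", "UPDATE"):
            continue
        rep = json.loads(ev["representation"])  # stored as a JSON string
        new = rep.get("username")
        if new is None:
            continue
        path = ev["resourcePath"]
        old = last_username.get(path)
        if old is not None and new != old:
            auth = ev.get("authDetails", {})
            findings.append({
                "time": ev["time"], "user": path, "old": old, "new": new,
                "matches_email": new == rep.get("email"),
                "actor": auth.get("userId"), "ip": auth.get("ipAddress"),
            })
        last_username[path] = new
    return findings

if __name__ == "__main__":
    for finding in find_username_changes(SAMPLE_EVENTS):
        print(finding)
```

A finding where `actor` is the affected user itself and `matches_email` is true is consistent with the self-inflicted change described in the reply; an unfamiliar actor or IP address is what would warrant a closer look.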