lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Keycloak

Keycloakidentity4 credentials

Credentials4 documented
01

Bootstrap Admin Password

keycloak / bootstrap-admin-password

Keycloak container deployments bootstrap an administrator with environment variables. Keycloak documents KC_BOOTSTRAP_ADMIN_USERNAME and KC_BOOTSTRAP_ADMIN_PASSWORD for the initial admin user when starting a container.

generated on installuser definedsecretusername/password

Location

environment
KC_BOOTSTRAP_ADMIN_USERNAME, KC_BOOTSTRAP_ADMIN_PASSWORD, KEYCLOAK_ADMIN, KEYCLOAK_ADMIN_PASSWORD
public interface
/admin

Keycloak Admin Console login

secret store

Kubernetes Secrets, container environment secrets, Helm values, and cloud secret managers

source code

Docker Compose files, Helm charts, tests, and committed deployment manifests

logs

container startup logs and provisioning output

Notes

The documented admin/change_me values are examples, not shipped universal defaults. Treat the bootstrap password as deployment-specific.

02

Database Credentials

keycloak / database-credentials

Keycloak supports external databases and container documentation shows database configuration through KC_DB, KC_DB_URL, KC_DB_USERNAME, and KC_DB_PASSWORD. These credentials back the Keycloak realm and user store.

user definedsecretusername/password

Location

environment
KC_DB_USERNAME, KC_DB_PASSWORD, KC_DB_URL
config file

keycloak.conf, Docker Compose files, Helm values, and operator custom resources

secret store

Kubernetes Secrets, cloud secret managers, and database password vault entries

source code

committed container definitions, test configs, and deployment manifests

logs

database connection errors and startup traces

Notes

Database access can expose realm configuration, users, credential hashes, clients, sessions, and identity-provider configuration.

03

OIDC Client Secret

keycloak / client-secret

Keycloak OpenID Connect confidential clients use client credentials. Keycloak documents confidential client credentials and client secret rotation policies in the server administration guide.

generated on installsecretsecret value

Location

database

Keycloak realm database storing client configuration and credentials

environment
KEYCLOAK_CLIENT_SECRET, OIDC_CLIENT_SECRET
config file

application config, adapter config, .env files, and deployment manifests

secret store

Kubernetes Secrets, cloud secret managers, CI/CD variables, and app secrets

source code

committed adapter configs, examples, tests, and Helm values

logs

token exchange traces and OIDC client debug logs

Notes

A client secret can authenticate the application to Keycloak token endpoints and should be rotated if exposed.

04

Realm Signing Private Key / Keystore Secret

keycloak / realm-signing-key

Keycloak realms use keys to sign tokens and can load or rotate generated key pairs and Java keystores. Private keys and keystore passwords protect token signing material.

generated on installuser definedsecretkey pair

Looks like

pattern
pattern

PEM private key for token signing or realm key import

-----BEGIN (?:RSA |EC |)PRIVATE KEY-----

Location

database

Keycloak realm key provider and component configuration

config file

Java keystores, realm exports, key provider config, and deployment manifests

secret store

Kubernetes Secrets, HSM/KMS-backed stores, Java keystores, and cloud secret managers

source code

committed realm exports, test keys, and container build contexts

Notes

Signing private keys can mint tokens trusted by clients for the affected realm until keys are rotated and clients refresh metadata.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.