WSO2 Identity Server
WSO2identity4 credentials
Administrator Password
wso2-identity-server / admin-password
WSO2 Identity Server has an administrator account used to access the Management Console and administrative APIs. WSO2 documents changing the default administrator password during secure deployment.
Location
deployment.toml, user-mgt.xml, carbon.xml, and provisioning files
/carbon, management APIsWSO2 Management Console and administrative endpoints
WSO2 user store and registry databases containing user and credential verifier data
WSO2_ADMIN_USERNAME, WSO2_ADMIN_PASSWORDSecure Vault, Kubernetes Secrets, cloud secret managers, and CI/CD variables
deployment manifests, Helm values, Docker Compose files, and committed config
startup logs, installer output, and authentication traces
Notes
Do not rely on example admin credentials as a universal default. Treat the administrator credential as deployment-specific and rotate it after setup.
OIDC Application Client Secret
wso2-identity-server / oidc-client-secret
WSO2 Identity Server service providers and OIDC applications use OAuth client credentials, including a client secret, to authenticate token requests and relying-party integrations.
Location
WSO2 registry/user-store database records for service provider and OAuth application configuration
service provider exports, application config, .env files, and deployment manifests
WSO2_CLIENT_ID, WSO2_CLIENT_SECRETSecure Vault, application secret stores, CI/CD variables, and cloud secret managers
OAuth examples, tests, and committed relying-party config
OAuth token exchange and OIDC troubleshooting logs
Notes
Client secret exposure can allow impersonation of the WSO2 OIDC/OAuth application in supported token flows.
Database / User Store Credentials
wso2-identity-server / database-credentials
WSO2 Identity Server stores identity, registry, and user-management data in configured databases and user stores. Deployment configuration can include database usernames, passwords, and LDAP bind credentials.
Location
deployment.toml, master-datasources.xml, user-mgt.xml, and LDAP user store config
WSO2_DB_USERNAME, WSO2_DB_PASSWORD, WSO2_LDAP_BIND_PASSWORDWSO2 Secure Vault, Kubernetes Secrets, database vault entries, and cloud secret managers
committed deployment configs, Helm values, and Docker Compose files
datasource connection logs and LDAP troubleshooting output
Notes
These credentials can expose identity data, service provider secrets, user accounts, and token/session stores.
Keystore / Truststore Password
wso2-identity-server / keystore-password
WSO2 deployments use Java keystores and truststores for TLS, signing, and encryption. Keystore passwords protect private keys used by the Identity Server.
Looks like
pattern(?:keystore|truststore|keyStore|trustStore).*password\s*=\s*[^\r\n]+Location
deployment.toml, carbon.xml, axis2.xml, and Java keystore configuration
WSO2 Secure Vault, Java keystores, Kubernetes Secrets, and cloud secret managers
committed deployment configs and container build contexts
images containing keystores and deployment configuration
Notes
Keystore credentials may unlock SAML/OIDC signing keys and TLS private keys trusted by identity clients.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.