Managing Passwords
Fuzzball provides two password management workflows: users can change their own password through a self-service flow, and organization owners can reset a member’s password on their behalf. Both flows delegate to Keycloak, which enforces any configured password policy and handles reauthentication.
Password management applies only to users who authenticate directly with Fuzzball. If your organization uses an upstream identity provider (SSO or LDAP), manage passwords through that provider instead.
Users can change their own password at any time when they know their current password.
- Log into your Fuzzball UI
- Click your user avatar or name in the top right corner and select Change Password
- A dialog will open. Click Change Password to be redirected to the Keycloak authentication console in a new tab
- Follow the prompts to enter your current password and choose a new one
- After completing the change, you will be redirected back to Fuzzball
If your organization uses SSO or LDAP, you will see an informational message directing you to manage your password through your identity provider instead.
- Fuzzball CLI installed with an active context
Run the following command to get a link to the Keycloak password change page:
$ fuzzball context update-user --new-password
Open the following URL in your browser to change your password:
https://auth.example.fuzzball.ciq.dev/realms/.../protocol/openid-connect/auth?...&kc_action=UPDATE_PASSWORD&...Open the URL in your browser. Keycloak will prompt you to reauthenticate and then set a new password. After completing the change, you will be redirected back to Fuzzball.
Organization owners can reset a member’s password without knowing the current one. By default
the reset password is permanent — the user is not required to change it. To force a password
change on next login, use the --require-update-password flag (CLI) or enable the equivalent
option in the web UI.
Before resetting a user’s password via the web UI, ensure you have:
- Organization owner permissions
Use the organization member update subcommand with the member’s email address or UUID.
Auto-generate a new password:
$ fuzzball organization member update user2@ciq.com --generate-password
⚠️ GENERATED PASSWORD (save this - it won't be shown again):
riJ@Kb#2#KpV8g*1S7_Q_4^MLp8I^N52
Password reset successfully.Auto-generate and require the user to change it on next login:
$ fuzzball organization member update user2@ciq.com --generate-password --require-update-password
⚠️ GENERATED PASSWORD (save this - it won't be shown again):
riJ@Kb#2#KpV8g*1S7_Q_4^MLp8I^N52
The user will be required to change this password on next login.Set a password interactively:
$ fuzzball organization member update user2@ciq.com --password-prompt
Password: ········
Confirm: ········
Password reset successfully.Set a password inline:
$ fuzzball organization member update user2@ciq.com --password='TempPass1!'
Password reset successfully.The--password,--password-prompt, and--generate-passwordflags are mutually exclusive. You must provide exactly one of these flags to set or generate a password.
The same subcommands apply to organization owners using update-owner:
$ fuzzball organization update-owner user3@ciq.com --generate-passwordShare the new password with the user.
- Fuzzball CLI installed with an active context
- Organization owner permissions
Use the organization member update subcommand with the member’s email address or UUID.
Auto-generate a new password:
$ fuzzball organization member update user2@ciq.com --generate-password
⚠️ GENERATED PASSWORD (save this - it won't be shown again):
riJ@Kb#2#KpV8g*1S7_Q_4^MLp8I^N52
Password reset successfully.Auto-generate and require the user to change it on next login:
$ fuzzball organization member update user2@ciq.com --generate-password --require-update-password
⚠️ GENERATED PASSWORD (save this - it won't be shown again):
riJ@Kb#2#KpV8g*1S7_Q_4^MLp8I^N52
The user will be required to change this password on next login.Set a specific password (interactive prompt):
$ fuzzball organization member update user2@ciq.com --password
Password: ········
Confirm: ········Set a specific password (inline):
$ fuzzball organization member update user2@ciq.com --password='TempPass1!'The same organization member update subcommand also resets passwords for organization owners:
$ fuzzball organization member update user3@ciq.com --generate-passwordShare the new password with the user.