[keycloak-dev] generic cli sso utility

Bill Burke bburke at redhat.com
Mon Aug 14 09:56:32 EDT 2017


You can't use direct grant as the CLI won't know what credential input 
is required, i.e. pw only, pw + otp, pw + sms, etc. Right now the CLI 
tool I wrote uses the KeycloakInstalled stuff you did, Stian, and stores 
tokens in a hidden directory.

I would eventually like to make it RSH friendly and define a flow that 
was text based and displayable to the console.  All with Kerberos and 
client cert support too.  Maybe this is something we can do with a 
text-based browser (Lynx)?  Not sure how KeycloakInstalled would detect 
this and be able to run it though. Also configuration for Kerberos and 
client cert would be problematic.


On 8/14/17 7:08 AM, Stian Thorgersen wrote:
> For this exact reason it can't use the browser based flow; rather it 
> should use the direct grant (or some other flow?!?).
>
> On 4 August 2017 at 10:09, Marek Posolda <mposolda at redhat.com> wrote:
>
>     I wonder if it's possible to have a CLI utility, which is able to read
>     HTML with the form and challenge user based on that? For example
>     once it receives the HTML like this:
>
>     <form>
>        Username: <input name="username" />
>        Password: <input name="password" type="password" />
>     </form>
>
>     Then in command line, user will be challenged for username and
>     password.
>
>     I am not sure if it's doable in practice and how much work it is.
>     Sounds like re-implementing browser in command line. But maybe
>     something like this exists already?
>
>     BTW. Some things will never work in CLI in my opinion. For example:
>     - Registration with captcha
>     - TOTP setup
>     - Broker login (but hopefully some brokers offer alternatives)
>
>     Marek
>
>
>     On 28/07/17 22:36, Bill Burke wrote:
>     > I've developed a small command line utility around Keycloak Installed.
>     > The idea is that this utility performs a login with keycloak to obtain
>     > an access token.  This utility saves the access and refresh token in a
>     > file (similar to how ssh does in .ssh). Then bash scripts can be used to
>     > export the access token as an environment variable so it can be used by
>     > other command line utilities.
>     >
>     > https://github.com/patriot1burke/keycloak/blob/master/adapters/oidc/installed/src/main/java/org/keycloak/adapters/installed/KeycloakCliSso.java
>     >
>     > https://github.com/patriot1burke/keycloak/tree/master/adapters/oidc/cli-sso
>     >
>     > Eventually I'm thinking of creating a text/plain protocol with Keycloak
>     > server so that launching a browser or cutting/pasting between the
>     > command line window and browser isn't a requirement. It would be a plain
>     > text challenge response protocol.  This would require a bit more work as
>     > it would require reworking all of our built in authenticators and
>     > required action plugins.
>
>
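
The form-driven prompting idea from the quoted 4 August message, sketched as an added example (not code from this thread or from Keycloak): a Python parser that turns a login form into console prompts and reads password fields without echo. The action URL, the hidden field and all class and function names are constructed for illustration.

```python
import getpass
from html.parser import HTMLParser

# Constructed sample: the form quoted in the thread, plus an action URL and a
# hidden field that are assumptions added for illustration.
SAMPLE_FORM = """
<form action="https://sso.example.test/login" method="post">
   Username: <input name="username" />
   Password: <input name="password" type="password" />
   <input type="hidden" name="example_hidden_token" value="abc123" />
</form>
"""

class LoginFormParser(HTMLParser):
    """Collects the first form's action URL and its named <input> fields."""
    def __init__(self):
        super().__init__()
        self.action = None
        self.prompts = []   # (field name, is_secret) pairs to ask the user
        self.hidden = {}    # hidden fields, posted back unchanged
        self._in_form = self._done = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and not self._done:
            self._in_form, self.action = True, a.get("action")
        elif tag == "input" and self._in_form and a.get("name"):
            kind = (a.get("type") or "text").lower()
            if kind == "hidden":
                self.hidden[a["name"]] = a.get("value") or ""
            elif kind in ("text", "password"):
                self.prompts.append((a["name"], kind == "password"))

    def handle_endtag(self, tag):
        if tag == "form" and self._in_form:
            self._in_form, self._done = False, True

def parse_login_form(html):
    parser = LoginFormParser()
    parser.feed(html)
    parser.close()
    return parser

def challenge(form, ask=input, ask_secret=getpass.getpass):
    """Prompt for each field; password inputs are read without echo."""
    answers = dict(form.hidden)
    for name, secret in form.prompts:
        answers[name] = (ask_secret if secret else ask)(f"{name}: ")
    return answers
```

Calling `challenge(parse_login_form(SAMPLE_FORM))` in a terminal prompts for `username` with echo and for `password` through `getpass`; the returned dict is what would be posted to the form's action URL.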


