[keycloak-dev] generic cli sso utility

Stian Thorgersen sthorger at redhat.com
Tue Aug 15 02:46:15 EDT 2017

I don't think leveraging a text-based browser is a good idea:

* No-one has one installed and they suck big time. You probably need Cygwin
on Windows to get one as well
* Would require special themes to make anything that would be remotely
* Not always usable on a remote shell. You need to do ssh (and other
things) with special commands to have an emulated terminal rather than just
a stream of characters

A separate flow and/or extending direct grant to have some sort of
challenge/response would probably be better.

Thinking about 3 different use-cases for the CLI:

* Desktop - in this case the system browser is probably the best option as
there's then SSO between web and CLIs and there's the best UI available
* Server/RSH - in this case wouldn't private/public keys be the best
option? SSH does this very well with RSA keys. We could even just use the
same keys as SSH by allowing users to upload their public SSH key
* Embedded/IoT (probably a completely different thing altogether) - in this
case the device has very limited capabilities so you probably want to
complete the authentication on a separate device

On 14 August 2017 at 15:56, Bill Burke <bburke at redhat.com> wrote:

> You can't use direct grant as the CLI won't know what credential input is
> required. i.e. pw only, pw + otp, pw + sms, etc....  Right now the CLI tool
> I wrote uses the KeycloakInstalled stuff you did Stian and stores tokens in
> a hidden directory.
> I would eventually like to make it RSH friendly and define a flow that was
> text based and displayable to the console.  All with Kerberos and client
> cert support too.  Maybe this is something we can do with a text-based
> browser (Lynx)?  Not sure how KeycloakInstalled would detect this and be
> able to run it though.  Also configuration for Kerberos and client cert
> would be problematic.
> On 8/14/17 7:08 AM, Stian Thorgersen wrote:
> For this exact reason it can't use the browser-based flow; rather, it should use
> the direct grant (or some other flow?!?).
> On 4 August 2017 at 10:09, Marek Posolda <mposolda at redhat.com> wrote:
>> I wonder if it's possible to have CLI utility, which is able to read
>> HTML with the form and challenge user based on that? For example once it
>> receives the HTML like this:
>> <form>
>>    Username: <input name="username" />
>>    Password: <input name="password" type="password" />
>> </form>
>> Then in command line, user will be challenged for username and password.
>> I am not sure if it's doable in practice and how much work it is. Sounds
>> like re-implementing browser in command line. But maybe something like
>> this exists already?
>> BTW. Some things will never work in CLI in my opinion. For example:
>> - Registration with captcha
>> - TOTP setup
>> - Broker login (but hopefully some brokers offer alternatives)
>> Marek
>> On 28/07/17 22:36, Bill Burke wrote:
>> > I've developed a small command line utility around Keycloak Installed.
>> > The idea is that this utility performs a login with keycloak to obtain
>> > an access token.  This utility saves the access and refresh token in a
>> > file (similar to how ssh does in .ssh). Then bash scripts can be used to
>> > export the access token as an environment variable so it can be used by
>> > other command line utilities.
>> >
>> >
>> > https://github.com/patriot1burke/keycloak/blob/master/adapters/oidc/installed/src/main/java/org/keycloak/adapters/installed/KeycloakCliSso.java
>> >
>> > https://github.com/patriot1burke/keycloak/tree/master/adapters/oidc/cli-sso
>> >
>> >
>> > Eventually I'm thinking of creating a text/plain protocol with Keycloak
>> > server so that launching a browser or cutting/pasting between the
>> > command line window and browser isn't a requirement. It would be a plain
>> > text challenge response protocol.  This would require a bit more work as
>> > it would require reworking all of our built in authenticators and
>> > required action plugins.
>> >
>> > _______________________________________________
>> > keycloak-dev mailing list
>> > keycloak-dev at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
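Added example, not part of the thread and not Keycloak code. Stian's third use-case ("complete the authentication on a separate device") and Bill's wish to avoid cut/paste between the terminal and a browser are exactly what the OAuth 2.0 device authorization grant (RFC 8628) standardises: the CLI asks the server for a device code plus a short user code, prints the verification URL and the code, and polls the token endpoint while the user finishes the ordinary browser login on whatever device has one, so password + OTP, brokers, captcha and required actions all keep working without a text-mode browser or a new challenge/response protocol. The block below simulates both sides in one process. DemoAuthServer, the sso.example URL and the cli-tool client id are hypothetical stand-ins for a real server and client, a fake clock plays the user approving a few seconds later, and the issued tokens are written to a 0600 file inside a 0700 directory, which is the permission discipline the ~/.ssh comparison in Bill's post implies.

```python
"""RFC 8628 device-authorization login for a CLI, client and server simulated in-process.
Added example, not Keycloak code: DemoAuthServer, sso.example and cli-tool are made up."""
import json
import os
import secrets
import tempfile

class FakeClock:  # sleep() advances time and fires scheduled "user on another device" actions
    def __init__(self, start=1000.0):
        self.t, self.actions = start, []
    def now(self):
        return self.t
    def at(self, when, fn):
        self.actions.append((when, fn))
    def sleep(self, seconds):
        self.t += seconds
        due = [a for a in self.actions if a[0] <= self.t]
        self.actions = [a for a in self.actions if a[0] > self.t]
        for _, fn in due:
            fn()

class DemoAuthServer:
    """Hypothetical authorization server: device_authorization and token endpoints only."""
    def __init__(self, clock, interval=5, lifetime=600):
        self.clock, self.interval, self.lifetime, self.pending = clock, interval, lifetime, {}

    def device_authorization(self, client_id):
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))  # e.g. 3F0A-9C12
        self.pending[device_code] = {"client_id": client_id, "user_code": user_code, "approved": False,
                                     "expires_at": self.clock() + self.lifetime, "last_poll": None}
        return {"device_code": device_code, "user_code": user_code, "interval": self.interval,
                "verification_uri": "https://sso.example/device", "expires_in": self.lifetime}

    def approve(self, user_code):
        """Browser side: the user completed the normal login there (password, OTP, ...) and typed the code."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code:
                rec["approved"] = True
                return True
        return False

    def token(self, device_code, client_id):
        rec, now = self.pending.get(device_code), self.clock()
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now > rec["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        last, rec["last_poll"] = rec["last_poll"], now
        if last is not None and now - last < self.interval:
            return {"error": "slow_down"}  # client polled faster than the advertised interval
        if not rec["approved"]:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # a device code is single use
        return {"access_token": secrets.token_urlsafe(32), "refresh_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "expires_in": 300}

def save_tokens(path, tokens):
    """Write the token file atomically with dir 0700 and file 0600, as ssh keeps private keys."""
    os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
    fd = os.open(path + ".tmp", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(tokens, f)
    os.replace(path + ".tmp", path)

def token_file_info(path):
    """(permission bits, stored tokens) for the token file, so callers can verify both."""
    with open(path) as f:
        return os.stat(path).st_mode & 0o777, json.load(f)

def poll_for_token(server, dev, client_id, sleep, path, max_polls=200):
    """CLI side: show the code, then poll the token endpoint honouring interval and slow_down.
    Returns the token response (also saved to path) or the terminal error response."""
    print(f"Open {dev['verification_uri']} on any device and enter code {dev['user_code']}")
    interval = dev["interval"]
    for _ in range(max_polls):
        resp = server.token(dev["device_code"], client_id)
        if "access_token" in resp:
            save_tokens(path, resp)
            return resp
        if resp["error"] not in ("authorization_pending", "slow_down"):
            return resp  # expired_token, access_denied, invalid_grant: report and stop
        if resp["error"] == "slow_down":
            interval += 5  # RFC 8628 section 3.5: back off by 5 seconds
        sleep(interval)
    return {"error": "timeout"}

def run_scenario(approve_after=12, lifetime=600):
    """Drive client and server on a fake clock; returns (final response, token file path)."""
    clock = FakeClock()
    server = DemoAuthServer(clock.now, lifetime=lifetime)
    dev = server.device_authorization("cli-tool")
    if approve_after is not None:  # the user approves on another device some seconds later
        clock.at(clock.now() + approve_after, lambda: server.approve(dev["user_code"]))
    path = os.path.join(tempfile.mkdtemp(), ".sso", "tokens.json")
    return poll_for_token(server, dev, "cli-tool", clock.sleep, path), path
```

run_scenario() walks the happy path (a few authorization_pending polls, then approval and a token file with mode 0600); run_scenario(None, lifetime=20) shows the client stopping on expired_token instead of polling forever. In a real client the DemoAuthServer calls become HTTPS POSTs to the server's device-authorization and token endpoints, and the rules stay the same: sleep for the advertised interval, add five seconds on slow_down, and treat any other error as terminal rather than retrying.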
