[keycloak-dev] generic cli sso utility

Bill Burke bburke at redhat.com
Tue Aug 15 11:47:24 EDT 2017

The end goal I want is that for CLI SSO, Keycloak is the SSO mechanism 
that can do kerberos, client-cert, or whatever mechanism the admin 
desires, and specific app CLI's only worry about propagating bearer 
tokens.  More comments inline:

On 8/15/17 2:46 AM, Stian Thorgersen wrote:
> I don't think leveraging a text-based browser is a good idea:
> * No-one has one installed and they suck big time. You probably need 
> Cygwin on Windows to get one as well
> * Would require special themes to make anything that would be remotely 
> usable
> * Not always usable on a remote shell. You need to do ssh (and other 
> things) with special commands to have an emulated terminal rather than 
> just a stream of characters
> As separate flow and/or extending direct grant to have some sort of 
> challenge/response would probably be better.
> Thinking about 3 different use-cases for the CLI:
> * Desktop - in this case the system browser is probably the best 
> option as there's then SSO between web and CLIs and there's the best 
> UI available
I like KeycloakInstalled, but its still a bit quirky.  Person has to 
manually close the browser. KeycloakInstalled also probably needs a 
themeable splash screen after authentication completes.

> * Server/RSH - in this case wouldn't private/public keys be the best 
> option? SSH does this very well with RSA keys. We could even just use 
> the same keys as SSH by allowing users to upload their public SSH key
Maybe its just a matter of doing an SSO login once and creating and 
storing an offline token?  Could even protect the token by encrypting it 
with a local pin/pw.


More information about the keycloak-dev mailing list