[keycloak-dev] generic cli sso utility

Stian Thorgersen sthorger at redhat.com
Wed Aug 16 07:58:49 EDT 2017

On 15 August 2017 at 17:47, Bill Burke <bburke at redhat.com> wrote:

> The end goal I want is that for CLI SSO, Keycloak is the SSO mechanism
> that can do kerberos, client-cert, or whatever mechanism the admin desires,
> and specific app CLI's only worry about propagating bearer tokens.  More
> comments inline:
> On 8/15/17 2:46 AM, Stian Thorgersen wrote:
>> I don't think leveraging a text-based browser is a good idea:
>> * No-one has one installed and they suck big time. You probably need
>> Cygwin on Windows to get one as well
>> * Would require special themes to make anything that would be remotely
>> usable
>> * Not always usable on a remote shell. You need to do ssh (and other
>> things) with special commands to have an emulated terminal rather than just
>> a stream of characters
>> As separate flow and/or extending direct grant to have some sort of
>> challenge/response would probably be better.
>> Thinking about 3 different use-cases for the CLI:
>> * Desktop - in this case the system browser is probably the best option
>> as there's then SSO between web and CLIs and there's the best UI available
> I like KeycloakInstalled, but its still a bit quirky.  Person has to
> manually close the browser. KeycloakInstalled also probably needs a
> themeable splash screen after authentication completes.

KeycloakInstalled is very rough/quirky. I did it many years ago and it was
kinda just a quick prototype more than anything.

> * Server/RSH - in this case wouldn't private/public keys be the best
>> option? SSH does this very well with RSA keys. We could even just use the
>> same keys as SSH by allowing users to upload their public SSH key
> Maybe its just a matter of doing an SSO login once and creating and
> storing an offline token?  Could even protect the token by encrypting it
> with a local pin/pw.

True an offline token is a nice way to do it, but how do you do the login
once if there's no UI available? You can do direct grant with
username/password, but what if there's OTP or some other even more crazy
auth mechanism in place for the web flow? Kinda where I think there's going
to be a need for a CLI flow and a web flow.

> Bill

More information about the keycloak-dev mailing list