[keycloak-dev] generic cli sso utility

Bill Burke bburke at redhat.com
Wed Aug 16 15:06:49 EDT 2017

On 8/16/17 7:58 AM, Stian Thorgersen wrote:
> On 15 August 2017 at 17:47, Bill Burke <bburke at redhat.com 
> <mailto:bburke at redhat.com>> wrote:
>     The end goal I want is that for CLI SSO, Keycloak is the SSO
>     mechanism that can do kerberos, client-cert, or whatever mechanism
>     the admin desires, and specific app CLI's only worry about
>     propagating bearer tokens.  More comments inline:
>     On 8/15/17 2:46 AM, Stian Thorgersen wrote:
>         I don't think leveraging a text-based browser is a good idea:
>         * No-one has one installed and they suck big time. You
>         probably need Cygwin on Windows to get one as well
>         * Would require special themes to make anything that would be
>         remotely usable
>         * Not always usable on a remote shell. You need to do ssh (and
>         other things) with special commands to have an emulated
>         terminal rather than just a stream of characters
>         As separate flow and/or extending direct grant to have some
>         sort of challenge/response would probably be better.
>         Thinking about 3 different use-cases for the CLI:
>         * Desktop - in this case the system browser is probably the
>         best option as there's then SSO between web and CLIs and
>         there's the best UI available
>     I like KeycloakInstalled, but its still a bit quirky. Person has
>     to manually close the browser. KeycloakInstalled also probably
>     needs a themeable splash screen after authentication completes.
> KeycloakInstalled is very rough/quirky. I did it many years ago and it 
> was kinda just a quick prototype more than anything.
Its actually quite cool.  Thomas Darimount turned me onto it while you 
were gone.  The generic CLI utility I wrote is based on it.

>         * Server/RSH - in this case wouldn't private/public keys be
>         the best option? SSH does this very well with RSA keys. We
>         could even just use the same keys as SSH by allowing users to
>         upload their public SSH key
>     Maybe its just a matter of doing an SSO login once and creating
>     and storing an offline token?  Could even protect the token by
>     encrypting it with a local pin/pw.
> True an offline token is a nice way to do it, but how do you do the 
> login once if there's no UI available? You can do direct grant with 
> username/password, but what if there's OTP or some other even more 
> crazy auth mechanism in place for the web flow? Kinda where I think 
> there's going to be a need for a CLI flow and a web flow.
I feel the same about the eventual need of a CLI flow.


More information about the keycloak-dev mailing list