[keycloak-dev] generic cli sso utility
bburke at redhat.com
Wed Aug 16 15:06:49 EDT 2017
On 8/16/17 7:58 AM, Stian Thorgersen wrote:
> On 15 August 2017 at 17:47, Bill Burke <bburke at redhat.com
> <mailto:bburke at redhat.com>> wrote:
> The end goal I want is that for CLI SSO, Keycloak is the SSO
> mechanism that can do kerberos, client-cert, or whatever mechanism
> the admin desires, and specific app CLIs only worry about
> propagating bearer tokens. More comments inline:
> On 8/15/17 2:46 AM, Stian Thorgersen wrote:
> I don't think leveraging a text-based browser is a good idea:
> * No-one has one installed and they suck big time. You
> probably need Cygwin on Windows to get one as well
> * Would require special themes to make anything that would be
> remotely usable
> * Not always usable on a remote shell. You need to do ssh (and
> other things) with special commands to have an emulated
> terminal rather than just a stream of characters
> As separate flow and/or extending direct grant to have some
> sort of challenge/response would probably be better.
> Thinking about 3 different use-cases for the CLI:
> * Desktop - in this case the system browser is probably the
> best option as there's then SSO between web and CLIs and
> there's the best UI available
> I like KeycloakInstalled, but it's still a bit quirky. Person has
> to manually close the browser. KeycloakInstalled also probably
> needs a themeable splash screen after authentication completes.
> KeycloakInstalled is very rough/quirky. I did it many years ago and it
> was kinda just a quick prototype more than anything.
It's actually quite cool. Thomas Darimont turned me onto it while you
were gone. The generic CLI utility I wrote is based on it.
> * Server/RSH - in this case wouldn't private/public keys be
> the best option? SSH does this very well with RSA keys. We
> could even just use the same keys as SSH by allowing users to
> upload their public SSH key
> Maybe it's just a matter of doing an SSO login once and creating
> and storing an offline token? Could even protect the token by
> encrypting it with a local pin/pw.
> True an offline token is a nice way to do it, but how do you do the
> login once if there's no UI available? You can do direct grant with
> username/password, but what if there's OTP or some other even more
> crazy auth mechanism in place for the web flow? Kinda where I think
> there's going to be a need for a CLI flow and a web flow.
I feel the same about the eventual need of a CLI flow.
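Added example, not code from Keycloak, KeycloakInstalled, or anyone in this thread: a stdlib-only Python sketch of the "desktop" case discussed above. The CLI opens the system browser, listens on a loopback port for the redirect, binds the login to this process with a random state and a PKCE verifier, asks for the offline_access scope so a later run can refresh without a browser, and stores the resulting offline token in a mode-0600 file. The issuer and client id are hypothetical; the endpoint paths are Keycloak's standard openid-connect ones. Encrypting the stored token with a local pin, as suggested above, is left out because the standard library has no authenticated cipher.

```python
import base64
import hashlib
import http.server
import json
import os
import secrets
import urllib.parse
import urllib.request
import webbrowser

# Hypothetical deployment values (assumption); replace with your realm's.
ISSUER = "https://keycloak.example.com/auth/realms/demo"
CLIENT_ID = "cli-sso-demo"


def make_pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_auth_url(issuer, client_id, redirect_uri, state, challenge, offline=True):
    """Authorization URL to open in the browser. offline=True adds Keycloak's
    offline_access scope so the token response carries an offline refresh token."""
    scope = "openid offline_access" if offline else "openid"
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return issuer + "/protocol/openid-connect/auth?" + urllib.parse.urlencode(params)


def parse_callback(query, expected_state):
    """Validate the loopback redirect: a missing or mismatched state means the
    request did not come from the login this process started, so it is rejected."""
    q = urllib.parse.parse_qs(query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not produced by this login")
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"][0])
    code = q.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(issuer, client_id, code, verifier, redirect_uri):
    """(url, body) for the code-for-token exchange of a public client: no client
    secret, the PKCE verifier proves the exchange belongs to the same process."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }).encode()
    return issuer + "/protocol/openid-connect/token", body


def save_offline_token(path, refresh_token):
    """Persist the offline token readable by the owner only (0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(refresh_token)
    return path


class _CallbackHandler(http.server.BaseHTTPRequestHandler):
    """One-shot handler: records the query string and tells the user the
    browser tab can be closed (the splash screen the thread asks for)."""
    def do_GET(self):
        self.server.query = urllib.parse.urlsplit(self.path).query
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.end_headers()
        self.wfile.write(b"<h1>Login complete</h1>You can close this window.")

    def log_message(self, *args):  # keep the CLI output quiet
        pass


def login_via_browser(issuer=ISSUER, client_id=CLIENT_ID, token_path="offline.token"):
    """Full desktop flow: ephemeral loopback listener, system browser, one callback,
    token exchange, offline token stored. Returns the access token."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _CallbackHandler)
    srv.query = None
    srv.timeout = 300  # seconds to wait for the user to finish in the browser
    redirect_uri = "http://127.0.0.1:%d/callback" % srv.server_address[1]
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    webbrowser.open(build_auth_url(issuer, client_id, redirect_uri, state, challenge))
    srv.handle_request()  # serves exactly one request, then returns
    srv.server_close()
    if srv.query is None:
        raise TimeoutError("no callback received from the browser")
    code = parse_callback(srv.query, state)
    url, body = build_token_request(issuer, client_id, code, verifier, redirect_uri)
    with urllib.request.urlopen(url, data=body) as resp:
        tokens = json.load(resp)
    save_offline_token(token_path, tokens["refresh_token"])
    return tokens["access_token"]
```

Binding to port 0 lets the OS pick a free loopback port, which is why the Keycloak client has to allow a wildcard loopback redirect such as `http://127.0.0.1:*/callback`. A later run can present the stored offline token to the same token endpoint with `grant_type=refresh_token` and never touch a browser, which is the "login once" part of the suggestion above.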