[keycloak-dev] kcinit console sso tool

Bill Burke bburke at redhat.com
Thu Mar 15 10:41:56 EDT 2018


On Wed, Mar 14, 2018 at 3:15 PM, Stian Thorgersen <sthorger at redhat.com> wrote:
>
>
> On 12 March 2018 at 18:59, Bill Burke <bburke at redhat.com> wrote:
>>
>> On Mon, Mar 12, 2018 at 10:16 AM, Stian Thorgersen <sthorger at redhat.com> wrote:
>> > Very cool. A few questions/comments:
>> >
>> > * As it's Java based it does make it harder to package/install. Compare
>> > 'oc' tool for instance to our 'kcadmin' and 'kcclient' tools. Not sure
>> > how realistic it would be to write our CLI tools in for instance Go
>> > though.
>> >
>>
>> It's a pretty simple tool so it could be ported.  The only thing that
>> might be a tiny bit challenging is making sure there's crypto stuff
>> available in another language to encrypt/decrypt token files.  Might
>> be a nice little project for me to learn Go.
>>
>> > * I assume the console display is optional and it basically means that
>> > you can only use authenticators that support this rather than all
>> > authenticators require to implement it.
>> >
>>
>> I don't have a switch to launch browser, but, I could as this
>> functionality is already implemented.  Not sure if that would be
>> portable to Go or another language though.  Java has a facility to
>> automatically launch browser (I think you know that already as you
>> wrote KeycloakInstalled).
>
>
> That would be pretty cool, but I wasn't thinking that far. I was just
> basically thinking that authenticators have to be written to support this,
> rather than all authenticators have to support this.

Pretty cool?  LOL!  You implemented the browser stuff!

It's not a requirement to support this when writing an authenticator.


>
> I got no clue how they work, but what I meant is the fact that ssh-agent
> allows you to unlock the keys automatically when you login to your browser.
>
> If you have to provide a password to unlock the tokens every time you open a
> new shell does it actually provide a nicer experience than just doing
> username/password to login again with resource owner credential grant?
>

I agree it sucks.  I think I'm going to get rid of password protection
for now.   I researched things a bit last night, and at least for
Golang, there is a cross-platform library for storing passwords in the
OS's keyring that might be useful.

https://github.com/zalando/go-keyring

I'll look into that when I port this tool to Go.

-- 
Bill Burke
Red Hat

