[keycloak-dev] kcinit screencast

Stian Thorgersen sthorger at redhat.com
Wed Mar 21 10:08:58 EDT 2018


That's really nice. First time I see OAuth done well from the command line.

I think it could do with some more newlines in places to space the outputs
a bit more apart. Minor thing though.

Thinking a bit about the confidential client when invoking the token
exchange. As kcinit really is a public client how do you envision folks
would use that?

Could another option be to use the ID token (or some other special SSO
login token) to allow obtaining tokens for different clients?

I was thinking something like "kcinit login" obtains the ID token (or the
other SSO login token aka something to replace the SSO cookie on web). It
could also request an offline session to have the tool connected long term
(i.e. for a bot or something). Then next time you want to obtain a token
for a specific client it can just pass this SSO login token instead of user
creds to retrieve tokens for that app.

One question which is relevant if you use token exchange as well as if
there's some sort of SSO login token is how do we prevent an application
from obtaining a token for another app. App A for instance could just
invoke kcinit internally without the user knowing about it to obtain token
for App B.



On 21 March 2018 at 00:03, Bill Burke <bburke at redhat.com> wrote:

> http://youtu.be/uwkggE25TjM?hd=1
>
> --
> Bill Burke
> Red Hat
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
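The last paragraph of the reply asks how an issuer would stop App A from driving kcinit internally to obtain a token for App B once an SSO login token exists. The following is an added illustration, not Keycloak's or kcinit's code, of the shape such a check takes on the token-exchange side: a toy issuer mints an SSO login token bound to the client that performed the login (`azp`), and the exchange endpoint consults an explicit policy table before minting a token for a target client. The HMAC token format, the `typ`/`aud` values, the `EXCHANGE_POLICY` table and all client names are constructed for this example. The caveat it makes visible is the one the mail raises: the policy can only bind to the requester identity the issuer can actually verify, so for a public client like kcinit the check limits which targets kcinit may reach, but cannot by itself tell kcinit apart from an application that invokes kcinit.

```python
"""Added example (not Keycloak's or kcinit's code): a toy token-exchange policy
that decides whether the holder of an SSO login token may obtain a token for a
given target client.  All names, claims beyond the standard sub/aud/azp, and
the policy table are constructed for this example."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key-not-for-real-use"  # constructed; a real issuer uses a JWS key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict) -> str:
    """Serialize claims and append an HMAC tag (stand-in for a JWS signature)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_token(token: str) -> dict:
    """Check the tag and expiry, then return the claims; raise ValueError otherwise."""
    body, tag = token.split(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(tag)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims["exp"] < time.time():
        raise ValueError("expired")
    return claims


def is_valid(token: str) -> bool:
    """Boolean wrapper around verify_token, convenient for checks and tests."""
    try:
        verify_token(token)
        return True
    except ValueError:
        return False


def issue_login_token(user: str, via_client: str, offline: bool = False) -> str:
    """What 'kcinit login' would receive: a token tied to the user and to the
    client that performed the login (azp), usable only at the exchange endpoint.
    offline=True models the long-lived session the mail mentions for bots."""
    lifetime = 30 * 24 * 3600 if offline else 10 * 60  # constructed lifetimes
    return sign_token({
        "sub": user, "azp": via_client, "aud": "token-exchange",
        "typ": "sso-login", "exp": int(time.time()) + lifetime,
    })


# Constructed policy: which login-token holder may obtain tokens for which
# target clients.  This table is the check the mail's last paragraph asks for.
EXCHANGE_POLICY = {
    "kcinit": {"app-a", "app-b"},  # the interactive CLI may target either app
    "app-a": set(),                # app A may not mint tokens for any other app
}


def exchange(login_token: str, target_client: str, requester: str,
             enforce_policy: bool = True) -> str:
    """Swap an SSO login token for an access token scoped to target_client.

    requester is the client identity the exchange endpoint attributes to the
    caller.  Only a confidential client can prove that identity; a public
    client merely claims it, which is the limitation the mail points at."""
    claims = verify_token(login_token)
    if claims.get("typ") != "sso-login" or claims.get("aud") != "token-exchange":
        raise PermissionError("not an SSO login token")
    if enforce_policy:
        # Without this block anyone holding the login token can mint a token
        # for any app, which is exactly the App A -> App B concern.
        if requester != claims["azp"]:
            raise PermissionError("login token was issued to a different client")
        if target_client not in EXCHANGE_POLICY.get(requester, set()):
            raise PermissionError(f"{requester} may not obtain tokens for {target_client}")
    return sign_token({
        "sub": claims["sub"], "aud": target_client, "azp": requester,
        "typ": "access", "exp": int(time.time()) + 300,
    })


def demo() -> dict:
    """Run the three scenarios and return their outcomes as a dict."""
    login = issue_login_token("alice", via_client="kcinit")
    out = {"cli_to_app_b": verify_token(exchange(login, "app-b", "kcinit"))["aud"]}
    try:
        exchange(login, "app-b", "app-a")
        out["app_a_to_app_b"] = "allowed"
    except PermissionError:
        out["app_a_to_app_b"] = "refused"
    # With the policy disabled the same call succeeds: the concern in the mail.
    out["unchecked"] = verify_token(exchange(login, "app-b", "app-a", enforce_policy=False))["aud"]
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the `requester != claims["azp"]` comparison is that the exchange binds to the client that originally logged the user in, not to whoever presents the token; the policy table then limits that client's reach. Both checks are only as strong as the issuer's ability to authenticate `requester`, which is why the mail's question about a confidential client versus a public kcinit is not answered by the policy alone.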
