Re: [keycloak-dev] Opinion on how secret the OIDC "client secret" should be?
On Mon, Sep 19, 2016 at 2:50 AM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
As kubectl is a CLI installed on end-user machines it's a public
client. For
a CLI I'd use a system browser and make the CLI start a temporary web server
on localhost:XXXX, or I'd fallback to using resource owner password cred.
Thanks Stian, to be clear you're saying that you would NOT recommend
distributing the client secret to end users?
ID token is an authentication token. So if you use that you should
use it to
authenticate with the service kubectl invokes and set up a session cookie to
preserve the security context. Would make more sense to me to use the access
token though, and have kubectl responsible to refresh it.
I think what you are describing is similar to how OpenStack works
where you get a Keystone token after authenticating?