Re: [keycloak-dev] Opinion on how secret the OIDC "client secret" should be?

On Mon, Sep 19, 2016 at 2:50 AM, Stian Thorgersen <sthorger(a)redhat.com&gt; wrote: > As kubectl is a CLI installed on end-user machines it's a public client. For > a CLI I'd use a system browser and make the CLI start a temporary web server > on localhost:XXXX, or I'd fallback to using resource owner password cred. > Thanks Stian, to be clear you're saying that you would NOT recommend distributing the client secret to end users?

> ID token is an authentication token. So if you use that you should use it to > authenticate with the service kubectl invokes and set up a session cookie to > preserve the security context. Would make more sense to me to use the access > token though, and have kubectl responsible to refresh it. I think what you are describing is similar to how OpenStack works where you get a Keystone token after authenticating?