On 8/16/17 7:58 AM, Stian Thorgersen wrote:
> On 15 August 2017 at 17:47, Bill Burke <bburke(a)redhat.com
> <mailto:bburke@redhat.com>> wrote:
>> The end goal I want is that for CLI SSO, Keycloak is the SSO
>> mechanism that can do kerberos, client-cert, or whatever mechanism
>> the admin desires, and specific app CLIs only worry about
>> propagating bearer tokens. More comments inline:
>> On 8/15/17 2:46 AM, Stian Thorgersen wrote:
>>> I don't think leveraging a text-based browser is a good idea:
>>> * No-one has one installed and they suck big time. You
>>> probably need Cygwin on Windows to get one as well
>>> * Would require special themes to make anything that would be
>>> remotely usable
>>> * Not always usable on a remote shell. You need to do ssh (and
>>> other things) with special commands to have an emulated
>>> terminal rather than just a stream of characters
>>> A separate flow and/or extending direct grant to have some
>>> sort of challenge/response would probably be better.
>>> Thinking about 3 different use-cases for the CLI:
>>> * Desktop - in this case the system browser is probably the
>>> best option as there's then SSO between web and CLIs and
>>> there's the best UI available
>> I like KeycloakInstalled, but it's still a bit quirky. The person has
>> to manually close the browser. KeycloakInstalled also probably
>> needs a themeable splash screen after authentication completes.
> KeycloakInstalled is very rough/quirky. I did it many years ago and it
> was kinda just a quick prototype more than anything.
It's actually quite cool.
Thomas Darimount turned me onto it while you
were gone. The generic CLI utility I wrote is based on it.
>>> * Server/RSH - in this case wouldn't private/public keys be
>>> the best option? SSH does this very well with RSA keys. We
>>> could even just use the same keys as SSH by allowing users to
>>> upload their public SSH key
>> Maybe it's just a matter of doing an SSO login once and creating
>> and storing an offline token? Could even protect the token by
>> encrypting it with a local pin/pw.
> True, an offline token is a nice way to do it, but how do you do the
> login once if there's no UI available? You can do direct grant with
> username/password, but what if there's OTP or some other even more
> crazy auth mechanism in place for the web flow? Kinda where I think
> there's going to be a need for a CLI flow and a web flow.
I feel the same about
the eventual need of a CLI flow.
Bill