The end goal I want is that for CLI SSO, Keycloak is the SSO mechanism
that can do Kerberos, client-cert, or whatever mechanism the admin
desires, and specific app CLIs only worry about propagating bearer
tokens. More comments inline:

On 8/15/17 2:46 AM, Stian Thorgersen wrote:
> I don't think leveraging a text-based browser is a good idea:
>
> * No-one has one installed and they suck big time. You probably need
>   Cygwin on Windows to get one as well
> * Would require special themes to make anything that would be remotely
>   usable
> * Not always usable on a remote shell. You need to do ssh (and other
>   things) with special commands to have an emulated terminal rather than
>   just a stream of characters
>
> A separate flow and/or extending direct grant to have some sort of
> challenge/response would probably be better.
>
> Thinking about 3 different use-cases for the CLI:
>
> * Desktop - in this case the system browser is probably the best
>   option as there's then SSO between web and CLIs and there's the best
>   UI available

I like KeycloakInstalled, but it's still a bit quirky. Person has to
manually close the browser. KeycloakInstalled also probably needs a
themeable splash screen after authentication completes.

> * Server/RSH - in this case wouldn't private/public keys be the best
>   option? SSH does this very well with RSA keys. We could even just use
>   the same keys as SSH by allowing users to upload their public SSH key

Maybe it's just a matter of doing an SSO login once and creating and
storing an offline token? Could even protect the token by encrypting it
with a local pin/pw.

Bill