I've developed a small command line utility around Keycloak Installed. The idea is that this utility performs a login with keycloak to obtain an access token. This utility saves the access and refresh token in a file (similar to how ssh does in .ssh). Then bash scripts can be used to export the access token as an environment variable so it can be used by other command line utilities. https://github.com/patriot1burke/keycloak/blob/master/adapters/oidc/insta... https://github.com/patriot1burke/keycloak/tree/master/adapters/oidc/cli-sso Eventually I'm thinking of creating a text/plain protocol with Keycloak server so that launching a browser or cutting/pasting between the command line window and browser isn't a requirement. It woudl be a plain text challenge response protocol. This would require a bit more work as it would require reworking all of our built in authenticators and required action plugins. _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev

For this exact reason it can't use the browser based flow rather it should the direct grant (or some other flow?!?). On 4 August 2017 at 10:09, Marek Posolda <mposolda(a)redhat.com&gt; wrote: > I wonder if it's possible to have CLI utility, which is able to read > HTML with the form and challenge user based on that? For example once it > receives the HTML like this: > > <form> > Username: <input name="username" /> > Password: <input name="password" type="password" /> > </form> > > Then in command line, user will be challenged for username and password. > > I am not sure if it's doable in practice and how much work it is. Sounds > like re-implementing browser in command line. But maybe something like > this exists already? > > BTV. Some things will never work in CLI in my opinion. For example: > - Registration with captcha > - TOTP setup > - Broker login (but hopefully some brokers offer alternatives) > > Marek > > > On 28/07/17 22:36, Bill Burke wrote: > > I've developed a small command line utility around Keycloak Installed. > > The idea is that this utility performs a login with keycloak to obtain > > an access token. This utility saves the access and refresh token in a > > file (similar to how ssh does in .ssh). Then bash scripts can be used to > > export the access token as an environment variable so it can be used by > > other command line utilities. > > > > > > https://github.com/patriot1burke/keycloak/blob/master/adapters/oidc/ > installed/src/main/java/org/keycloak/adapters/installed/ > KeycloakCliSso.java > > > > https://github.com/patriot1burke/keycloak/tree/ > master/adapters/oidc/cli-sso > > > > > > Eventually I'm thinking of creating a text/plain protocol with Keycloak > > server so that launching a browser or cutting/pasting between the > > command line window and browser isn't a requirement. It woudl be a plain > > text challenge response protocol. This would require a bit more work as > > it would require reworking all of our built in authenticators and > > required action plugins. > > > > _______________________________________________ > > keycloak-dev mailing list > > keycloak-dev(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev

You can't use direct grant as the CLI won't know what credential input is required. i.e. pw only, pw + otp, pw + sms, etc.... Right now the CLI tool I wrote uses the KeycloakInstalled stuff you did Stian and stores tokens in a hidden directory. I would eventually like to make it RSH friendly and define a flow that was text based and displayable to the console. All with kerberos and client cert support too. Maybe this is something we can do with a text-based browser (Lynx)? Not sure how KeycloakInstalled would detect this and be able to run it though. Also configuratoin for kerveros and client cert would be problematic. On 8/14/17 7:08 AM, Stian Thorgersen wrote: For this exact reason it can't use the browser based flow rather it should the direct grant (or some other flow?!?). On 4 August 2017 at 10:09, Marek Posolda <mposolda(a)redhat.com&gt; wrote: > I wonder if it's possible to have CLI utility, which is able to read > HTML with the form and challenge user based on that? For example once it > receives the HTML like this: > > <form> > Username: <input name="username" /> > Password: <input name="password" type="password" /> > </form> > > Then in command line, user will be challenged for username and password. > > I am not sure if it's doable in practice and how much work it is. Sounds > like re-implementing browser in command line. But maybe something like > this exists already? > > BTV. Some things will never work in CLI in my opinion. For example: > - Registration with captcha > - TOTP setup > - Broker login (but hopefully some brokers offer alternatives) > > Marek > > > On 28/07/17 22:36, Bill Burke wrote: > > I've developed a small command line utility around Keycloak Installed. > > The idea is that this utility performs a login with keycloak to obtain > > an access token. This utility saves the access and refresh token in a > > file (similar to how ssh does in .ssh). Then bash scripts can be used to > > export the access token as an environment variable so it can be used by > > other command line utilities. > > > > > > https://github.com/patriot1burke/keycloak/blob/master/ > adapters/oidc/installed/src/main/java/org/keycloak/ > adapters/installed/KeycloakCliSso.java > > > > https://github.com/patriot1burke/keycloak/tree/master/ > adapters/oidc/cli-sso > > > > > > Eventually I'm thinking of creating a text/plain protocol with Keycloak > > server so that launching a browser or cutting/pasting between the > > command line window and browser isn't a requirement. It woudl be a plain > > text challenge response protocol. This would require a bit more work as > > it would require reworking all of our built in authenticators and > > required action plugins. > > > > _______________________________________________ > > keycloak-dev mailing list > > keycloak-dev(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev >

Maybe its just a matter of doing an SSO login once and creating and storing an offline token? Could even protect the token by encrypting it with a local pin/pw.

On 08/15/2017 11:47 AM, Bill Burke wrote: > Maybe its just a matter of doing an SSO login once and creating and > storing an offline token? Could even protect the token by encrypting it > with a local pin/pw. Why not use the platform keyring?

On 15 August 2017 at 17:47, Bill Burke <bburke(a)redhat.com <mailto:bburke@redhat.com>> wrote: The end goal I want is that for CLI SSO, Keycloak is the SSO mechanism that can do kerberos, client-cert, or whatever mechanism the admin desires, and specific app CLI's only worry about propagating bearer tokens. More comments inline: On 8/15/17 2:46 AM, Stian Thorgersen wrote: I don't think leveraging a text-based browser is a good idea: * No-one has one installed and they suck big time. You probably need Cygwin on Windows to get one as well * Would require special themes to make anything that would be remotely usable * Not always usable on a remote shell. You need to do ssh (and other things) with special commands to have an emulated terminal rather than just a stream of characters As separate flow and/or extending direct grant to have some sort of challenge/response would probably be better. Thinking about 3 different use-cases for the CLI: * Desktop - in this case the system browser is probably the best option as there's then SSO between web and CLIs and there's the best UI available I like KeycloakInstalled, but its still a bit quirky. Person has to manually close the browser. KeycloakInstalled also probably needs a themeable splash screen after authentication completes. KeycloakInstalled is very rough/quirky. I did it many years ago and it was kinda just a quick prototype more than anything.

* Server/RSH - in this case wouldn't private/public keys be the best option? SSH does this very well with RSA keys. We could even just use the same keys as SSH by allowing users to upload their public SSH key Maybe its just a matter of doing an SSO login once and creating and storing an offline token? Could even protect the token by encrypting it with a local pin/pw. True an offline token is a nice way to do it, but how do you do the login once if there's no UI available? You can do direct grant with username/password, but what if there's OTP or some other even more crazy auth mechanism in place for the web flow? Kinda where I think there's going to be a need for a CLI flow and a web flow.