On 15 August 2017 at 17:47, Bill Burke <bburke(a)redhat.com> wrote:
The end goal I want is that for CLI SSO, Keycloak is the SSO
that can do kerberos, client-cert, or whatever mechanism the admin desires,
and specific app CLI's only worry about propagating bearer tokens. More
On 8/15/17 2:46 AM, Stian Thorgersen wrote:
> I don't think leveraging a text-based browser is a good idea:
> * No-one has one installed and they suck big time. You probably need
> Cygwin on Windows to get one as well
> * Would require special themes to make anything that would be remotely
> * Not always usable on a remote shell. You need to do ssh (and other
> things) with special commands to have an emulated terminal rather than just
> a stream of characters
> As separate flow and/or extending direct grant to have some sort of
> challenge/response would probably be better.
> Thinking about 3 different use-cases for the CLI:
> * Desktop - in this case the system browser is probably the best option
> as there's then SSO between web and CLIs and there's the best UI available
I like KeycloakInstalled, but its still a bit quirky. Person has to
manually close the browser. KeycloakInstalled also probably needs a
themeable splash screen after authentication completes.
KeycloakInstalled is very rough/quirky. I did it many years ago and it was
kinda just a quick prototype more than anything.
* Server/RSH - in this case wouldn't private/public keys be the best
> option? SSH does this very well with RSA keys. We could even just use the
> same keys as SSH by allowing users to upload their public SSH key
Maybe its just a matter of doing an SSO login once and creating and
storing an offline token? Could even protect the token by encrypting it
with a local pin/pw.
True an offline token is a nice way to do it, but how do you do the login
once if there's no UI available? You can do direct grant with
username/password, but what if there's OTP or some other even more crazy
auth mechanism in place for the web flow? Kinda where I think there's going
to be a need for a CLI flow and a web flow.