[keycloak-dev] Opinion on how secret the OIDC "client secret" should be?

Marc Boorshtein marc.boorshtein at tremolosecurity.com
Mon Sep 19 09:02:11 EDT 2016


On Mon, Sep 19, 2016 at 2:50 AM, Stian Thorgersen <sthorger at redhat.com> wrote:
> As kubectl is a CLI installed on end-user machines it's a public client. For
> a CLI I'd use a system browser and make the CLI start a temporary web server
> on localhost:XXXX, or I'd fallback to using resource owner password cred.
>


Thanks Stian. To be clear, you're saying that you would NOT recommend
distributing the client secret to end users?


> ID token is an authentication token. So if you use that you should use it to
> authenticate with the service kubectl invokes and set up a session cookie to
> preserve the security context. Would make more sense to me to use the access
> token though, and have kubectl responsible to refresh it.

I think what you are describing is similar to how OpenStack works
where you get a Keystone token after authenticating?
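As an added illustration (not code from this thread, and not Keycloak's or kubectl's own), here is the loopback pattern Stian describes: the CLI acts as a public client with no embedded secret, opens the system browser, and catches the authorization-code redirect on a random localhost port, rejecting any callback whose `state` does not match. The authorization endpoint, client_id and callback path are constructed placeholders.

```python
import secrets
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder endpoint (hypothetical realm); nothing secret lives here.
AUTH_ENDPOINT = "https://keycloak.example/auth/realms/demo/protocol/openid-connect/auth"


def build_auth_url(client_id, redirect_uri, state):
    """Authorization-code request for a public client: no client_secret parameter."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid", "state": state}
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_callback(path, expected_state):
    """Extract the code from the loopback redirect; return None on state mismatch
    (a redirect the CLI did not initiate must not be accepted)."""
    qs = parse_qs(urlparse(path).query)
    if qs.get("state", [None])[0] != expected_state:
        return None
    return qs.get("code", [None])[0]


class _CallbackHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        code = parse_callback(self.path, self.server.expected_state)
        self.server.auth_code = code
        self.send_response(200 if code else 400)
        self.end_headers()
        self.wfile.write(b"Login complete, you may close this tab." if code else b"Bad state")

    def log_message(self, *args):  # keep the code and state out of stdout
        pass


def run_loopback_login(client_id, open_browser=True):
    """Bind a random 127.0.0.1 port, send the user to the IdP, serve one redirect."""
    server = HTTPServer(("127.0.0.1", 0), _CallbackHandler)
    server.expected_state = secrets.token_urlsafe(16)
    server.auth_code = None
    redirect_uri = f"http://127.0.0.1:{server.server_port}/callback"
    if open_browser:
        webbrowser.open(build_auth_url(client_id, redirect_uri, server.expected_state))
    server.handle_request()  # handle exactly one request, then stop listening
    server.server_close()
    return server.auth_code  # exchange at the token endpoint, again without a secret
```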

