[keycloak-dev] Opinion on how secret the OIDC "client secret" should be?
Stian Thorgersen
sthorger at redhat.com
Mon Sep 19 09:30:42 EDT 2016
On 19 September 2016 at 15:02, Marc Boorshtein <
marc.boorshtein at tremolosecurity.com> wrote:
> On Mon, Sep 19, 2016 at 2:50 AM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
> > As kubectl is a CLI installed on end-user machines it's a public client.
> For
> > a CLI I'd use a system browser and make the CLI start a temporary web
> server
> > on localhost:XXXX, or I'd fallback to using resource owner password cred.
> >
>
>
> Thanks Stian, to be clear you're saying that you would NOT recommend
> distributing the client secret to end users?
>
WIth Keycloak I'd go with a public client if you want the CLI to handle
retrieving tokens.
>
>
> > ID token is an authentication token. So if you use that you should use
> it to
> > authenticate with the service kubectl invokes and set up a session
> cookie to
> > preserve the security context. Would make more sense to me to use the
> access
> > token though, and have kubectl responsible to refresh it.
>
> I think what you are describing is similar to how OpenStack works
> where you get a Keystone token after authenticating?
>
Not sure, I don't know the details of OpenStack or Keystone
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160919/b951cf1c/attachment.html
More information about the keycloak-dev
mailing list