[keycloak-dev] Opinion on how secret the OIDC "client secret" should be?

Stian Thorgersen sthorger at redhat.com
Mon Sep 19 09:30:42 EDT 2016

On 19 September 2016 at 15:02, Marc Boorshtein <
marc.boorshtein at tremolosecurity.com> wrote:

> On Mon, Sep 19, 2016 at 2:50 AM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
> > As kubectl is a CLI installed on end-user machines it's a public client.
> For
> > a CLI I'd use a system browser and make the CLI start a temporary web
> server
> > on localhost:XXXX, or I'd fallback to using resource owner password cred.
> >
> Thanks Stian, to be clear you're saying that you would NOT recommend
> distributing the client secret to end users?

WIth Keycloak I'd go with a public client if you want the CLI to handle
retrieving tokens.

> > ID token is an authentication token. So if you use that you should use
> it to
> > authenticate with the service kubectl invokes and set up a session
> cookie to
> > preserve the security context. Would make more sense to me to use the
> access
> > token though, and have kubectl responsible to refresh it.
> I think what you are describing is similar to how OpenStack works
> where you get a Keystone token after authenticating?

Not sure, I don't know the details of OpenStack or Keystone
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160919/b951cf1c/attachment.html 

More information about the keycloak-dev mailing list