[keycloak-dev] generic cli sso utility
Bill Burke
bburke at redhat.com
Mon Aug 14 09:56:32 EDT 2017
You can't use direct grant as the CLI won't know what credential input
is required. i.e. pw only, pw + otp, pw + sms, etc.... Right now the CLI
tool I wrote uses the KeycloakInstalled stuff you did Stian and stores
tokens in a hidden directory.
I would eventually like to make it RSH friendly and define a flow that
was text based and displayable to the console. All with kerberos and
client cert support too. Maybe this is something we can do with a
text-based browser (Lynx)? Not sure how KeycloakInstalled would detect
this and be able to run it though. Also configuration for Kerberos and
client cert would be problematic.
On 8/14/17 7:08 AM, Stian Thorgersen wrote:
> For this exact reason it can't use the browser based flow rather it
> should use the direct grant (or some other flow?!?).
>
> On 4 August 2017 at 10:09, Marek Posolda <mposolda at redhat.com> wrote:
>
> I wonder if it's possible to have CLI utility, which is able to read
> HTML with the form and challenge user based on that? For example
> once it receives the HTML like this:
>
> <form>
> Username: <input name="username" />
> Password: <input name="password" type="password" />
> </form>
>
> Then in command line, user will be challenged for username and
> password.
>
> I am not sure if it's doable in practice and how much work it is.
> Sounds like re-implementing browser in command line. But maybe
> something like this exists already?
>
> BTW. Some things will never work in CLI in my opinion. For example:
> - Registration with captcha
> - TOTP setup
> - Broker login (but hopefully some brokers offer alternatives)
>
> Marek
>
>
> On 28/07/17 22:36, Bill Burke wrote:
> > I've developed a small command line utility around Keycloak
> > Installed. The idea is that this utility performs a login with
> > keycloak to obtain an access token. This utility saves the access
> > and refresh token in a file (similar to how ssh does in .ssh). Then
> > bash scripts can be used to export the access token as an
> > environment variable so it can be used by other command line
> > utilities.
> >
> >
> >
> > https://github.com/patriot1burke/keycloak/blob/master/adapters/oidc/installed/src/main/java/org/keycloak/adapters/installed/KeycloakCliSso.java
> >
> >
> > https://github.com/patriot1burke/keycloak/tree/master/adapters/oidc/cli-sso
> >
> >
> > Eventually I'm thinking of creating a text/plain protocol with
> > Keycloak server so that launching a browser or cutting/pasting
> > between the command line window and browser isn't a requirement. It
> > would be a plain text challenge response protocol. This would
> > require a bit more work as it would require reworking all of our
> > built in authenticators and required action plugins.
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> <https://lists.jboss.org/mailman/listinfo/keycloak-dev>
>
>
>
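
The form-driven prompting raised in the quoted message from Marek, as an added example that is not part of the thread or of Keycloak's code: a parser that turns a login form into console prompts, reads password fields without echo, returns hidden fields unchanged, and refuses field types it cannot render. The names `FormChallengeParser`, `parse_challenge` and `answer`, the form's `action` and the `session_code` hidden field are hypothetical and constructed for this sketch.

```python
import getpass
from html.parser import HTMLParser
# The form quoted in the thread; action and hidden field are constructed.
SAMPLE = """<form action="/login-step">
<input type="hidden" name="session_code" value="constructed-123" />
Username: <input name="username" />
Password: <input name="password" type="password" />
</form>"""

class FormChallengeParser(HTMLParser):  # hypothetical helper
    def __init__(self):
        super().__init__()
        self.action, self.prompts, self.hidden = "", [], {}
        self._in_form, self._label = False, ""

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._in_form, self.action = True, a.get("action") or ""
        elif tag == "input" and self._in_form and a.get("name"):
            kind, name = (a.get("type") or "text").lower(), a["name"]
            if kind == "hidden":
                self.hidden[name] = a.get("value") or ""  # sent back, never shown
            elif kind in ("text", "password"):
                label = self._label.strip().rstrip(":") or name
                self.prompts.append((name, label, kind == "password"))
            elif kind != "submit":  # fail closed on fields a console cannot render
                raise ValueError(f"cannot prompt for input type {kind!r}")
            self._label = ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False

    def handle_data(self, data):
        if self._in_form:
            self._label += data  # text before an input becomes its prompt label

def parse_challenge(html):
    parser = FormChallengeParser()
    parser.feed(html)
    parser.close()
    return parser

def answer(challenge, ask=input, ask_secret=getpass.getpass):
    data = dict(challenge.hidden)  # password fields are read without echo
    for name, label, secret in challenge.prompts:
        data[name] = (ask_secret if secret else ask)(f"{label}: ")
    return data
```

Calling `answer(parse_challenge(SAMPLE))` on a terminal asks for "Username" with echo and "Password" without, and returns the dictionary to post back to the form's action.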