[keycloak-dev] generic cli sso utility
Bill Burke
bburke at redhat.com
Tue Aug 15 11:47:24 EDT 2017
The end goal I want is that for CLI SSO, Keycloak is the SSO mechanism
that can do kerberos, client-cert, or whatever mechanism the admin
desires, and specific app CLIs only worry about propagating bearer
tokens. More comments inline:
On 8/15/17 2:46 AM, Stian Thorgersen wrote:
> I don't think leveraging a text-based browser is a good idea:
>
> * No-one has one installed and they suck big time. You probably need
> Cygwin on Windows to get one as well
> * Would require special themes to make anything that would be remotely
> usable
> * Not always usable on a remote shell. You need to do ssh (and other
> things) with special commands to have an emulated terminal rather than
> just a stream of characters
>
> A separate flow and/or extending direct grant to have some sort of
> challenge/response would probably be better.
>
> Thinking about 3 different use-cases for the CLI:
>
> * Desktop - in this case the system browser is probably the best
> option as there's then SSO between web and CLIs and there's the best
> UI available
I like KeycloakInstalled, but it's still a bit quirky. Person has to
manually close the browser. KeycloakInstalled also probably needs a
themeable splash screen after authentication completes.
> * Server/RSH - in this case wouldn't private/public keys be the best
> option? SSH does this very well with RSA keys. We could even just use
> the same keys as SSH by allowing users to upload their public SSH key
Maybe it's just a matter of doing an SSO login once and creating and
storing an offline token? Could even protect the token by encrypting it
with a local pin/pw.
Bill
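
The idea raised in the message above, keeping an offline token on disk encrypted under a local PIN/password, can be illustrated as follows. This is an added example, not code from the thread or from Keycloak; the function names, the file layout, the scrypt parameters and the `cli-offline-token:v1` label are assumptions chosen for the illustration.

```javascript
// Added example (not Keycloak code): seal an offline token with a PIN-derived key.
const crypto = require("crypto");

// Assumed parameters: scrypt N=2^15 needs about 32 MiB, so raise Node's default maxmem.
const SCRYPT = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
// Hypothetical context label; it is authenticated but not encrypted.
const AAD = Buffer.from("cli-offline-token:v1");

function deriveKey(pin, salt) {
  return crypto.scryptSync(Buffer.from(pin, "utf8"), salt, 32, SCRYPT);
}

// Returns a JSON string to write to a file readable only by the user (mode 0600).
function sealToken(offlineToken, pin) {
  const salt = crypto.randomBytes(16); // fresh salt and nonce on every write
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(pin, salt), iv);
  cipher.setAAD(AAD);
  const ct = Buffer.concat([cipher.update(offlineToken, "utf8"), cipher.final()]);
  const b64 = (buf) => buf.toString("base64");
  return JSON.stringify({
    v: 1, kdf: "scrypt", salt: b64(salt), iv: b64(iv), ct: b64(ct), tag: b64(cipher.getAuthTag()),
  });
}

// Throws on a wrong PIN or a modified file; GCM cannot tell the two apart.
function openToken(sealed, pin) {
  const box = JSON.parse(sealed);
  if (box.v !== 1 || box.kdf !== "scrypt") throw new Error("unsupported token file format");
  const raw = (s) => Buffer.from(s, "base64");
  try {
    const key = deriveKey(pin, raw(box.salt));
    // Require the full 16-byte tag so a truncated tag in the file is rejected.
    const decipher = crypto.createDecipheriv("aes-256-gcm", key, raw(box.iv), { authTagLength: 16 });
    decipher.setAAD(AAD);
    decipher.setAuthTag(raw(box.tag));
    return Buffer.concat([decipher.update(raw(box.ct)), decipher.final()]).toString("utf8");
  } catch {
    throw new Error("wrong PIN or tampered token file");
  }
}
```

A short PIN has little entropy, so scrypt only raises the cost of guessing it offline once the file is copied; file permissions and the ability to revoke the offline token on the server remain the main controls.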