[keycloak-dev] Remove kcinit and text-based authentication flows
Stian Thorgersen
sthorger at redhat.com
Thu Sep 19 07:47:27 EDT 2019
We only want to remove kcinit work in KeycloakInstalled. In fact it is
currently broken afaik due to the kcinit stuff.
On Thu, 19 Sep 2019 at 10:17, Marek Posolda <mposolda at redhat.com> wrote:
> I don't think we remove KeycloakInstalled. We may just need to revert to
> the state before kcinit was introduced.
>
> Marek
>
> On 19. 09. 19 9:59, Thomas Darimont wrote:
>
> Hello,
>
> The KeycloakInstalled is part of the keycloak-installed-adapter which is
> used by some folks to authenticate Desktop Apps (via a browser based flow).
> Do you really want to remove KeycloakInstalled completely or just the CLI
> based interaction logic?
>
> Cheers,
> Thomas
>
> On Thu, 19 Sep 2019 at 09:53, Marek Posolda <mposolda at redhat.com> wrote:
>
>> It seems that CloudTrust team already made kcinit tests passing in their
>> prototype for Multi-factor authentication. So removing this now may not
>> be so urgent from this perspective - it likely won't help the work
>> regarding WebAuthn and authentication flows to be finished earlier...
>> But will be good to doublecheck.
>>
>> Marek
>>
>> On 19. 09. 19 9:31, Stian Thorgersen wrote:
>> > https://issues.jboss.org/browse/KEYCLOAK-11490
>> >
>> > On Wed, 18 Sep 2019 at 19:15, Stian Thorgersen <sthorger at redhat.com
>> > <mailto:sthorger at redhat.com>> wrote:
>> >
>> > It may be a bit of work to actually get rid of this though. A few
>> > things that needs removing at least:
>> >
>> > * There's both a Java and a Go kcinit
>> > * Tests - I think they even checkout and build the kcinit go library
>> > * Auth flow stuff, including all the duplicated code/classes for
>> > the text mode
>> > * KeycloakInstalled
>> > * Probably other things as well....
>> >
>> > It does make a lot of sense to get this done though in relation to
>> > the auth work.
>> >
>> > On Wed, 18 Sep 2019, 19:12 Stian Thorgersen, <sthorger at redhat.com
>> > <mailto:sthorger at redhat.com>> wrote:
>> >
>> > kc-init was never released or documented. It never got beyond
>> > a prototype. As such it can be removed without any deprecation
>> > period.
>> >
>> > We never used it in OpenShift integration, and have no plans
>> > of doing so.
>> >
>> >
>> > On Wed, 18 Sep 2019, 16:10 Stefan Guilhen,
>> > <sguilhen at redhat.com <mailto:sguilhen at redhat.com>> wrote:
>> >
>> > Stian has sent an e-mail to kc-user about a week ago, no
>> > replies so far.
>> >
>> > On Wed, Sep 18, 2019 at 10:50 AM Hynek Mlnarik
>> > <hmlnarik at redhat.com <mailto:hmlnarik at redhat.com>> wrote:
>> >
>> > +1 from dev perspective. I believe it is worth
>> > checking with keycloak-user
>> > as well.
>> >
>> > I guess deprecation period would be needed. IIRC, this
>> > was added with OSIN
>> > replacement in mind [1]. Is this plan obsoleted?
>> >
>> > [1]
>> >
>> https://github.com/keycloak/openshift-integration/blob/master/README.md
>> >
>> > On Wed, Sep 18, 2019 at 2:30 PM Marek Posolda
>> > <mposolda at redhat.com <mailto:mposolda at redhat.com>>
>> wrote:
>> >
>> > > +1
>> > >
>> > > Do we have a chance to do it now or is some
>> > "deprecation period" needed?
>> > > It may help to save some work with refactoring of
>> > authentication flows,
>> > > which will be required for multi-token and step-up
>> > authentication support.
>> > >
>> > > Marek
>> > >
>> > > On 06. 09. 19 11:54, Bruno Oliveira wrote:
>> > > > +1
>> > > >
>> > > > On Fri, Sep 6, 2019 at 6:48 AM Stian Thorgersen
>> > <sthorger at redhat.com <mailto:sthorger at redhat.com>>
>> > > wrote:
>> > > >> kcinit and it's associated text-based
>> > authentication flows adds quite a
>> > > bit
>> > > >> of complexity. It was never fully completed and
>> > we don't have capacity
>> > > to
>> > > >> complete it.
>> > > >>
>> > > >> Text-based authentication flows are also not
>> > really all that useful.
>> > > There
>> > > >> are other better approaches to authenticate
>> > devices without a web
>> > > browser,
>> > > >> and when there is a web browser that should be
>> > used rather than cli.
>> > > >>
>> > > >> I propose we remove both kcinit as well as the
>> > text-based authentication
>> > > >> flows. We also need to revert KeycloakInstalled
>> > to how it was prior to
>> > > this
>> > > >> was added as it is currently fairly broken.
>> > > >> _______________________________________________
>> > > >> keycloak-dev mailing list
>> > > >> keycloak-dev at lists.jboss.org
>> > <mailto:keycloak-dev at lists.jboss.org>
>> > > >>
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> > > >
>> > > >
>> > >
>> > > _______________________________________________
>> > > keycloak-dev mailing list
>> > > keycloak-dev at lists.jboss.org
>> > <mailto:keycloak-dev at lists.jboss.org>
>> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> > >
>> > _______________________________________________
>> > keycloak-dev mailing list
>> > keycloak-dev at lists.jboss.org
>> > <mailto:keycloak-dev at lists.jboss.org>
>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> >
>> >
>> >
>> > --
>> >
>> > Stefan Guilhen
>> >
>> > Principal Software Engineer
>> >
>> > Red Hat<https://www.redhat.com/>
>> >
>> > sguilhen at redhat.com <mailto:sguilhen at redhat.com> IM:
>> sguilhen
>> >
>> > @RedHat <https://twitter.com/redhat> Red Hat
>> > <https://www.linkedin.com/company/red-hat> Red Hat
>> > <https://www.facebook.com/RedHatInc>
>> > <https://www.redhat.com/>
>> >
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>
More information about the keycloak-dev
mailing list