On Tue, 2025-12-02 at 18:02 +0100, Sumit Bose via sssd-devel wrote:
> On Tue, Dec 02, 2025 at 04:53:18PM +0100, Timo Eisenmann via
> sssd-devel wrote:
> > Hello,
> >
> > I am currently looking into sssd-idp for authentication with
> > Keycloak. And that works fine, but I would be interested in
> > accessing the tokens (access, refresh, id) after logging in.
> > AFAICS, those are neither passed through by PAM with forward_pass,
> > nor is there any sssctl subcommand to do this.
> >
> > Is there some way to do this currently, or if not, is this planned
> > in some way?
>
> Hi,
>
> yes, this is planned, but I was busy with other tasks recently.
>
> The idea is to let oidc_child return them to the backend after successful
> authentication so that they can be stored together with the other user
> data in the cache.
>
Mind if I take a shot at it?
I would store them in some new attrs {access,id,refresh}Token under the
user.
> The next question would be how to make the best use of it. I was
> thinking about a utility which can put them in the profiles of typical
> web browsers in the user's home directory so that they are available for
> the user without having to authenticate a second time in the browsers.
>
That would be my use case too.
But instead of a utility specifically for provisioning a certain set of
browsers, I would take a more generic approach.
That is, a utility that just extracts the tokens from the cache.
The browser-specific provisioning with the tokens could then be done by
more specialized utilities/scripts.
An option to refresh the token might also be convenient.
E.g. something along the lines of:
sss_token --refresh --get-access-token user@keycloak
would refresh the tokens, then return the access_token.
> HTH
>
> bye,
> Sumit
>
> >
> > Regards,
> > Timo
>
>
>
> > --
> > _______________________________________________
> > sssd-devel mailing list -- [email protected]
> > To unsubscribe send an email to
> > [email protected]
> > Fedora Code of Conduct:
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines:
> > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> > https://lists.fedorahosted.org/archives/list/[email protected]
> > Do not reply to spam, report it:
> > https://pagure.io/fedora-infrastructure/new_issue
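Since the thread proposes a `sss_token --refresh --get-access-token user@keycloak` utility backed by the three cached `{access,id,refresh}Token` attributes, here is an added Python sketch of what the refresh step involves. It is my own illustration, not sssd code and not something Sumit or Timo posted: it runs the OAuth 2.0 refresh_token grant (RFC 6749, section 6) against a token endpoint and writes the returned tokens back under the user's cache entry. The dict-based cache, the `FakeTokenEndpoint` class (an in-process stand-in so the script runs offline), the `sssd-client` client_id and the `accessTokenExpiresAt` attribute are all assumptions. It also goes slightly beyond the proposal by refreshing automatically when the cached access token has already expired, not only when `refresh=True` is requested.

```python
"""Hypothetical token-extraction helper in the spirit of the proposed
sss_token utility. Not sssd code: the cache layout, the fake token
endpoint and the client_id are assumptions made for this example."""
import time
from urllib.parse import parse_qs, urlencode

# Constructed sample cache content, roughly what oidc_child might hand to the
# backend after a successful login (placeholder strings, not real tokens).
SAMPLE_CACHE = {
    "user@keycloak": {
        "accessToken": "access-0001",
        "idToken": "id-0001",
        "refreshToken": "refresh-0001",
        "accessTokenExpiresAt": 0,  # epoch seconds; 0 means already expired
    }
}


class FakeTokenEndpoint:
    """Stand-in for an IdP token endpoint (hypothetical, offline).

    Accepts only the refresh_token grant, checks the client_id, and rotates
    the refresh token: the old one is invalidated, a new one is issued."""

    def __init__(self, client_id, valid_refresh_tokens):
        self.client_id = client_id
        self.valid = set(valid_refresh_tokens)
        self.counter = 1

    def post(self, body):
        # body is application/x-www-form-urlencoded, as a real client would send
        params = {k: v[0] for k, v in parse_qs(body).items()}
        if params.get("grant_type") != "refresh_token":
            return 400, {"error": "unsupported_grant_type"}
        if params.get("client_id") != self.client_id:
            return 401, {"error": "invalid_client"}
        rt = params.get("refresh_token")
        if rt not in self.valid:
            return 400, {"error": "invalid_grant"}  # replayed or unknown token
        self.valid.discard(rt)
        self.counter += 1
        new_rt = f"refresh-{self.counter:04d}"
        self.valid.add(new_rt)
        return 200, {
            "access_token": f"access-{self.counter:04d}",
            "id_token": f"id-{self.counter:04d}",
            "refresh_token": new_rt,
            "token_type": "Bearer",
            "expires_in": 300,
        }


def refresh_tokens(cache, user, endpoint, client_id, now=None):
    """Run the refresh_token grant for `user` and update its cache entry."""
    entry = cache[user]
    body = urlencode({
        "grant_type": "refresh_token",
        "refresh_token": entry["refreshToken"],
        "client_id": client_id,
    })
    status, resp = endpoint.post(body)
    if status != 200:
        raise RuntimeError(f"refresh failed: {resp.get('error')}")
    now = time.time() if now is None else now
    entry["accessToken"] = resp["access_token"]
    entry["idToken"] = resp.get("id_token", entry["idToken"])
    # Some IdPs rotate refresh tokens; keep the new one when it is present.
    entry["refreshToken"] = resp.get("refresh_token", entry["refreshToken"])
    entry["accessTokenExpiresAt"] = now + resp["expires_in"]
    return entry


def get_access_token(cache, user, endpoint, client_id, refresh=False, now=None):
    """Equivalent of `sss_token [--refresh] --get-access-token USER`.

    Refreshes when asked to, or when the cached access token has expired."""
    now = time.time() if now is None else now
    entry = cache[user]
    if refresh or entry["accessTokenExpiresAt"] <= now:
        refresh_tokens(cache, user, endpoint, client_id, now=now)
    return cache[user]["accessToken"]


if __name__ == "__main__":
    cache = {u: dict(e) for u, e in SAMPLE_CACHE.items()}
    ep = FakeTokenEndpoint("sssd-client", ["refresh-0001"])
    print(get_access_token(cache, "user@keycloak", ep, "sssd-client", refresh=True))
    print(cache["user@keycloak"])
```

A real utility would read the entries from the sssd cache under that cache's own permissions and POST the form to the IdP's token endpoint over TLS; the point the fake endpoint makes is that after a rotation the old refresh token is rejected with `invalid_grant`, so whatever writes tokens into a browser profile must take the current refresh token from the cache rather than a copy saved earlier.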
