On 17.10.22 17:29, Sam Hartman wrote:
> That
> * Gives us a second source of sso
> * still leaves tracker wanting to consume client certs
> * As far as I can tell keycloak can consume but not produce client certs
> * Even if it can produce client certs we have all the usability
> challenges of client certs

But is there a technical reason for tracker.d.o to do client certs in the first place? It's easy for a first-party d.o service running on DSA machines to enable OpenID Connect-based SSO against Salsa. And that only requires minor changes to the code to get the username from the slightly different HTTP header.

If there are API clients talking to it, it might be slightly more involved to set up - but it's not like other people haven't had to deal with getting OIDC tokens for various APIs before. :)

Kind regards
Philipp Kern
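The "slightly different HTTP header" point above, as an added Python example that is not part of this thread or of tracker.d.o's own code: a helper that takes the username either from a verified client-certificate CN or from an OIDC claim, and refuses a request-supplied identity header unless the deployment states that the front-end proxy sets it (and strips any client-supplied copy). The variable names SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN_CN and OIDC_CLAIM_preferred_username are assumptions modelled on what Apache mod_ssl and mod_auth_openidc export.

```python
import re
from typing import Mapping

# Assumed names of the server variables the TLS terminator / OIDC module
# exports into the WSGI environ (modelled on mod_ssl and mod_auth_openidc).
CLIENT_CERT_VERIFY = "SSL_CLIENT_VERIFY"        # "SUCCESS" only after chain verification
CLIENT_CERT_CN = "SSL_CLIENT_S_DN_CN"
OIDC_USERNAME = "OIDC_CLAIM_preferred_username"
# The same claim when a reverse proxy forwards it as an HTTP request header;
# anything under HTTP_* originated from the wire and is spoofable by the client
# unless the proxy strips incoming copies before setting its own.
OIDC_USERNAME_HEADER = "HTTP_OIDC_CLAIM_PREFERRED_USERNAME"

USERNAME_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{0,63}$")  # assumed username policy


class AuthError(Exception):
    """Raised when no trustworthy authenticated identity is available."""


def _check(name: str) -> str:
    if not USERNAME_RE.match(name):
        raise AuthError(f"rejecting malformed username {name!r}")
    return name


def username_from_environ(environ: Mapping[str, str], trust_proxy_headers: bool = False) -> str:
    """Return the authenticated username for a request.

    Precedence: verified client certificate, then an OIDC claim exported as a
    server variable, then the same claim as a forwarded header (only when the
    deployment explicitly trusts the proxy to own that header).
    """
    cn = environ.get(CLIENT_CERT_CN)
    if cn:
        # A CN is only meaningful if mod_ssl actually verified the certificate.
        if environ.get(CLIENT_CERT_VERIFY) != "SUCCESS":
            raise AuthError("client certificate present but not verified by the TLS terminator")
        return _check(cn)
    user = environ.get(OIDC_USERNAME)
    if user:
        return _check(user)
    forwarded = environ.get(OIDC_USERNAME_HEADER)
    if forwarded:
        if not trust_proxy_headers:
            raise AuthError("identity header came from the request; proxy headers are not trusted here")
        return _check(forwarded)
    raise AuthError("no authenticated identity")
```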
