sso-cli 1.0.0__tar.gz

sso_cli-1.0.0/PKG-INFO

@@ -0,0 +1,85 @@
+Metadata-Version: 2.4
+Name: sso-cli
+Version: 1.0.0
+Summary: SSO auth CLI - Keycloak/OIDC token & roles
+Author: SSO CLI Contributors
+License-Expression: MIT
+Keywords: sso,auth,keycloak,cli
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: Topic :: Security
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.7
+Classifier: Programming Language :: Python :: 3.8
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Requires-Python: >=3.7
+Description-Content-Type: text/markdown
+Requires-Dist: httpx>=0.24.0
+Requires-Dist: pyyaml>=6.0.0
+Requires-Dist: pyperclip>=1.8.2
+Requires-Dist: rich>=13.0.0
+Requires-Dist: inquirer>=3.0.0
+Requires-Dist: keyring>=24.0.0
+
+# sso-cli
+
+SSO auth CLI - Keycloak/OIDC tokens & roles.
+
+CLI tool for authenticating with Keycloak/OIDC providers, fetching access tokens, and listing user roles. Supports multiple environments, password and client credentials authentication, with secrets stored in the system keyring. With prefix matching for quick access and organized role display from both JWT tokens and userinfo endpoints.
+
+## Install
+
+```bash
+pip install sso-cli
+```
+
+## Usage
+
+```bash
+# Get token
+sso prod user@example.com
+
+# Prefix matching (auto-complete)
+sso p u          # → sso prod user@example.com (if unique)
+sso prod u       # → error if ambiguous
+
+# List roles (JWT + UserInfo)
+sso prod user@example.com -r
+
+# List/Remove
+sso -l env
+sso -l user
+sso -d env prod
+sso -d user prod user@example.com
+
+# Interactive
+sso
+```
+
+## Config
+
+Configuration is stored in `~/sso_config.yaml` (auto-created by the app). All setup is done through the interactive flow - no manual YAML editing required.
+
+Example structure (for reference):
+
+```yaml
+environments:
+  prod:
+    sso_url: https://sso.example.com
+    realm: Production
+    client_id: my-client-id  # optional, prompted if needed
+
+users:
+  prod:
+    user@example.com:
+      auth_type: password
+      email: user@example.com
+    api-client:
+      auth_type: client_credentials
+      client_id: api-client
+```
+
+Secrets (passwords and client secrets) are stored securely in the system keyring. Environments and users are automatically created on first use through an interactive setup flow. The tool supports optional client_id configuration per environment for Keycloak instances that require it.

sso_cli-1.0.0/README.md

@@ -0,0 +1,59 @@
+# sso-cli
+
+SSO auth CLI - Keycloak/OIDC tokens & roles.
+
+CLI tool for authenticating with Keycloak/OIDC providers, fetching access tokens, and listing user roles. Supports multiple environments, password and client credentials authentication, with secrets stored in the system keyring. With prefix matching for quick access and organized role display from both JWT tokens and userinfo endpoints.
+
+## Install
+
+```bash
+pip install sso-cli
+```
+
+## Usage
+
+```bash
+# Get token
+sso prod user@example.com
+
+# Prefix matching (auto-complete)
+sso p u          # → sso prod user@example.com (if unique)
+sso prod u       # → error if ambiguous
+
+# List roles (JWT + UserInfo)
+sso prod user@example.com -r
+
+# List/Remove
+sso -l env
+sso -l user
+sso -d env prod
+sso -d user prod user@example.com
+
+# Interactive
+sso
+```
+
+## Config
+
+Configuration is stored in `~/sso_config.yaml` (auto-created by the app). All setup is done through the interactive flow - no manual YAML editing required.
+
+Example structure (for reference):
+
+```yaml
+environments:
+  prod:
+    sso_url: https://sso.example.com
+    realm: Production
+    client_id: my-client-id  # optional, prompted if needed
+
+users:
+  prod:
+    user@example.com:
+      auth_type: password
+      email: user@example.com
+    api-client:
+      auth_type: client_credentials
+      client_id: api-client
+```
+
+Secrets (passwords and client secrets) are stored securely in the system keyring. Environments and users are automatically created on first use through an interactive setup flow. The tool supports optional client_id configuration per environment for Keycloak instances that require it.

sso_cli-1.0.0/pyproject.toml

@@ -0,0 +1,44 @@
+[build-system]
+requires = ["setuptools>=61.0", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "sso-cli"
+version = "1.0.0"
+description = "SSO auth CLI - Keycloak/OIDC token & roles"
+readme = "README.md"
+requires-python = ">=3.7"
+license = "MIT"
+authors = [
+    {name = "SSO CLI Contributors"}
+]
+keywords = ["sso", "auth", "keycloak", "cli"]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Intended Audience :: Developers",
+    "Topic :: Security",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.7",
+    "Programming Language :: Python :: 3.8",
+    "Programming Language :: Python :: 3.9",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+]
+dependencies = [
+    "httpx>=0.24.0",
+    "pyyaml>=6.0.0",
+    "pyperclip>=1.8.2",
+    "rich>=13.0.0",
+    "inquirer>=3.0.0",
+    "keyring>=24.0.0",
+]
+
+[project.scripts]
+sso = "sso_cli.cli:main"
+
+[tool.setuptools]
+packages = ["sso_cli"]
+
+[tool.setuptools.package-data]
+sso_cli = ["py.typed"]

sso_cli-1.0.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

sso_cli-1.0.0/sso_cli/__init__.py

@@ -0,0 +1,8 @@
+"""SSO CLI - Keycloak auth tool"""
+
+from .auth import SSOAuthenticator
+from .config import SSOConfigManager
+from .secrets import SecretManager
+
+__all__ = ["SSOAuthenticator", "SSOConfigManager", "SecretManager"]
+

sso_cli-1.0.0/sso_cli/auth.py

@@ -0,0 +1,319 @@
+"""SSO authentication"""
+
+import base64
+import json
+import httpx
+import logging
+from typing import Dict, Any, Optional, List, Tuple
+from getpass import getpass
+from rich.console import Console
+from rich.prompt import Prompt
+
+from .config import SSOConfigManager
+from .secrets import SecretManager
+
+logger = logging.getLogger(__name__)
+console = Console()
+
+
+class SSOAuthenticator:
+    def __init__(self):
+        self.config = {}
+        self.config_manager = SSOConfigManager()
+        self.load_config()
+    
+    def load_config(self):
+        self.config = self.config_manager.load()
+        if not self.config:
+            self.config = {"environments": {}, "users": {}}
+        if "environments" not in self.config:
+            self.config["environments"] = {}
+        if "users" not in self.config:
+            self.config["users"] = {}
+    
+    def save_config(self) -> bool:
+        return self.config_manager.save(self.config)
+    
+    def get_environments(self) -> Dict[str, Dict[str, str]]:
+        return self.config.get("environments", {})
+    
+    def get_environment(self, env_key: str) -> Optional[Dict[str, str]]:
+        return self.get_environments().get(env_key)
+    
+    def create_environment(self, env_key: str = None) -> Dict[str, str]:
+        if not env_key:
+            env_key = Prompt.ask("Environment key")
+        console.print(f"[dim]Environment '{env_key}' not found. Creating...[/dim]\n")
+        sso_domain = Prompt.ask("SSO domain", default=f"sso.{env_key}.com")
+        realm = Prompt.ask("Realm", default="master")
+        client_id = Prompt.ask("Client ID (optional)", default="").strip()
+        
+        domain = sso_domain.strip()
+        if domain.startswith('https://'):
+            domain = domain[8:]
+        elif domain.startswith('http://'):
+            domain = domain[7:]
+        domain = domain.rstrip('/')
+        sso_url = f"https://{domain}"
+        
+        env_config = {"sso_url": sso_url, "realm": realm}
+        if client_id:
+            env_config["client_id"] = client_id
+        if "environments" not in self.config:
+            self.config["environments"] = {}
+        self.config["environments"][env_key] = env_config
+        self.save_config()
+        console.print(f"[green]Environment '{env_key}' created[/green]")
+        return env_config
+    
+    def get_sso_url(self, env_key: str = None) -> str:
+        if not env_key:
+            env_key = Prompt.ask("Environment key")
+        env = self.get_environment(env_key)
+        if not env:
+            env = self.create_environment(env_key)
+        return f"{env['sso_url']}/realms/{env['realm']}"
+    
+    def remove_environment(self, env_key: str) -> bool:
+        if "environments" not in self.config:
+            return False
+        if env_key not in self.config["environments"]:
+            return False
+        if "users" in self.config and env_key in self.config["users"]:
+            for user_key in list(self.config["users"][env_key].keys()):
+                SecretManager.delete_secret(env_key, user_key, "password")
+                SecretManager.delete_secret(env_key, user_key, "client_secret")
+            del self.config["users"][env_key]
+        del self.config["environments"][env_key]
+        self.save_config()
+        return True
+    
+    def remove_user(self, environment: str, user_key: str) -> bool:
+        if "users" not in self.config:
+            return False
+        if environment not in self.config["users"]:
+            return False
+        if user_key not in self.config["users"][environment]:
+            return False
+        del self.config["users"][environment][user_key]
+        SecretManager.delete_secret(environment, user_key, "password")
+        SecretManager.delete_secret(environment, user_key, "client_secret")
+        self.save_config()
+        return True
+    
+    def get_available_users_for_environment(self, environment: str) -> Dict[str, Dict[str, str]]:
+        return self.config.get("users", {}).get(environment, {})
+    
+    def find_user_by_key(self, environment: str, user_key: str) -> Optional[str]:
+        users = self.get_available_users_for_environment(environment)
+        if user_key in users:
+            return user_key
+        for key, config in users.items():
+            email = config.get("email", "")
+            if email and email.split("@")[0] == user_key:
+                return key
+        
+        matches = []
+        for key, config in users.items():
+            email = config.get("email", "")
+            client_id = config.get("client_id", "")
+            if (key.startswith(user_key) or 
+                (email and email.split("@")[0].startswith(user_key)) or
+                (client_id and client_id.startswith(user_key))):
+                display = email or client_id or key
+                matches.append((key, display))
+        
+        if len(matches) == 1:
+            return matches[0][0]
+        return None
+    
+    def find_users_by_prefix(self, environment: str, prefix: str) -> List[Tuple[str, str]]:
+        users = self.get_available_users_for_environment(environment)
+        matches = []
+        for key, config in users.items():
+            email = config.get("email", "")
+            client_id = config.get("client_id", "")
+            display = email or client_id or key
+            
+            if (key.startswith(prefix) or 
+                (email and email.split("@")[0].startswith(prefix)) or
+                (client_id and client_id.startswith(prefix))):
+                matches.append((key, display))
+        return matches
+    
+    def find_environment_by_prefix(self, prefix: str) -> Optional[str]:
+        envs = self.get_environments()
+        matches = [key for key in envs.keys() if key.startswith(prefix)]
+        if len(matches) == 1:
+            return matches[0]
+        return None
+    
+    def find_environments_by_prefix(self, prefix: str) -> List[str]:
+        envs = self.get_environments()
+        return [key for key in envs.keys() if key.startswith(prefix)]
+    
+    def get_user_credentials(self, environment: str, user_key: str) -> tuple[str, str, str]:
+        if "users" not in self.config:
+            self.config["users"] = {}
+        if environment not in self.config["users"]:
+            self.config["users"][environment] = {}
+        
+        actual_key = self.find_user_by_key(environment, user_key)
+        if not actual_key:
+            actual_key = user_key
+        
+        if actual_key not in self.config["users"][environment]:
+            if "@" in actual_key:
+                self.config["users"][environment][actual_key] = {
+                    "auth_type": "password",
+                    "email": actual_key
+                }
+                password = getpass(f"Password for {actual_key}: ")
+                SecretManager.set_secret(environment, actual_key, "password", password)
+                console.print("[green]Saved to keyring[/green]")
+            else:
+                self.config["users"][environment][actual_key] = {
+                    "auth_type": "client_credentials",
+                    "client_id": actual_key
+                }
+                client_secret = getpass(f"Client Secret for {actual_key}: ")
+                SecretManager.set_secret(environment, actual_key, "client_secret", client_secret)
+                console.print("[green]Saved to keyring[/green]")
+            self.save_config()
+        
+        user_config = self.config["users"][environment][actual_key]
+        auth_type = user_config.get("auth_type", "password")
+        
+        if auth_type == "client_credentials":
+            client_id = user_config.get("client_id")
+            if not client_id:
+                raise ValueError(f"Missing client_id for {actual_key}")
+            client_secret = SecretManager.get_secret(environment, actual_key, "client_secret")
+            if not client_secret:
+                client_secret = getpass(f"Client Secret for {client_id}: ")
+                SecretManager.set_secret(environment, actual_key, "client_secret", client_secret)
+                console.print("[green]Saved to keyring[/green]")
+            return client_id, client_secret, auth_type
+        else:
+            email = user_config.get("email")
+            if not email:
+                raise ValueError(f"Missing email for {actual_key}")
+            password = SecretManager.get_secret(environment, actual_key, "password")
+            if not password:
+                password = getpass(f"Password for {email}: ")
+                SecretManager.set_secret(environment, actual_key, "password", password)
+                console.print("[green]Saved to keyring[/green]")
+            return email, password, auth_type
+    
+    async def get_token(self, environment: str, user_key: str) -> str:
+        sso_url = self.get_sso_url(environment)
+        cred1, cred2, auth_type = self.get_user_credentials(environment, user_key)
+        token_url = f"{sso_url}/protocol/openid-connect/token"
+        env_config = self.get_environment(environment) or {}
+        client_id = env_config.get("client_id")
+        
+        if auth_type == "client_credentials":
+            data = {"grant_type": "client_credentials", "client_id": cred1, "client_secret": cred2}
+        else:
+            data = {"grant_type": "password", "username": cred1, "password": cred2}
+            if client_id:
+                data["client_id"] = client_id
+        
+        try:
+            async with httpx.AsyncClient() as client:
+                response = await client.post(token_url, data=data)
+                if response.status_code == 401:
+                    if auth_type == "password":
+                        if not client_id:
+                            console.print("[yellow]This environment may require a client_id.[/yellow]")
+                            new_client_id = Prompt.ask("Client ID (or press Enter to skip)", default="").strip()
+                            if new_client_id:
+                                env_config = self.get_environment(environment) or {}
+                                env_config["client_id"] = new_client_id
+                                if "environments" not in self.config:
+                                    self.config["environments"] = {}
+                                self.config["environments"][environment] = env_config
+                                self.save_config()
+                                client_id = new_client_id
+                                console.print("[green]Client ID saved[/green]")
+                        
+                        console.print("[yellow]Auth failed. Enter new password (or press Enter to retry with same):[/yellow]")
+                        new_password = getpass(f"Password for {cred1}: ")
+                        if new_password:
+                            SecretManager.set_secret(environment, user_key, "password", new_password)
+                            console.print("[green]Saved to keyring[/green]")
+                            data = {"grant_type": "password", "username": cred1, "password": new_password}
+                        else:
+                            data = {"grant_type": "password", "username": cred1, "password": cred2}
+                        if client_id:
+                            data["client_id"] = client_id
+                    else:
+                        console.print("[yellow]Auth failed. Enter new client secret (or press Enter to retry with same):[/yellow]")
+                        new_secret = getpass(f"Client Secret for {cred1}: ")
+                        if new_secret:
+                            SecretManager.set_secret(environment, user_key, "client_secret", new_secret)
+                            console.print("[green]Saved to keyring[/green]")
+                            data = {"grant_type": "client_credentials", "client_id": cred1, "client_secret": new_secret}
+                        else:
+                            data = {"grant_type": "client_credentials", "client_id": cred1, "client_secret": cred2}
+                    async with httpx.AsyncClient() as retry_client:
+                        retry_response = await retry_client.post(token_url, data=data)
+                        retry_response.raise_for_status()
+                        return retry_response.json()["access_token"]
+                response.raise_for_status()
+                return response.json()["access_token"]
+        except httpx.HTTPStatusError as e:
+            if e.response.status_code == 401:
+                raise ValueError("Authentication failed")
+            raise
+        except Exception as e:
+            logger.error(f"Error: {e}")
+            raise
+    
+    def _decode_jwt_payload(self, token: str) -> Dict[str, Any]:
+        try:
+            parts = token.split('.')
+            if len(parts) != 3:
+                return {}
+            payload = parts[1]
+            payload += '=' * (4 - len(payload) % 4) if len(payload) % 4 else ''
+            decoded = base64.urlsafe_b64decode(payload)
+            return json.loads(decoded)
+        except Exception:
+            return {}
+    
+    def _extract_roles_from_payload(self, payload: Dict[str, Any]) -> List[str]:
+        roles = []
+        if "realm_access" in payload and isinstance(payload["realm_access"], dict):
+            if "roles" in payload["realm_access"]:
+                roles.extend(payload["realm_access"]["roles"])
+        if "resource_access" in payload and isinstance(payload["resource_access"], dict):
+            for resource, access in payload["resource_access"].items():
+                if isinstance(access, dict) and "roles" in access:
+                    for role in access["roles"]:
+                        roles.append(f"{resource}:{role}")
+        return sorted(roles)
+    
+    async def get_user_roles(self, environment: str, user_key: str) -> Dict[str, List[str]]:
+        token = await self.get_token(environment, user_key)
+        jwt_payload = self._decode_jwt_payload(token)
+        jwt_roles = self._extract_roles_from_payload(jwt_payload)
+        
+        sso_url = self.get_sso_url(environment)
+        userinfo_url = f"{sso_url}/protocol/openid-connect/userinfo"
+        headers = {"Authorization": f"Bearer {token}"}
+        userinfo_roles = []
+        try:
+            async with httpx.AsyncClient() as client:
+                response = await client.get(userinfo_url, headers=headers)
+                response.raise_for_status()
+                userinfo = response.json()
+                userinfo_roles = self._extract_roles_from_payload(userinfo)
+        except Exception as e:
+            logger.error(f"Error fetching userinfo: {e}")
+        
+        return {
+            "jwt": jwt_roles,
+            "userinfo": userinfo_roles
+        }
+

sso_cli-1.0.0/sso_cli/cli.py

@@ -0,0 +1,333 @@
+"""CLI interface"""
+
+import sys
+import asyncio
+import argparse
+import logging
+from typing import List
+import inquirer
+from rich.console import Console
+from rich.prompt import Prompt
+from rich.text import Text
+
+from .auth import SSOAuthenticator
+from .utils import copy_to_clipboard
+
+logging.basicConfig(level=logging.WARNING)
+logger = logging.getLogger(__name__)
+logging.getLogger("httpx").setLevel(logging.WARNING)
+console = Console()
+
+
+class ModernSelector:
+    def __init__(self):
+        self.console = Console()
+    
+    def select_from_list(self, title: str, options: List[str]) -> int:
+        questions = [inquirer.List('choice', message=title, choices=options, carousel=True)]
+        try:
+            answers = inquirer.prompt(questions)
+            if answers is None:
+                self.console.print("\n[yellow]Exiting...[/yellow]")
+                sys.exit(0)
+            return options.index(answers['choice'])
+        except (KeyboardInterrupt, EOFError):
+            self.console.print("\n[yellow]Exiting...[/yellow]")
+            sys.exit(0)
+
+
+def show_help():
+    console.print()
+    console.print("[bold green]SSO CLI[/bold green]\n")
+    console.print("[bold]Commands:[/bold]")
+    cmd1 = Text("  sso ")
+    cmd1.append("[env]", style="dim")
+    cmd1.append(" ")
+    cmd1.append("[user]", style="dim")
+    console.print(cmd1)
+    cmd2 = Text("  sso ")
+    cmd2.append("[env]", style="dim")
+    cmd2.append(" ")
+    cmd2.append("[user]", style="dim")
+    cmd2.append(" -r, --roles")
+    console.print(cmd2)
+    console.print("  sso                                (interactive)")
+    console.print("\n[bold]List:[/bold]")
+    console.print("  sso -l, --list env")
+    console.print("  sso -l, --list user")
+    console.print("\n[bold]Remove:[/bold]")
+    cmd3 = Text("  sso -d, --remove env ")
+    cmd3.append("[env]", style="dim")
+    console.print(cmd3)
+    cmd4 = Text("  sso -d, --remove user ")
+    cmd4.append("[env]", style="dim")
+    cmd4.append(" ")
+    cmd4.append("[user]", style="dim")
+    console.print(cmd4)
+    console.print("\n[bold]Options:[/bold]")
+    console.print("  -h, --help                          Show help")
+    console.print()
+
+
+async def get_token_non_interactive(environment: str, user: str) -> str:
+    authenticator = SSOAuthenticator()
+    return await authenticator.get_token(environment, user)
+
+
+async def get_user_roles_non_interactive(environment: str, user: str):
+    authenticator = SSOAuthenticator()
+    return await authenticator.get_user_roles(environment, user)
+
+
+def resolve_environment(authenticator: SSOAuthenticator, env_arg: str) -> str:
+    env_key = authenticator.find_environment_by_prefix(env_arg)
+    if env_key:
+        return env_key
+    env_matches = authenticator.find_environments_by_prefix(env_arg)
+    if len(env_matches) > 1:
+        console.print(f"[red]Ambiguous environment '{env_arg}':[/red]")
+        for match in env_matches:
+            console.print(f"  {match}")
+        sys.exit(1)
+    return env_matches[0] if env_matches else env_arg
+
+
+def resolve_user(authenticator: SSOAuthenticator, env_key: str, user_arg: str) -> str:
+    user_key = authenticator.find_user_by_key(env_key, user_arg)
+    if user_key:
+        return user_key
+    user_matches = authenticator.find_users_by_prefix(env_key, user_arg)
+    if len(user_matches) > 1:
+        console.print(f"[red]Ambiguous user '{user_arg}' in '{env_key}':[/red]")
+        for key, display in user_matches:
+            console.print(f"  {display} ({key})")
+        sys.exit(1)
+    return user_matches[0][0] if user_matches else user_arg
+
+
+async def show_roles(authenticator: SSOAuthenticator, env_key: str, user_key: str):
+    console.print(f"[yellow]Fetching roles...[/yellow]")
+    try:
+        roles_data = await authenticator.get_user_roles(env_key, user_key)
+        console.print()
+        console.print("[bold green]Roles[/bold green]\n")
+        if roles_data["jwt"]:
+            console.print("[bold]JWT Token:[/bold]")
+            console.print("\n".join([f"  • {r}" for r in roles_data["jwt"]]))
+        if roles_data["userinfo"]:
+            if roles_data["jwt"]:
+                console.print()
+            console.print("[bold]UserInfo Endpoint:[/bold]")
+            console.print("\n".join([f"  • {r}" for r in roles_data["userinfo"]]))
+        if not roles_data["jwt"] and not roles_data["userinfo"]:
+            console.print("[yellow]No roles[/yellow]")
+    except Exception as e:
+        console.print(f"[red]Error: {e}[/red]")
+        sys.exit(1)
+
+
+async def show_token(authenticator: SSOAuthenticator, env_key: str, user_key: str):
+    console.print(f"[yellow]Authenticating...[/yellow]")
+    try:
+        token = await authenticator.get_token(env_key, user_key)
+        console.print()
+        if copy_to_clipboard(token):
+            console.print("[bold green]Token copied![/bold green]")
+        else:
+            console.print(f"[bold]Token:[/bold]\n{token}")
+    except Exception as e:
+        console.print(f"[red]Error: {e}[/red]")
+        sys.exit(1)
+
+
+async def main_async():
+    parser = argparse.ArgumentParser(description="SSO CLI", add_help=False)
+    parser.add_argument('environment', nargs='?', help='Environment')
+    parser.add_argument('user', nargs='?', help='User')
+    parser.add_argument('-r', '--roles', action='store_true', help='List roles')
+    parser.add_argument('-l', '--list', metavar='TYPE', help='List: env/envs or user/users')
+    parser.add_argument('-d', '--remove', nargs='+', metavar=('TYPE', 'ID'), help='Remove: env <id> or user <env> <user>')
+    parser.add_argument('-h', '--help', action='store_true', help='Show help')
+    
+    args = parser.parse_args()
+    
+    if args.help:
+        show_help()
+        return
+    
+    if args.list:
+        list_type = args.list.lower()
+        authenticator = SSOAuthenticator()
+        
+        if list_type in ['env', 'envs', 'environment', 'environments']:
+            envs = authenticator.get_environments()
+            if not envs:
+                console.print("[dim]No environments configured[/dim]")
+            else:
+                for env_key, config in envs.items():
+                    sso_url = config.get("sso_url", "")
+                    realm = config.get("realm", "")
+                    console.print(f"{env_key}: {sso_url}/realms/{realm}")
+        
+        elif list_type in ['user', 'users']:
+            all_users = authenticator.config.get("users", {})
+            if not all_users:
+                console.print("[dim]No users configured[/dim]")
+            else:
+                for env_key, users in all_users.items():
+                    if users:
+                        console.print(f"\n{env_key}:")
+                        for user_key, config in users.items():
+                            email = config.get("email")
+                            client_id = config.get("client_id")
+                            auth_type = config.get("auth_type", "password")
+                            display = email or client_id or user_key
+                            console.print(f"  {user_key}: {display} ({auth_type})")
+        else:
+            console.print(f"[red]Invalid list type: {args.list}[/red]")
+            console.print("Use: env/envs or user/users")
+            sys.exit(1)
+        return
+    
+    if args.remove:
+        if len(args.remove) < 2:
+            console.print("[red]Usage: sso -d <type> <id>[/red]")
+            console.print("  sso -d env <env_id>")
+            console.print("  sso -d user <env_id> <user_id>")
+            sys.exit(1)
+        
+        remove_type = args.remove[0].lower()
+        authenticator = SSOAuthenticator()
+        
+        if remove_type in ['env', 'envs', 'environment', 'environments']:
+            env_id = args.remove[1]
+            if authenticator.remove_environment(env_id):
+                console.print(f"[green]Environment '{env_id}' removed[/green]")
+            else:
+                console.print(f"[red]Environment '{env_id}' not found[/red]")
+                sys.exit(1)
+        
+        elif remove_type in ['user', 'users']:
+            if len(args.remove) < 3:
+                console.print("[red]Usage: sso -d user <env_id> <user_id>[/red]")
+                sys.exit(1)
+            env_id = args.remove[1]
+            user_id = args.remove[2]
+            actual_key = authenticator.find_user_by_key(env_id, user_id)
+            if not actual_key:
+                actual_key = user_id
+            if authenticator.remove_user(env_id, actual_key):
+                console.print(f"[green]User '{actual_key}' removed from '{env_id}'[/green]")
+            else:
+                console.print(f"[red]User '{user_id}' not found in '{env_id}'[/red]")
+                sys.exit(1)
+        else:
+            console.print(f"[red]Invalid remove type: {remove_type}[/red]")
+            console.print("Use: env/envs or user/users")
+            sys.exit(1)
+        return
+    
+    if args.environment and args.user:
+        authenticator = SSOAuthenticator()
+        env_key = resolve_environment(authenticator, args.environment)
+        user_key = resolve_user(authenticator, env_key, args.user)
+        try:
+            if args.roles:
+                roles_data = await get_user_roles_non_interactive(env_key, user_key)
+                if roles_data["jwt"]:
+                    print("JWT Token:")
+                    for role in roles_data["jwt"]:
+                        print(f"  {role}")
+                if roles_data["userinfo"]:
+                    if roles_data["jwt"]:
+                        print()
+                    print("UserInfo Endpoint:")
+                    for role in roles_data["userinfo"]:
+                        print(f"  {role}")
+            else:
+                token = await get_token_non_interactive(env_key, user_key)
+                print(token)
+            return
+        except Exception as e:
+            print(f"Error: {e}", file=sys.stderr)
+            sys.exit(1)
+    
+    if args.environment and not args.user:
+        console.print()
+        console.print("[bold green]SSO CLI[/bold green]\n")
+        authenticator = SSOAuthenticator()
+        env_key = resolve_environment(authenticator, args.environment)
+        if env_key not in authenticator.get_environments():
+            authenticator.create_environment(env_key)
+        env_users = authenticator.get_available_users_for_environment(env_key)
+        if not env_users:
+            console.print("[dim]No users. Creating first user...[/dim]\n")
+            selected_user = Prompt.ask("User key")
+        else:
+            selector = ModernSelector()
+            user_options = []
+            for user_key, config in env_users.items():
+                display = config.get("email") or config.get("client_id") or user_key
+                user_options.append(display)
+            user_choice = selector.select_from_list("User", user_options)
+            selected_user = list(env_users.keys())[user_choice]
+        if args.roles:
+            await show_roles(authenticator, env_key, selected_user)
+        else:
+            await show_token(authenticator, env_key, selected_user)
+        return
+    
+    if not args.environment and not args.user:
+        console.print()
+        console.print("[bold green]SSO CLI[/bold green]\n")
+        authenticator = SSOAuthenticator()
+        selector = ModernSelector()
+        envs = authenticator.get_environments()
+        
+        if not envs:
+            console.print("[dim]First use: creating environment...[/dim]\n")
+            env_key = Prompt.ask("Environment key", default=args.environment if args.environment else None)
+            authenticator.create_environment(env_key)
+            selected_env = env_key
+        else:
+            if args.environment:
+                selected_env = resolve_environment(authenticator, args.environment)
+                if selected_env not in envs:
+                    authenticator.create_environment(selected_env)
+            else:
+                env_options = [env_key for env_key in envs.keys()]
+                env_choice = selector.select_from_list("Environment", env_options)
+                selected_env = list(envs.keys())[env_choice]
+        
+        env_users = authenticator.get_available_users_for_environment(selected_env)
+        if not env_users:
+            console.print("[dim]No users. Creating first user...[/dim]\n")
+            selected_user = Prompt.ask("User key", default=args.user if args.user else None)
+        else:
+            if args.user:
+                selected_user = resolve_user(authenticator, selected_env, args.user)
+            else:
+                user_options = []
+                for user_key, config in env_users.items():
+                    display = config.get("email") or config.get("client_id") or user_key
+                    user_options.append(display)
+                user_choice = selector.select_from_list("User", user_options)
+                selected_user = list(env_users.keys())[user_choice]
+        
+        if args.roles:
+            await show_roles(authenticator, selected_env, selected_user)
+        else:
+            await show_token(authenticator, selected_env, selected_user)
+        return
+    
+    print("Error: Need both env and user", file=sys.stderr)
+    sys.exit(1)
+
+
+def main():
+    try:
+        asyncio.run(main_async())
+    except KeyboardInterrupt:
+        console.print("\n[yellow]Goodbye[/yellow]")
+        sys.exit(0)
+

sso_cli-1.0.0/sso_cli/config.py

@@ -0,0 +1,59 @@
+"""Config management"""
+
+import os
+import logging
+from typing import Dict, Any, Optional
+from pathlib import Path
+
+try:
+    import yaml
+    YAML_AVAILABLE = True
+except ImportError:
+    YAML_AVAILABLE = False
+
+logger = logging.getLogger(__name__)
+
+
+class SSOConfigManager:
+    def __init__(self):
+        self.config_path = self._find_config_path()
+    
+    def _find_config_path(self) -> Optional[Path]:
+        paths = []
+        if "SSO_CONFIG_PATH" in os.environ:
+            paths.append(Path(os.environ["SSO_CONFIG_PATH"]))
+        paths.extend([
+            Path.cwd() / "sso_config.yaml",
+            Path.home() / "sso_config.yaml",
+            Path(__file__).parent.parent / "sso_config.yaml"
+        ])
+        for path in paths:
+            if path.exists():
+                return path
+        return Path.home() / "sso_config.yaml"
+    
+    def load(self) -> Dict[str, Any]:
+        if not YAML_AVAILABLE:
+            raise ImportError("PyYAML required: pip install pyyaml")
+        if not self.config_path or not self.config_path.exists():
+            return {}
+        try:
+            with open(self.config_path, 'r', encoding='utf-8') as f:
+                return yaml.safe_load(f) or {}
+        except Exception as e:
+            logger.error(f"Failed to load config: {e}")
+            return {}
+    
+    def save(self, config: Dict[str, Any]) -> bool:
+        if not YAML_AVAILABLE:
+            raise ImportError("PyYAML required: pip install pyyaml")
+        try:
+            self.config_path.parent.mkdir(parents=True, exist_ok=True)
+            with open(self.config_path, 'w', encoding='utf-8') as f:
+                yaml.dump(config, f, default_flow_style=False, sort_keys=False, allow_unicode=True)
+            os.chmod(self.config_path, 0o600)
+            return True
+        except Exception as e:
+            logger.error(f"Failed to save config: {e}")
+            return False
+

sso_cli-1.0.0/sso_cli/secrets.py

@@ -0,0 +1,58 @@
+"""Secret management via keyring"""
+
+import logging
+
+try:
+    import keyring
+    KEYRING_AVAILABLE = True
+except ImportError:
+    KEYRING_AVAILABLE = False
+
+logger = logging.getLogger(__name__)
+
+
+class SecretManager:
+    SERVICE_NAME = "sso-cli"
+    
+    @staticmethod
+    def get_secret_key(environment: str, user_key: str, secret_type: str) -> str:
+        return f"{environment}:{user_key}:{secret_type}"
+    
+    @staticmethod
+    def get_secret(environment: str, user_key: str, secret_type: str):
+        if not KEYRING_AVAILABLE:
+            raise ImportError("keyring required: pip install keyring")
+        try:
+            key = SecretManager.get_secret_key(environment, user_key, secret_type)
+            return keyring.get_password(SecretManager.SERVICE_NAME, key)
+        except Exception as e:
+            logger.error(f"Keyring error: {e}")
+            return None
+    
+    @staticmethod
+    def set_secret(environment: str, user_key: str, secret_type: str, secret: str) -> bool:
+        if not KEYRING_AVAILABLE:
+            raise ImportError("keyring required: pip install keyring")
+        try:
+            key = SecretManager.get_secret_key(environment, user_key, secret_type)
+            keyring.set_password(SecretManager.SERVICE_NAME, key, secret)
+            return True
+        except Exception as e:
+            logger.error(f"Keyring error: {e}")
+            return False
+    
+    @staticmethod
+    def delete_secret(environment: str, user_key: str, secret_type: str) -> bool:
+        if not KEYRING_AVAILABLE:
+            return False
+        try:
+            key = SecretManager.get_secret_key(environment, user_key, secret_type)
+            keyring.delete_password(SecretManager.SERVICE_NAME, key)
+            return True
+        except Exception as e:
+            error_str = str(e).lower()
+            if "not found" in error_str or "item not found" in error_str or "-25300" in error_str:
+                return True
+            logger.error(f"Keyring error: {e}")
+            return False
+

sso_cli-1.0.0/sso_cli/utils.py

@@ -0,0 +1,12 @@
+"""Utilities"""
+
+import pyperclip
+
+
+def copy_to_clipboard(text: str) -> bool:
+    try:
+        pyperclip.copy(text)
+        return True
+    except Exception:
+        return False
+

sso_cli-1.0.0/sso_cli.egg-info/PKG-INFO

@@ -0,0 +1,85 @@
+Metadata-Version: 2.4
+Name: sso-cli
+Version: 1.0.0
+Summary: SSO auth CLI - Keycloak/OIDC token & roles
+Author: SSO CLI Contributors
+License-Expression: MIT
+Keywords: sso,auth,keycloak,cli
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: Topic :: Security
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.7
+Classifier: Programming Language :: Python :: 3.8
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Requires-Python: >=3.7
+Description-Content-Type: text/markdown
+Requires-Dist: httpx>=0.24.0
+Requires-Dist: pyyaml>=6.0.0
+Requires-Dist: pyperclip>=1.8.2
+Requires-Dist: rich>=13.0.0
+Requires-Dist: inquirer>=3.0.0
+Requires-Dist: keyring>=24.0.0
+
+# sso-cli
+
+SSO auth CLI - Keycloak/OIDC tokens & roles.
+
+CLI tool for authenticating with Keycloak/OIDC providers, fetching access tokens, and listing user roles. Supports multiple environments, password and client credentials authentication, with secrets stored in the system keyring. With prefix matching for quick access and organized role display from both JWT tokens and userinfo endpoints.
+
+## Install
+
+```bash
+pip install sso-cli
+```
+
+## Usage
+
+```bash
+# Get token
+sso prod user@example.com
+
+# Prefix matching (auto-complete)
+sso p u          # → sso prod user@example.com (if unique)
+sso prod u       # → error if ambiguous
+
+# List roles (JWT + UserInfo)
+sso prod user@example.com -r
+
+# List/Remove
+sso -l env
+sso -l user
+sso -d env prod
+sso -d user prod user@example.com
+
+# Interactive
+sso
+```
+
+## Config
+
+Configuration is stored in `~/sso_config.yaml` (auto-created by the app). All setup is done through the interactive flow - no manual YAML editing required.
+
+Example structure (for reference):
+
+```yaml
+environments:
+  prod:
+    sso_url: https://sso.example.com
+    realm: Production
+    client_id: my-client-id  # optional, prompted if needed
+
+users:
+  prod:
+    user@example.com:
+      auth_type: password
+      email: user@example.com
+    api-client:
+      auth_type: client_credentials
+      client_id: api-client
+```
+
+Secrets (passwords and client secrets) are stored securely in the system keyring. Environments and users are automatically created on first use through an interactive setup flow. The tool supports optional client_id configuration per environment for Keycloak instances that require it.

sso_cli-1.0.0/sso_cli.egg-info/SOURCES.txt

@@ -0,0 +1,14 @@
+README.md
+pyproject.toml
+sso_cli/__init__.py
+sso_cli/auth.py
+sso_cli/cli.py
+sso_cli/config.py
+sso_cli/secrets.py
+sso_cli/utils.py
+sso_cli.egg-info/PKG-INFO
+sso_cli.egg-info/SOURCES.txt
+sso_cli.egg-info/dependency_links.txt
+sso_cli.egg-info/entry_points.txt
+sso_cli.egg-info/requires.txt
+sso_cli.egg-info/top_level.txt

sso_cli-1.0.0/sso_cli.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

sso_cli-1.0.0/sso_cli.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+sso = sso_cli.cli:main

sso_cli-1.0.0/sso_cli.egg-info/requires.txt

@@ -0,0 +1,6 @@
+httpx>=0.24.0
+pyyaml>=6.0.0
+pyperclip>=1.8.2
+rich>=13.0.0
+inquirer>=3.0.0
+keyring>=24.0.0

sso_cli-1.0.0/sso_cli.egg-info/top_level.txt

@@ -0,0 +1 @@
+sso_cli