[keycloak-user] Default clients for a new realm

Stian Thorgersen sthorger at redhat.com
Wed Apr 13 00:44:55 EDT 2016


Nice summary and everything spot on!

On 12 April 2016 at 23:45, Thomas Darimont <thomas.darimont at googlemail.com>
wrote:

> Hello,
>
> from my understanding and from reading the docs & mailing lists I'd
> explain the clients as follows:
>
> /account
> web application with UI, currently embedded in Keycloak itself, that
> serves as a self-service
> account management application where users can change information about
> their user account,
> change passwords, have a look at their active sessions etc.
>
> You should leave this if you want your users to be able to manage their
> account themselves.
>
> /admin-cli
> "technical" client (no UI) that was introduced in 1.7 and is used for
> direct-grants with
> access-type "public" and has scope to realm-management (which implies some
> client roles like:
> realm-admin, management-realm, manage-users, etc.) similarly to the
> security-admin-console.
> This client can also be used for configuring the realm via the REST API or
> the Keycloak admin-client.
>
> You should leave this if you want to administer your realm via the REST
> API.
>
> /broker
> "technical" client (no UI) is used for standard flow and has scope to
> read-token, allows the user
> to access any stored external tokens (via the broker service).
>
> You should leave this if you want to do identity brokering. (guessing
> here)
>
> /realm-management
> "technical" client (no UI), similar to admin-cli but uses access-type
> bearer-only,
> which means that instead of doing the OAuth dance you need to pass
> the access_token via the Authorization: Bearer TOKEN HTTP request header.
>
> You should leave this if you want to administer your realm via the REST
> API.
>
> /security-admin-console
> web application with UI, currently embedded in Keycloak itself, which
> serves as the management console
> you are using to configure your realm via the browser.
>
> From Keycloak's perspective the admin-console is also just an OAuth client.
>
> You should leave this if you want to administer your realm via the admin
> console (which you probably do).
> --
>
> Perhaps it would help to populate description field with a brief summary
> for the "default" client definitions.
> Having those clients mentioned in the docs somewhere would be helpful as
> well.
>

This is the plan. We're also going to remove "broker" and
"realm-management", these are just used as a "container" for roles and will
be replaced with role namespaces.


>
> Cheers,
> Thomas
>
>
> 2016-04-12 23:03 GMT+02:00 Aikeaguinea <aikeaguinea at xsmail.com>:
>
>> When I create a new realm, I see that the following clients are
>> automatically created in that realm:
>>
>> account
>> admin-cl
>> broker
>> realm-management
>> security-admin-console
>>
>> It's hard for me to tell whether or not to delete these clients without
>> knowing what they're for, and I haven't successfully found documentation
>> on the subject. Might someone explain what these are about?
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>
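
The descriptions in this thread can be turned into a check over a realm export. The following is an added example, not code from the thread or from the Keycloak project: it assumes the export JSON uses the `clientId`, `enabled`, `publicClient`, `bearerOnly` and `directAccessGrantsEnabled` client fields, encodes only the properties the thread states for `admin-cli` and `realm-management`, and runs on a constructed sample realm.

```python
import json

# Clients the thread lists as auto-created in every new realm.
DEFAULT_CLIENTS = ("account", "admin-cli", "broker",
                   "realm-management", "security-admin-console")

# Only the properties the thread states; nothing is assumed for the others.
DESCRIBED = {
    "admin-cli": {"access_type": "public", "directAccessGrantsEnabled": True},
    "realm-management": {"access_type": "bearer-only"},
}

def access_type(client):
    """Map the export's boolean flags to the access type named in the thread."""
    if client.get("bearerOnly"):
        return "bearer-only"
    return "public" if client.get("publicClient") else "confidential"

def audit_defaults(realm):
    """Return (clientId, property, observed, described) for each deviation."""
    by_id = {c["clientId"]: c for c in realm.get("clients", [])}
    findings = []
    for cid in DEFAULT_CLIENTS:
        client = by_id.get(cid)
        if client is None:
            findings.append((cid, "present", False, True))
            continue
        observed = dict(client, access_type=access_type(client))
        for prop, want in DESCRIBED.get(cid, {}).items():
            if observed.get(prop) != want:
                findings.append((cid, prop, observed.get(prop), want))
    return findings

def password_grant_without_secret(realm):
    """Enabled public clients that accept direct grants (no client secret)."""
    return sorted(c["clientId"] for c in realm.get("clients", [])
                  if c.get("enabled", True) and access_type(c) == "public"
                  and c.get("directAccessGrantsEnabled"))

# Constructed sample export, not taken from a real server.
SAMPLE_REALM = json.loads("""{"realm": "demo", "clients": [
  {"clientId": "account"}, {"clientId": "broker"},
  {"clientId": "admin-cli", "publicClient": true, "directAccessGrantsEnabled": false},
  {"clientId": "realm-management", "bearerOnly": true},
  {"clientId": "old-app", "enabled": false, "publicClient": true, "directAccessGrantsEnabled": true},
  {"clientId": "my-app", "publicClient": true, "directAccessGrantsEnabled": true}]}""")

if __name__ == "__main__":
    print(audit_defaults(SAMPLE_REALM), password_grant_without_secret(SAMPLE_REALM))
```

On the sample, the audit reports that `admin-cli` has direct grants switched off and that `security-admin-console` is absent, and the second function lists `my-app` as the only enabled client that accepts password grants without a client secret.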