[keycloak-user] Default clients for a new realm
Aikeaguinea
aikeaguinea at xsmail.com
Tue Apr 12 19:32:27 EDT 2016
Thank you very much for this; it's very helpful.
On Tue, Apr 12, 2016, at 05:45 PM, Thomas Darimont wrote:
> Hello,
>
> from my understanding and from reading the docs & mailing lists I'd
> explain the clients as follows:
>
> /account
> web application with UI, currently embedded in keycloak itself, that
> serves as a self-service
> account management application where users can change information
> about their user account,
> change passwords, have a look at their active sessions etc.
>
> You should leave this if you want your users to be able to manage
> their account themselves.
>
> /admin-cli
> "technical" client (no UI) that was introduced in 1.7 and is used for
> direct-grants with
> access-type "public" and has scope to realm-management (which implies
> some client roles like:
> realm-admin, management-realm, manage-users, etc.) similarly to the
> security-admin-console.
> This client can also be used for configuring the realm via the REST
> API or the Keycloak admin-client.
>
> You should leave this if you want to administer your realm via the
> REST API.
>
> /broker
> "technical" client (no UI) is used for standard flow and has scope to
> read-token, allows the user
> to access any stored external tokens (via the broker service).
>
> You should leave this if you want to do identity brokering.
> (guessing here)
>
> /realm-management
> "technical" client (no UI), similar to admin-cli but uses access-type
> bearer-only,
> which means that instead of doing the oauth dance you need to pass
> the access_token via the Authorization: Bearer TOKEN HTTP
> request header.
>
> You should leave this if you want to administer your realm via the
> REST API.
>
> /security-admin-console
> web application with UI, currently embedded in keycloak itself, which
> serves as the management console
> you are using to configure your realm via the browser.
>
> From Keycloak's perspective the admin-console is also just an
> oauth client.
>
> You should leave this if you want to administer your realm via the
> admin console (which you probably do).
> --
>
> Perhaps it would help to populate description field with a brief
> summary for the "default" client definitions.
> Having those clients mentioned in the docs somewhere would be helpful
> as well.
>
> Cheers,
> Thomas
>
>
> 2016-04-12 23:03 GMT+02:00 Aikeaguinea <aikeaguinea at xsmail.com>:
>> When I create a new realm, I see that the following clients are
>> automatically created in that realm:
>>
>> account
>> admin-cl
>> broker
>> realm-management
>> security-admin-console
>>
>> It's hard for me to tell whether or not to delete these clients
>> without
>> knowing what they're for, and I haven't successfully found
>> documentation
>> on the subject. Might someone explain what these are about?
>>
>> --
>> http://www.fastmail.com - Accessible with your email software or over
>> the web
--
Aikeaguinea
aikeaguinea at xsmail.com
--
http://www.fastmail.com - Same, same, but different...
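
Before deleting any of the default clients discussed in this thread, it helps to see how each one is actually configured. The following is an added example, not part of the original messages and not Keycloak's own code: it reads a realm export and reports the access type and enabled flows of the five default clients, plus any that are missing. It assumes the export uses the `ClientRepresentation` fields `publicClient`, `bearerOnly`, `standardFlowEnabled` and `directAccessGrantsEnabled`; the sample export is constructed.

```python
import json

# The five clients the thread lists as created automatically in a new realm.
DEFAULT_CLIENTS = {"account", "admin-cli", "broker",
                   "realm-management", "security-admin-console"}

def access_type(client):
    """Map export flags to the access type named in the thread."""
    if client.get("bearerOnly"):
        return "bearer-only"
    return "public" if client.get("publicClient") else "confidential"

def enabled_flows(client):
    """List which of the two flows mentioned in the thread are switched on."""
    flows = []
    if client.get("standardFlowEnabled"):
        flows.append("standard")
    if client.get("directAccessGrantsEnabled"):
        flows.append("direct-grant")
    return flows

def summarize(realm_export):
    """Return ({clientId: (access type, flows)}, [missing default clients])."""
    realm = json.loads(realm_export)
    found = {c["clientId"]: (access_type(c), enabled_flows(c))
             for c in realm.get("clients", [])
             if c.get("clientId") in DEFAULT_CLIENTS}
    missing = sorted(DEFAULT_CLIENTS - found.keys())
    return found, missing

# Constructed sample export (trimmed; not taken from a real realm).
SAMPLE = json.dumps({"realm": "demo", "clients": [
    {"clientId": "admin-cli", "publicClient": True, "bearerOnly": False,
     "standardFlowEnabled": False, "directAccessGrantsEnabled": True},
    {"clientId": "realm-management", "publicClient": False, "bearerOnly": True,
     "standardFlowEnabled": False, "directAccessGrantsEnabled": False},
    {"clientId": "security-admin-console", "publicClient": True,
     "bearerOnly": False, "standardFlowEnabled": True,
     "directAccessGrantsEnabled": False},
    {"clientId": "my-app", "publicClient": False, "bearerOnly": False,
     "standardFlowEnabled": True, "directAccessGrantsEnabled": False},
]})

if __name__ == "__main__":
    found, missing = summarize(SAMPLE)
    for name, (kind, flows) in sorted(found.items()):
        print(f"{name:24} {kind:12} {', '.join(flows) or '-'}")
    print("missing defaults:", ", ".join(missing) or "none")
```
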