<div dir="ltr">Nice summary and everything spot on!<br><div class="gmail_extra"><br><div class="gmail_quote">On 12 April 2016 at 23:45, Thomas Darimont <span dir="ltr">&lt;<a href="mailto:thomas.darimont@googlemail.com" target="_blank">thomas.darimont@googlemail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div>Hello,</div><div><br></div><div>from my understanding and from reading the docs &amp; mailing lists I'd explain the clients as follows:</div><div><br></div><div>/account</div><div>web application with UI, currently embedded in Keycloak itself, that serves as a self-service </div><div>account management application where users can change information about their user account, </div><div>change passwords, have a look at their active sessions etc.</div><div><br></div><div>You should leave this if you want your users to be able to manage their account themselves.</div><div><br></div><div>/admin-cli</div><div>"technical" client (no UI) that was introduced in 1.7 and is used for direct-grants with </div><div>access-type "public" and has scope to realm-management (which implies some client roles like: </div><div>realm-admin, management-realm, manage-users, etc.) similar to the security-admin-console. </div><div>This client can also be used for configuring the realm via the REST API or the Keycloak admin-client.</div><div><br></div><div>You should leave this if you want to administer your realm via the REST API.</div><div><br></div><div>/broker</div><div>"technical" client (no UI) is used for standard flow and has scope to read-token, allows the user </div><div>to access any stored external tokens (via the broker service).</div><div><br></div><div>You should leave this if you want to do identity brokering. 
(guessing here)<br></div><div><br></div><div>/realm-management</div><div>"technical" client (no UI), similar to admin-cli but uses access-type bearer-only,</div><div>which means that instead of doing the OAuth dance you need to pass</div><div>the access_token via the Authorization: Bearer TOKEN HTTP request header.</div><div><br></div><div>You should leave this if you want to administer your realm via the REST API.<br></div><div><br></div><div>/security-admin-console</div><div>web application with UI, currently embedded in Keycloak itself, which serves as the management console </div><div>you are using to configure your realm via the browser.</div><div><br></div><div>From Keycloak's perspective the admin-console is also just an OAuth client.</div><div><br></div><div>You should leave this if you want to administer your realm via the admin console (which you probably do).</div><div>--</div><div><br></div><div>Perhaps it would help to populate the description field with a brief summary for the "default" client definitions.<br></div><div>Having those clients mentioned in the docs somewhere would be helpful as well.</div></div></blockquote><div><br></div><div>This is the plan. 
We're also going to remove "broker" and "realm-management"; these are just used as a "container" for roles and will be replaced with role namespaces.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div><br></div><div>Cheers,</div><div>Thomas</div><div><div class="h5"><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">2016-04-12 23:03 GMT+02:00 Aikeaguinea <span dir="ltr">&lt;<a href="mailto:aikeaguinea@xsmail.com" target="_blank">aikeaguinea@xsmail.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">When I create a new realm, I see that the following clients are<br>
automatically created in that realm:<br>
<br>
account<br>
admin-cli<br>
broker<br>
realm-management<br>
security-admin-console<br>
<br>
It's hard for me to tell whether or not to delete these clients without<br>
knowing what they're for, and I haven't successfully found documentation<br>
on the subject. Might someone explain what these are about?<br>
<span><font color="#888888"><br>
--<br>
<a href="http://www.fastmail.com" rel="noreferrer" target="_blank">http://www.fastmail.com</a> - Accessible with your email software<br>
or over the web<br>
<br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</font></span></blockquote></div><br></div></div></div></div>
<br></blockquote></div><br></div></div>
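<div>An added example, not part of the original thread and not Keycloak project code: a small audit of a realm export that classifies the auto-created clients by access type, notes a public client that accepts direct grants (the admin-cli case described above), and reports which default clients have been deleted and what the thread says is lost with them. The sample export is constructed; the flag names are those of Keycloak's client representation, and the flag values the thread does not state are assumptions.</div>

```python
import json

# What the thread says each auto-created client is needed for.
PURPOSE = {
    "account": "self-service account management UI",
    "admin-cli": "direct-grant logins for REST/admin-client administration",
    "broker": "identity brokering (access to stored external tokens)",
    "realm-management": "container for the realm administration roles",
    "security-admin-console": "browser admin console",
}

# Constructed sample export (not from the thread). Flag values the thread
# does not state (e.g. for account) are assumptions for illustration.
SAMPLE_EXPORT = """
{"realm": "demo", "clients": [
  {"clientId": "account", "publicClient": false, "bearerOnly": false, "directAccessGrantsEnabled": false},
  {"clientId": "admin-cli", "publicClient": true, "bearerOnly": false, "directAccessGrantsEnabled": true},
  {"clientId": "realm-management", "publicClient": false, "bearerOnly": true, "directAccessGrantsEnabled": false},
  {"clientId": "security-admin-console", "publicClient": true, "bearerOnly": false, "directAccessGrantsEnabled": false},
  {"clientId": "my-app", "publicClient": false, "bearerOnly": false, "directAccessGrantsEnabled": false}
]}
"""

def access_type(client):
    """Derive the access-type label from the export's boolean flags."""
    if client.get("bearerOnly"):
        return "bearer-only"
    return "public" if client.get("publicClient") else "confidential"

def audit_default_clients(export_text):
    """Return (report, missing) for the auto-created clients of one realm."""
    clients = json.loads(export_text).get("clients", [])
    report = {}
    for c in clients:
        cid = c.get("clientId")
        if cid not in PURPOSE:
            continue  # only the auto-created clients are in scope
        kind = access_type(c)
        notes = []
        if kind == "public" and c.get("directAccessGrantsEnabled"):
            notes.append("password grant works without a client secret")
        report[cid] = {"access_type": kind, "notes": notes}
    missing = {cid: PURPOSE[cid] for cid in PURPOSE if cid not in report}
    return report, missing

if __name__ == "__main__":
    for item in audit_default_clients(SAMPLE_EXPORT):
        print(json.dumps(item, indent=2))
```

<div>In the constructed sample the broker client has been removed, so it appears in the missing map together with the capability the thread attributes to it.</div>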