I think in practice it makes sense. The bearer-only should not be shown in clients list as it's just about roles. The admin console should have redirect-uris for the admin console, but not have direct grant enabled. Finally the admin cli should only have direct grant enabled. That way they can be configured independently. As they are separate things and this is how we recommend others to organize their clients then we should do the same.

On 7 December 2015 at 16:36, Bill Burke <bburke@redhat.com> wrote:

Sorry, makes sense now after reading your exchange. In practice though, does it matter to have this split? Is it not better to consolidate into one client?

On 12/7/2015 3:48 AM, Marek Posolda wrote:

+1. That's what we have now and it's good pattern IMO.

Marek

On 07/12/15 09:38, Stian Thorgersen wrote:

Should we not have one client for the roles that represents the
services (bearer-only), then have a separate clients for admin GUI and
CLI?

On 7 December 2015 at 09:34, Marek Posolda <mposolda@redhat.com
<mailto:mposolda@redhat.com>> wrote:

On 03/12/15 20:06, Bill Burke wrote:
> * We can remove the realm-management client in each realm and
just merge
> the roles into security-admin-console.
Not sure about this one TBH. Also in 1.7 we introduced the "admin-cli"
client, which is used for direct-grants and has scope to
realm-management similarly like security-admin-console. The
security-admin-console is used for UI of admin console (javascript
client) when admin-cli is used for direct access to admin REST
endpoints
for example from admin-client.

Marek
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com