Nice summary and everything spot on!

On 12 April 2016 at 23:45, Thomas Darimont <thomas.darimont@googlemail.com> wrote:
Hello,

from my understanding and from reading the docs & mailing lists I'd explain the clients as follows:

/account
web application with UI, currently embedded in keycloak itself, that serves as a self-service 
account management application where users can change information about ther user account, 
change passwords, have a look at their active sessions etc.

You should leave this if you want your users to be able to manage their account themselves.

/admin-cli
"technical" client (no UI) that was introduced in 1.7 and is used for direct-grants with 
access-type "public" and has scope to realm-management (which implies some client roles like: 
realm-admin, management-realm, manage-users, etc.) similarly like the security-admin-console. 
This client can also be used for configuring the realm via the REST API or the Keycloak admin-client.

You should leave this if you want to administer your realm via the REST API.

/broker
"technical" client (no UI) is used for standard flow and has scope to read-token, allows the user 
to access any stored external tokens (via the broker service).

You should leave this if you want to do indentity brokering. (guessing here)

/realm-management
"technical" client (no UI), similar to admin-cli but uses access-type bearer-only,
which means that instead of doing the oauth dance you need to pass
the access_token via the Authorization: Bearer TOKEN HTTP request header.

You should leave this if you want to administer your realm via the REST API.

/security-admin-console
web application with UI, currently embedded in keycloak itself,  which serves as the management console 
you are using to configure your realm via the browser.

From keycloaks perspective the admin-console is also just an oauth client.

You should leave this if you want to administer your realm via the admin console (which you probably do).
--

Perhaps it would help to populate description field with a brief summary for the "default" client definitions.
Having those clients mentioned in the docs somewhere would be helpful as well.

This is the plan. We're also going to remove "broker" and "realm-management", these are just used as a "container" for roles and will be replaced with role namespaces.
 

Cheers,
Thomas


2016-04-12 23:03 GMT+02:00 Aikeaguinea <aikeaguinea@xsmail.com>:
When I create a new realm, I see that the following clients are
automatically created in that realm:

account
admin-cl
broker
realm-management
security-admin-console

It's hard for me to tell whether or not to delete these clients without
knowing what they're for, and I haven't successfully found documentation
on the subject. Might someone explain what these are about?

--
http://www.fastmail.com - Accessible with your email software
                          or over the web

_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user


_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user