Nice summary and everything spot on!
On 12 April 2016 at 23:45, Thomas Darimont <thomas.darimont(a)googlemail.com>
wrote:
Hello,
from my understanding and from reading the docs & mailing lists I'd
explain the clients as follows:
/account
web application with UI, currently embedded in keycloak itself, that serves
as a self-service account management application where users can change
information about their user account, change passwords, have a look at
their active sessions etc.
You should leave this if you want your users to be able to manage their
account themselves.
/admin-cli
"technical" client (no UI) that was introduced in 1.7 and is used for
direct-grants with access-type "public" and has scope to realm-management
(which implies some client roles like: realm-admin, management-realm,
manage-users, etc.) similarly to the security-admin-console.
This client can also be used for configuring the realm via the REST API or
the Keycloak admin-client.
You should leave this if you want to administer your realm via the REST API.
/broker
"technical" client (no UI) is used for standard flow and has scope to
read-token, allows the user to access any stored external tokens (via the
broker service).
You should leave this if you want to do identity brokering. (guessing here)
/realm-management
"technical" client (no UI), similar to admin-cli but uses access-type
bearer-only, which means that instead of doing the oauth dance you need to
pass the access_token via the Authorization: Bearer TOKEN HTTP request
header.
You should leave this if you want to administer your realm via the REST API.
/security-admin-console
web application with UI, currently embedded in keycloak itself, which serves
as the management console you are using to configure your realm via the
browser.
From Keycloak's perspective the admin-console is also just an oauth client.
You should leave this if you want to administer your realm via the admin
console (which you probably do).
--
Perhaps it would help to populate description field with a brief summary for
the "default" client definitions.
Having those clients mentioned in the docs somewhere would be helpful as well.
This is the plan. We're also going to remove "broker" and "realm-management",
these are just used as a "container" for roles and will be replaced with role
namespaces.
Cheers,
Thomas
2016-04-12 23:03 GMT+02:00 Aikeaguinea <aikeaguinea(a)xsmail.com>:
> When I create a new realm, I see that the following clients are
> automatically created in that realm:
>
> account
> admin-cl
> broker
> realm-management
> security-admin-console
>
> It's hard for me to tell whether or not to delete these clients without
> knowing what they're for, and I haven't successfully found documentation
> on the subject. Might someone explain what these are about?
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
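
The exchange described in the thread for admin-cli (a direct grant against a public client) and for the Authorization: Bearer header, as an added example that is not part of the original thread or Keycloak's own code. The base URL with its `/auth` context path, the realm name `demo`, the user name and the password are assumptions; the requests are built but not sent, so the block runs offline.

```python
import json
import urllib.parse
import urllib.request

# Assumed server location for illustration; not taken from the thread.
BASE_URL = "https://keycloak.example.test/auth"


def build_token_request(realm, username, password, base_url=BASE_URL):
    """Direct grant against the public admin-cli client: no client secret is sent."""
    form = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": "admin-cli",
        "username": username,
        "password": password,
    }).encode()
    realm_path = urllib.parse.quote(realm, safe="")
    url = f"{base_url}/realms/{realm_path}/protocol/openid-connect/token"
    return urllib.request.Request(url, data=form, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded"})


def extract_access_token(body):
    """Read access_token from the token endpoint's JSON reply; fail loudly on errors."""
    reply = json.loads(body)
    if "access_token" not in reply:
        raise ValueError(f"token request failed: {reply.get('error', 'unknown error')}")
    return reply["access_token"]


def build_admin_request(realm, resource, access_token, base_url=BASE_URL):
    """Admin REST call: the token travels in the Authorization: Bearer header."""
    realm_path = urllib.parse.quote(realm, safe="")
    url = f"{base_url}/admin/realms/{realm_path}/{resource}"
    return urllib.request.Request(url, method="GET", headers={
        "Authorization": f"Bearer {access_token}",
        "Accept": "application/json"})


if __name__ == "__main__":
    # Hypothetical user holding realm-management roles in the "demo" realm.
    token_req = build_token_request("demo", "realm-admin-user", "constructed-password")
    print(token_req.get_method(), token_req.full_url)
    # Constructed token reply standing in for the server's response.
    token = extract_access_token('{"access_token": "constructed.jwt.value", "token_type": "bearer"}')
    admin_req = build_admin_request("demo", "clients", token)
    print(admin_req.get_method(), admin_req.full_url)
    print("Authorization:", admin_req.get_header("Authorization"))
```
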