[keycloak-user] Default clients for a new realm

Thomas Darimont thomas.darimont at googlemail.com
Tue Apr 12 17:45:50 EDT 2016


Hello,

from my understanding and from reading the docs & mailing lists I'd explain
the clients as follows:

/account
web application with UI, currently embedded in keycloak itself, that serves
as a self-service
account management application where users can change information about
their user account,
change passwords, have a look at their active sessions etc.

You should leave this if you want your users to be able to manage their
account themselves.

/admin-cli
"technical" client (no UI) that was introduced in 1.7 and is used for
direct-grants with
access-type "public" and has scope to realm-management (which implies some
client roles like:
realm-admin, management-realm, manage-users, etc.), similarly to the
security-admin-console.
This client can also be used for configuring the realm via the REST API or
the Keycloak admin-client.

You should leave this if you want to administer your realm via the REST API.

/broker
"technical" client (no UI) is used for standard flow and has scope to
read-token, allows the user
to access any stored external tokens (via the broker service).

You should leave this if you want to do identity brokering. (guessing here)

/realm-management
"technical" client (no UI), similar to admin-cli but uses access-type
bearer-only,
which means that instead of doing the oauth dance you need to pass
the access_token via the Authorization: Bearer TOKEN HTTP request header.

You should leave this if you want to administer your realm via the REST API.

/security-admin-console
web application with UI, currently embedded in keycloak itself,  which
serves as the management console
you are using to configure your realm via the browser.

From Keycloak's perspective the admin-console is also just an oauth client.

You should leave this if you want to administer your realm via the admin
console (which you probably do).
--

Perhaps it would help to populate description field with a brief summary
for the "default" client definitions.
Having those clients mentioned in the docs somewhere would be helpful as
well.

Cheers,
Thomas


2016-04-12 23:03 GMT+02:00 Aikeaguinea <aikeaguinea at xsmail.com>:

> When I create a new realm, I see that the following clients are
> automatically created in that realm:
>
> account
> admin-cl
> broker
> realm-management
> security-admin-console
>
> It's hard for me to tell whether or not to delete these clients without
> knowing what they're for, and I haven't successfully found documentation
> on the subject. Might someone explain what these are about?
>
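
The admin-cli direct grant and the `Authorization: Bearer` header described in the message above, as an added example that is not part of the original post or Keycloak's own code. The base URL (including the `/auth` prefix used by Keycloak releases of that period), the realm name and the credentials are assumptions and placeholders.

```python
# Added example: token via the public admin-cli client, then an admin REST call.
# BASE, realm names and credentials are placeholders, not values from the post.
import json
import urllib.parse
import urllib.request

BASE = "http://localhost:8080/auth"  # assumed local Keycloak of that era


def token_request(realm, username, password, base=BASE):
    """Direct grant (password grant) through the public admin-cli client."""
    form = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": "admin-cli",  # access-type "public": no client_secret is sent
        "username": username,
        "password": password,
    }).encode()
    realm_path = urllib.parse.quote(realm, safe="")
    url = f"{base}/realms/{realm_path}/protocol/openid-connect/token"
    return urllib.request.Request(url, data=form, method="POST")


def list_clients_request(realm, access_token, base=BASE):
    """Admin REST call: the token travels in the Authorization header."""
    realm_path = urllib.parse.quote(realm, safe="")
    url = f"{base}/admin/realms/{realm_path}/clients"
    headers = {"Authorization": f"Bearer {access_token}"}
    return urllib.request.Request(url, headers=headers, method="GET")


def list_client_ids(realm, username, password, base=BASE):
    """Return the clientIds defined in `realm` (performs two network calls)."""
    with urllib.request.urlopen(token_request(realm, username, password, base)) as r:
        token = json.load(r)["access_token"]
    with urllib.request.urlopen(list_clients_request(realm, token, base)) as r:
        return sorted(c["clientId"] for c in json.load(r))


if __name__ == "__main__":
    import getpass
    # Placeholder account; it needs realm-management roles to list clients.
    print(list_client_ids("master", "admin", getpass.getpass("admin password: ")))
```
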