Undocumented default realm clients


Alex

Apr 17, 2023, 12:02:15 PM
to Keycloak User
Hello,

I tried to find this information in many places (GitHub, documentation, etc.) but I didn't succeed.

I used version 20.0.5 for this listing.

When we create a new realm, Keycloak automatically creates new clients in it:
* account
* account-console
* admin-cli
* broker
* master-realm
* security-admin-console

It is unclear what the usage is. Is there any documentation that highlights the role of each client within Keycloak architecture? Should we keep all of them enabled?

I reviewed all of them and I have some questions:
* admin-cli is using direct access grant while it is now recommended not to use the "Resource Owner Password Credentials Grant" (source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-resource-owner-password-cre). Is there any explanation why Keycloak uses this flow for admin-cli? Is there any plan to change that?
* broker has no flow but I see authentication through client id and client secret (but the client secret is blank in the console). Is this expected? Is there any risk in keeping the broker enabled?

I believe the documentation should be updated on the default configuration of a realm.

Thanks for your help and for the great work on Keycloak project.

Alexandre

Thomas Darimont

Apr 17, 2023, 6:31:41 PM
to Keycloak User
Hello Alexandre,

I'll try to give you a brief description of what every standard client in every realm does:

# account
This client represents the account-api (backend) and contains account-related roles as an OIDC confidential client.

# account-console
This client represents the React (SPA) based account frontend as an OIDC public client.

# admin-cli
This client can be combined with kcadm.sh for managing a Keycloak realm. However, for automating realm provisioning, 
a custom client like "keycloak-config-cli" with client credentials as the only grant is often preferred to admin-cli.

# broker
This client can be used as the backend for an identity broker. However, it is recommended to create dedicated backends to connect 
with identity providers to have more control over allowed redirect URIs, scopes, and mappings.

# realm-management
This client represents the realm-management API backend and contains realm-management-related roles.
Note that this client does not exist in the master realm. See: Realm Management Clients.

# security-admin-console
This client represents the admin-ui scoped to that particular realm, and this means that if one uses the security-admin-console 
of a specific (non-master) realm, then only this realm can be managed via this client.

# Realm Management Clients
In the master realm, in addition to the clients mentioned above, you have special management clients for every realm 
within the Keycloak system. That means that if you have a realm named "acme", the master realm will contain a client called "acme-realm".
These management clients allow users in the master realm access to a subset of realms with realm-specific roles.

Cheers,
Thomas
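To make the advice in Thomas's reply concrete, here is an added example (not Keycloak's own code and not from either poster). It does two things: it audits the built-in clients in a realm export for the settings discussed above (admin-cli with the password grant enabled, broker enabled without an external identity provider, public clients), and it shows how an automation job obtains an admin-API token with a dedicated confidential client via the client_credentials grant rather than admin-cli's password grant. The export field names are those of a Keycloak realm export; the sample export, the client id "provisioning" and the host names are constructed for the example. The token endpoint path assumes a Quarkus-based Keycloak (17+, no /auth prefix), matching the 20.0.5 mentioned in the question.

```python
"""Audit a realm's built-in clients and fetch an admin token without admin-cli.

Added example for this thread; not Keycloak code. Assumes the JSON field names of a
Keycloak realm export (Realm settings > Action > Partial export, or `kc.sh export`).
The HTTP transport is injectable so the token function can be exercised offline.
"""
import json
import urllib.parse
import urllib.request

BUILTIN_CLIENTS = {"account", "account-console", "admin-cli", "broker",
                   "realm-management", "security-admin-console"}

# Constructed sample: the "clients" part of a partial export, trimmed to the fields
# this script reads. Flags mirror a fresh realm's defaults as described in the thread;
# "provisioning" is a hypothetical service-account client for automation.
SAMPLE_EXPORT = json.dumps({
    "realm": "acme",
    "clients": [
        {"clientId": "account", "enabled": True, "publicClient": False,
         "standardFlowEnabled": True, "directAccessGrantsEnabled": False},
        {"clientId": "account-console", "enabled": True, "publicClient": True,
         "standardFlowEnabled": True, "directAccessGrantsEnabled": False},
        {"clientId": "admin-cli", "enabled": True, "publicClient": True,
         "standardFlowEnabled": False, "directAccessGrantsEnabled": True},
        {"clientId": "broker", "enabled": True, "publicClient": False,
         "standardFlowEnabled": False, "directAccessGrantsEnabled": False},
        {"clientId": "realm-management", "enabled": True, "publicClient": False,
         "bearerOnly": True, "standardFlowEnabled": False, "directAccessGrantsEnabled": False},
        {"clientId": "security-admin-console", "enabled": True, "publicClient": True,
         "standardFlowEnabled": True, "directAccessGrantsEnabled": False},
        {"clientId": "provisioning", "enabled": True, "publicClient": False,
         "standardFlowEnabled": False, "directAccessGrantsEnabled": False,
         "serviceAccountsEnabled": True},
    ],
})


def audit_default_clients(export_json, admin_cli_in_use=False, has_external_idp=False):
    """Return (clientId, finding) pairs for enabled clients worth a second look."""
    findings = []
    for c in json.loads(export_json)["clients"]:
        cid = c["clientId"]
        if not c.get("enabled", True):
            continue  # a disabled client cannot be used at all
        if c.get("directAccessGrantsEnabled"):
            findings.append((cid, "password grant (ROPC) enabled"))
        if cid == "admin-cli" and not admin_cli_in_use:
            findings.append((cid, "kcadm.sh not in use; can be disabled"))
        if cid == "broker" and not has_external_idp:
            findings.append((cid, "no external identity provider; can be disabled"))
        if c.get("publicClient") and cid not in BUILTIN_CLIENTS:
            findings.append((cid, "custom public client; confirm it needs no secret"))
    return findings


def disable_clients(export_json, client_ids):
    """Return a copy of the export with the given clients set to enabled=false,
    suitable for re-importing (partial import, overwrite existing)."""
    realm = json.loads(export_json)
    for c in realm["clients"]:
        if c["clientId"] in client_ids:
            c["enabled"] = False
    return json.dumps(realm)


def _post_form(url, form):
    """Default transport: POST a form-encoded body, return the parsed JSON reply."""
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def admin_token_via_client_credentials(base_url, realm, client_id, client_secret,
                                       post=_post_form):
    """Token for a confidential client with a service account (client_credentials).

    Unlike admin-cli, no user password crosses the wire; the client's service-account
    user carries only the realm-management roles it has been granted.
    """
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    form = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    resp = post(url, form)
    if "access_token" not in resp:
        raise RuntimeError(f"token request failed: {resp.get('error', resp)}")
    return resp["access_token"]


if __name__ == "__main__":
    for cid, why in audit_default_clients(SAMPLE_EXPORT):
        print(f"{cid:24} {why}")
    hardened = disable_clients(SAMPLE_EXPORT, {"admin-cli", "broker"})
    print("after disabling admin-cli and broker:", audit_default_clients(hardened))
```

Run against a real export, pass `admin_cli_in_use=True` or `has_external_idp=True` to suppress the findings that do not apply, and re-import the output of `disable_clients` through the realm's partial import. For the token call, the service-account user of the automation client still needs realm-management roles (for example `manage-clients`) assigned in the target realm; the grant only changes how the client authenticates, not what it is allowed to do.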

Alex

Apr 20, 2023, 5:37:37 AM
to Keycloak User
Hi Thomas,

First, thanks for the answer: really comprehensive and detailed! It's appreciated.

In practice, I understand that, except for broker and admin-cli, all default clients should be kept enabled and their default configuration is secure enough.
* For admin-cli: it can be disabled if admin-cli is not used and, in general, for automation there are better solutions than admin-cli.
* Broker: it can be disabled if we don't have an external IDP. If we need an external IDP, there are better solutions than using this default client. Would you have a link to explain "However, it is recommended to create dedicated backends to connect with identity providers to have more control over allowed redirect URIs, scopes, and mappings."?