Create openid client : still not easy to grasp for "beginners" #12071
christopheblin started this conversation in Archive
Replies: 0 comments
When I create an openid client, I have these questions in my head:
At the moment, all these options are possible through the GUI but you have to "think twice" (or actually, more than twice 😄)
My suggestions would be to change the "Capability config" screen when openid has been selected in step 1 (there is a LOT of "empty space" on this screen that can be used to immediately display the hints, for example)
Another suggestion is to disable "direct access grant" by default now that OAuth 2.0 is widespread
Here is a (very bad) approximation of what I have in mind for this screen
Client authentication
Public |SWITCH| Confidential (default to public)
Choose public when your client is a client-side application like a browser or a mobile application that is not able to protect a secret
Choose confidential when your client is a server-side application that is able to protect a secret
Service account (only enabled/visible when confidential is selected)
Off |SWITCH| On (default to on)
Enable service account if the confidential client is going to use a token for itself, meaning it will call resources without a user being logged in
Custom login screen (direct access grant)
Off |SWITCH| On (default to off)
Enable custom login screen (aka "Direct access grant") if the client has access to the login/password of users. This is not recommended for security reasons, as the user should always log in directly to Keycloak in order to be sure the credentials are not stolen by a third-party application. For more details, look at "OAuth 2.0 Resource Owner Password Credentials Grant"
Hardware device
Off |SWITCH| On (default to off)
Enable hardware device if the client lacks a suitable browser or has limited input capabilities, for example an IoT device, a TV, ... Instead of asking for login/password, it will ask to log in from another device (like a smartphone) and to input a simple code on the device. For more details, look at "OAuth 2.0 Device Authorization Grant"
Legacy OAuth2
Off |CHECKBOX| Legacy + Standard |CHECKBOX| Only legacy |CHECKBOX| (default to off)
Enable legacy OAuth2 (aka OAuth 2.0 "Implicit flow") if the client is not compatible with the "Standard flow" that is more secure.
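To make the mapping behind this mock-up concrete, here is an added example (not part of the original post or of Keycloak itself) that turns the four switches, with the defaults proposed above, into the ClientRepresentation fields Keycloak's Admin REST API actually stores, and then lints the result the way a reviewer would before importing it. The JSON keys are Keycloak's own; `build_client` and `lint_client` are names I made up for this example.

```python
import json

# Keycloak stores the device-flow switch as a client attribute under this key.
DEVICE_FLOW_ATTR = "oauth2.device.authorization.grant.enabled"


def build_client(client_id, confidential=False, service_account=True,
                 direct_access_grant=False, device_flow=False, legacy="off"):
    """Map the mock-up's switches (with its proposed defaults) onto the
    ClientRepresentation keys the Admin REST API accepts.
    legacy is "off", "legacy+standard" or "only-legacy", as in the mock-up."""
    if legacy not in ("off", "legacy+standard", "only-legacy"):
        raise ValueError(f"unknown legacy mode {legacy!r}")
    return {
        "clientId": client_id,
        "protocol": "openid-connect",
        "publicClient": not confidential,
        # the service-account switch only exists for confidential clients
        "serviceAccountsEnabled": confidential and service_account,
        "directAccessGrantsEnabled": direct_access_grant,
        "implicitFlowEnabled": legacy != "off",
        "standardFlowEnabled": legacy != "only-legacy",
        "attributes": {DEVICE_FLOW_ATTR: "true" if device_flow else "false"},
    }


def lint_client(rep):
    """Findings a reviewer would raise on a client representation."""
    findings = []
    if rep.get("publicClient") and rep.get("serviceAccountsEnabled"):
        findings.append("service account on a public client (no secret to authenticate with)")
    if rep.get("directAccessGrantsEnabled"):
        findings.append("direct access grant: client receives user passwords (ROPC)")
    if rep.get("implicitFlowEnabled"):
        findings.append("implicit flow: tokens are exposed in the URL fragment")
    if rep.get("implicitFlowEnabled") and not rep.get("standardFlowEnabled"):
        findings.append("only legacy flow: the standard (code) flow is disabled")
    return findings


if __name__ == "__main__":
    spa = build_client("my-spa")                       # the mock-up's defaults
    old = build_client("old-app", confidential=True,   # constructed weak config
                       direct_access_grant=True, legacy="only-legacy")
    for rep in (spa, old):
        print(json.dumps(rep, indent=2))
        print("findings:", lint_client(rep) or "none")
```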