diff --git a/services/src/main/java/org/keycloak/services/managers/RealmManager.java b/services/src/main/java/org/keycloak/services/managers/RealmManager.java
index 6ea351aa5e..15648c8b58 100755
--- a/services/src/main/java/org/keycloak/services/managers/RealmManager.java
+++ b/services/src/main/java/org/keycloak/services/managers/RealmManager.java
@@ -279,8 +279,10 @@ public class RealmManager {
 if (application == null) {
 application = new ApplicationManager(this).createApplication(realm, Constants.ACCOUNT_MANAGEMENT_APP);
 application.setEnabled(true);
- String redirectUri = contextPath + "/realms/" + realm.getName() + "/account/*";
+ String base = contextPath + "/realms/" + realm.getName() + "/account";
+ String redirectUri = base + "/*";
 application.addRedirectUri(redirectUri);
+ application.setBaseUrl(base);
 for (String role : AccountRoles.ALL) {
 application.addDefaultRole(role);
diff --git a/services/src/main/java/org/keycloak/services/resources/TokenService.java b/services/src/main/java/org/keycloak/services/resources/TokenService.java
index 9b47de5002..1d922346d3 100755
--- a/services/src/main/java/org/keycloak/services/resources/TokenService.java
+++ b/services/src/main/java/org/keycloak/services/resources/TokenService.java
@@ -18,6 +18,7 @@ import org.keycloak.authentication.AuthenticationProviderException;
 import org.keycloak.authentication.AuthenticationProviderManager;
 import org.keycloak.jose.jws.JWSInput;
 import org.keycloak.jose.jws.crypto.RSAProvider;
+import org.keycloak.models.ApplicationModel;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.Constants;
 import org.keycloak.models.KeycloakSession;
@@ -221,10 +222,9 @@ public class TokenService {
 ClientModel client = authorizeClient(authorizationHeader, form, audit);
- if (client.isPublicClient()) {
- // we don't allow public clients to invoke grants/access to prevent phishing attacks
+ if ( (client instanceof ApplicationModel) && ((ApplicationModel)client).isBearerOnly()) {
 audit.error(Errors.NOT_ALLOWED);
- throw new ForbiddenException("Public clients are not allowed to invoke grants/access");
+ throw new ForbiddenException("Bearer-only applications are not allowed to invoke grants/access");
 }
 if (!realm.isEnabled()) {
@@ -745,6 +745,10 @@ public class TokenService {
 audit.error(Errors.CLIENT_DISABLED);
 return oauth.forwardToSecurityFailure("Login requester not enabled.");
 }
+ if ( (client instanceof ApplicationModel) && ((ApplicationModel)client).isBearerOnly()) {
+ audit.error(Errors.NOT_ALLOWED);
+ return oauth.forwardToSecurityFailure("Bearer-only applications are not allowed to initiate login");
+ }
 redirect = verifyRedirectUri(uriInfo, redirect, client);
 if (redirect == null) {
 audit.error(Errors.INVALID_REDIRECT_URI);
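Review bot: The new condition in the first hunk only rejects bearer-only applications, so the `client.isPublicClient()` rejection that previously guarded grants/access is gone and any public client (one that cannot present a secret to `authorizeClient`) can now post a user's credentials to this endpoint; the removed comment named phishing as the reason that was blocked, and nothing in the new code or the commit message replaces that reasoning. If public clients are now intentionally allowed to use direct grants, that should be an explicit per-client decision rather than the default for every public client, and the hunk should at least carry a comment stating it, e.g. `// public clients may invoke grants/access; only bearer-only applications are rejected here`. If it is not intentional, keep both checks: `if (client.isPublicClient() || ((client instanceof ApplicationModel) && ((ApplicationModel)client).isBearerOnly())) {` with the error message adjusted to cover both cases. The enclosing method starts before the hunk and continues after it.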
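Review bot: The bearer-only predicate added in the second hunk is a verbatim copy of the one in the first hunk, and both need the `instanceof` plus cast dance; a small private helper would keep the two call sites identical and make the intent readable: `private static boolean isBearerOnlyApplication(ClientModel client) {` / `    return (client instanceof ApplicationModel) && ((ApplicationModel) client).isBearerOnly();` / `}`. Placing the check after the client-enabled check and before `verifyRedirectUri` is the right order, since a bearer-only application has no legitimate redirect URI to validate, and a short comment on the new `if` saying so would help the next reader (`// bearer-only apps never drive a browser login, so reject before redirect validation`). The enclosing method starts before the hunk and continues after it.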