[keycloak-user] Restrict access to a client to a subset of Keycloak users

Shane Boulden shane.boulden at gmail.com
Thu Feb 23 01:19:18 EST 2017


Hi everyone,

I'm trying to figure out a fairly straightforward problem set -

   - I have a number of users in a Keycloak database, federated from an
   LDAP provider with a READ_ONLY policy (i.e., I can't "disable" the users)
   - I want to limit access to a client to only certain Keycloak users

I thought this would be possible with a role that is shared by the client
and the user. However, it looks like Keycloak lets the application itself
determine access via a role:
http://lists.jboss.org/pipermail/keycloak-user/2014-November/001205.html

But what if I can't update the application's behaviour? E.g., if I want to
integrate Keycloak with OpenShift, and OpenShift doesn't consume any
information from the OIDC provider?

In this particular example, I don't want to limit the users in the Keycloak
database - I want to sync all users from LDAP, but limit application access
to only a subset.

Any assistance is greatly appreciated.

Shane
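One way to enforce the restriction on the Keycloak side, when the relying party cannot be changed, is a custom authenticator placed in the login flow that denies the login unless the user holds a role on the client being logged into. The code below is an added example written for this thread, not code from the original post or from the Keycloak project. It assumes the Keycloak Authenticator SPI as shipped in Keycloak 3.x and later (in particular `AuthenticationFlowContext.getAuthenticationSession()`), and the provider id `require-client-role`, the config key `requiredRole`, the package name and the class names are all made up for the example.

```java
package example.keycloak; // hypothetical package name

import java.util.Collections;
import java.util.List;
import java.util.Map;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.events.Errors;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

/**
 * Denies the login unless the authenticated user holds the configured role
 * on the client that started the authentication session. Placed as a REQUIRED
 * execution after the username/password step, this moves the access decision
 * into Keycloak so the application itself does not have to evaluate roles.
 * The user record in Keycloak (and in LDAP) is left untouched.
 */
public class RequireClientRoleAuthenticator implements Authenticator {

    static final String ROLE_CONFIG_KEY = "requiredRole"; // hypothetical config key
    static final String DEFAULT_ROLE = "access";          // hypothetical default role name

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        ClientModel client = context.getAuthenticationSession().getClient();
        RoleModel required = client.getRole(requiredRoleName(context.getAuthenticatorConfig()));

        // A client without the role defined is treated as closed, not open:
        // a misconfiguration must fail closed.
        if (user == null || required == null || !user.hasRole(required)) {
            // Emit an audit event so denied logins show up in the Keycloak event log.
            context.getEvent().error(Errors.ACCESS_DENIED);
            context.failure(AuthenticationFlowError.ACCESS_DENIED);
            return;
        }
        context.success();
    }

    /** Reads the role name from the execution config, falling back to the default. */
    static String requiredRoleName(AuthenticatorConfigModel config) {
        if (config == null || config.getConfig() == null) {
            return DEFAULT_ROLE;
        }
        Map<String, String> values = config.getConfig();
        String name = values.get(ROLE_CONFIG_KEY);
        return (name == null || name.trim().isEmpty()) ? DEFAULT_ROLE : name.trim();
    }

    @Override public void action(AuthenticationFlowContext context) { /* no form, nothing to process */ }
    @Override public boolean requiresUser() { return true; } // must run after the user is identified
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}

/** Factory that registers the authenticator under its provider id. */
class RequireClientRoleAuthenticatorFactory implements AuthenticatorFactory {

    static final String PROVIDER_ID = "require-client-role"; // hypothetical provider id
    private static final RequireClientRoleAuthenticator SINGLETON = new RequireClientRoleAuthenticator();

    @Override public Authenticator create(KeycloakSession session) { return SINGLETON; }
    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Require Client Role"; }
    @Override public String getReferenceCategory() { return "authorization"; }
    @Override public boolean isConfigurable() { return true; }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public String getHelpText() {
        return "Denies login unless the user holds the configured role on the requesting client.";
    }
    @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
        return new AuthenticationExecutionModel.Requirement[] {
            AuthenticationExecutionModel.Requirement.REQUIRED,
            AuthenticationExecutionModel.Requirement.DISABLED };
    }
    @Override public List<ProviderConfigProperty> getConfigProperties() {
        return Collections.singletonList(new ProviderConfigProperty(
            RequireClientRoleAuthenticator.ROLE_CONFIG_KEY, "Required client role",
            "Name of the client role a user must have to log in to this client.",
            ProviderConfigProperty.STRING_TYPE, RequireClientRoleAuthenticator.DEFAULT_ROLE));
    }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
}
```

The factory is registered through a `META-INF/services/org.keycloak.authentication.AuthenticatorFactory` file naming the factory class, and the packaged provider is deployed to the Keycloak server. The authenticator is then added as a REQUIRED execution to a copy of the browser flow, after the form that identifies the user, and that flow is bound either realm-wide or, where the server version supports per-client flow overrides, only to the client that needs the restriction. Users who should keep access are granted the client role (directly or through a group); everyone else synced from LDAP stays enabled but is refused at login, and each refusal appears in the realm's event log as an ACCESS_DENIED error.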

