[keycloak-user] Restrict access to a client to a subset of Keycloak users

Marek Posolda mposolda at redhat.com
Thu Feb 23 08:07:04 EST 2017


I can think of some workarounds. Like for example, create an 
Authenticator, which will be added to the bottom of the authentication 
flow. The Authenticator will throw an exception in case an unpermitted 
user is trying to authenticate to the client corresponding to your 
openshift application. You have the user available (he is already 
authenticated) and you have also the client (can be determined based on 
clientId).

Maybe even easier is to do that in custom RequiredActionProvider and do 
this check in "evaluateTriggers".

This is a workaround as it mixes authentication and authorization (among 
other issues). But hopefully it can suit your needs.

Marek

On 23/02/17 07:19, Shane Boulden wrote:
> Hi everyone,
>
> I'm trying to figure out a fairly straight-forward problem set -
>
>     - I have a number of users in a Keycloak database, federated from an
>     LDAP provider with a READ_ONLY policy (i.e. I can't "disable" the users)
>     - I want to limit access to a client to only certain Keycloak users
>
> I thought this would be possible with a role that is shared by the client
> and the user. However, it looks like Keycloak lets the application itself
> determine access via a role:
> http://lists.jboss.org/pipermail/keycloak-user/2014-November/001205.html
>
> But what if I can't update the application's behaviour? E.g. if I want to
> integrate Keycloak with OpenShift, and OpenShift doesn't consume any
> information from the OIDC provider?
>
> In this particular example, I don't want to limit the users in the Keycloak
> database - I want to sync all users from LDAP, but limit application access
> to only a subset.
>
> Any assistance is greatly appreciated.
>
> Shane
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
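The Authenticator variant Marek sketches, written out as an added example (this is not code from the thread or from the Keycloak project). It assumes the current Authenticator SPI, where the client is reached through `context.getAuthenticationSession()` (older releases from the time of this thread used `context.getClientSession()`), and it assumes the `AuthenticationFlowError.ACCESS_DENIED` constant is available; the package name, provider id `client-access-gate` and the client-role name `login-allowed` are all made up for the example. Rather than throwing an exception, it uses `context.failure(...)`, which is the SPI's own way of terminating a flow with an error page and an audit event.

```java
package com.example.keycloak.clientaccess; // hypothetical package name

import java.util.Collections;
import java.util.List;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

/**
 * Factory for a "client access gate" authenticator. The gate is meant to be
 * added as the LAST execution of the browser flow, marked REQUIRED, so that
 * the user is already identified when it runs.
 */
public class ClientAccessAuthenticatorFactory implements AuthenticatorFactory {

    public static final String ID = "client-access-gate";   // assumed provider id
    static final String GATE_ROLE = "login-allowed";        // assumed client-role name

    /** The authenticator itself; stateless, so one instance is shared. */
    public static class Gate implements Authenticator {

        @Override
        public void authenticate(AuthenticationFlowContext context) {
            UserModel user = context.getUser();
            ClientModel client = context.getAuthenticationSession().getClient();
            if (user == null || client == null) {
                // Placed too early in the flow (no user yet) or no client: fail closed.
                context.failure(AuthenticationFlowError.INTERNAL_ERROR);
                return;
            }
            // Convention of this example: a client that defines the gate role is
            // restricted to users holding it; a client without the role stays open.
            RoleModel gate = client.getRole(GATE_ROLE);
            if (gate == null || user.hasRole(gate)) {
                context.success();
                return;
            }
            // Recorded on the LOGIN_ERROR event so the refusal is auditable.
            context.getEvent().detail("reason", "user lacks client role " + GATE_ROLE);
            context.failure(AuthenticationFlowError.ACCESS_DENIED);
        }

        @Override public void action(AuthenticationFlowContext context) { /* no form to handle */ }
        @Override public boolean requiresUser() { return true; }
        @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
        @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
        @Override public void close() { }
    }

    private static final Authenticator INSTANCE = new Gate();

    @Override public Authenticator create(KeycloakSession session) { return INSTANCE; }
    @Override public String getId() { return ID; }
    @Override public String getDisplayType() { return "Client Access Gate"; }
    @Override public String getReferenceCategory() { return null; }
    @Override public boolean isConfigurable() { return false; }
    @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
        // Only REQUIRED makes sense: ALTERNATIVE or DISABLED would silently skip the check.
        return new AuthenticationExecutionModel.Requirement[] {
            AuthenticationExecutionModel.Requirement.REQUIRED };
    }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public String getHelpText() {
        return "Denies login when the client defines the role '" + GATE_ROLE
             + "' and the authenticated user does not hold it.";
    }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
}
```

To deploy it, list the factory's fully qualified class name in `META-INF/services/org.keycloak.authentication.AuthenticatorFactory` inside the provider jar, then copy the browser flow, append this execution as REQUIRED at the bottom, and bind the copy to the OpenShift client. Two points a practitioner should check before relying on it: the gate only runs in flows it has been added to, so a client that also uses the direct-grant flow needs the execution there too; and it blocks new logins only, so a user removed from the role keeps any existing SSO session and refresh tokens until they expire or are revoked. Because the role is granted in Keycloak rather than LDAP, this works with a READ_ONLY federation, which is exactly the constraint in the original question.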



