[keycloak-user] Block login attempt from specific role
Marek Posolda
mposolda at redhat.com
Thu Aug 9 04:46:01 EDT 2018
It's not allowed OOTB. Maybe it is possible with the Script authenticator,
but I'm not 100% sure.
But TBH I wouldn't use an approach like that to reject it even at the login
side, as role mappings are typically not about authentication, but about
authorization. So the more correct approach is to let the authentication
finish and then, once the user is redirected back to the application, let
the error be displayed here (some page with the "Forbidden" message
and a 403 error). The user will then be authenticated, so in case he
accesses R1, he will be authenticated automatically due to the SSO and won't
need to reauthenticate.
Marek
On 09/08/18 10:36, Andreas Kull wrote:
> I have one realm which contains two clients A1, A2 and two roles R1, R2.
>
> R1 can access A1 and A2
> R2 should only be able to access A2
>
> Is there a possible way to disallow the login of R2 in A1 directly on the
> Keycloak login page?
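The approach recommended in the reply (let authentication finish, then have the application answer 403), sketched as an added example that is not part of the original thread or of Keycloak's own code. It assumes the application's OIDC library has already verified the access token's signature, issuer and expiry, that R1 and R2 appear in Keycloak's `realm_access` / `resource_access` token claims, and that the `ALLOWED_ROLES` table and sample users are hypothetical.

```python
# Added example: application-side authorization after Keycloak SSO login.
# Assumption: `claims` is the decoded payload of an access token that the
# application's OIDC library has already verified (signature, issuer, expiry).

# Hypothetical policy from the thread: R1 may use A1 and A2, R2 only A2.
ALLOWED_ROLES = {"A1": {"R1"}, "A2": {"R1", "R2"}}


def token_roles(claims, client_id):
    """Collect realm roles plus the client roles granted for client_id."""
    roles = set((claims.get("realm_access") or {}).get("roles") or [])
    client = (claims.get("resource_access") or {}).get(client_id) or {}
    roles.update(client.get("roles") or [])
    return roles


def authorize(claims, client_id):
    """Return (HTTP status, message) for a request to application client_id."""
    if claims is None:
        # No valid token: an authentication problem, send the user to login.
        return 401, "Unauthorized"
    allowed = ALLOWED_ROLES.get(client_id)
    if allowed is None:
        # Application without a policy entry: fail closed.
        return 403, "Forbidden"
    if token_roles(claims, client_id) & allowed:
        return 200, "OK"
    # Authenticated via SSO, but holding no role that may use this client.
    return 403, "Forbidden"


# Constructed sample token payloads (not taken from a real realm).
R1_USER = {"preferred_username": "alice", "realm_access": {"roles": ["R1"]}}
R2_USER = {"preferred_username": "bob", "realm_access": {"roles": ["R2"]}}
A1_CLIENT_ROLE_USER = {
    "preferred_username": "carol",
    "resource_access": {"A1": {"roles": ["R1"]}},  # role scoped to client A1
}

if __name__ == "__main__":
    for user in (R1_USER, R2_USER, A1_CLIENT_ROLE_USER, None):
        name = user["preferred_username"] if user else "(no token)"
        for app in ("A1", "A2"):
            print(name, app, authorize(user, app))
```

The R2 user still gets a valid SSO session, so the same login carries over to A2 without another password prompt; only A1 answers 403.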