[keycloak-user] allow only specific group of users to be authenticated for a specific client

Jakub Fišer kuba at ufiseru.cz
Thu Nov 1 06:30:12 EDT 2018


Hi,

I'm struggling with understanding of how authorization and permissions work in Keycloak.

Very simply put: in a single realm I have a number of Clients (also called Applications in the
Keycloak's user-facing account console). All Clients use OIDC. I also have a number of Users.

Clients are "dumb", i.e. they only consume the identity from Keycloak and have no authorization
mechanisms available. I want to have control over which subset of users can "use" specific Clients.
I want to authorize Users to use specific Clients (or authorize Clients to authenticate only
specific users) and I want all of this to be performed by Keycloak alone.

Example:

current state: two users ("uA" and "uB"), one Client ("cX"). Both users can see cX in their
respective application lists on their Keycloak account consoles (and the column "Granted
permissions" states "Full access") and both can authenticate (i.e. login) to the Client. The Client
happily accepts both logins as it has no authorization mechanism of its own.

desired state: only user uA can login to cX, user uB cannot login to cX and does not see cX in his
application list, or at least does not have "Full access" in "Granted permissions". If user uB
tries to login to cX, the login fails somehow (graceful refusal would be nice but I'd be happy with
anything at the moment).

The best would be if I could control this through user groups, i.e. only users in group "gX" can
login to Client "cX".

I've been playing with roles, scopes, permissions, custom authentication scripts and I even tried
to superficially reverse engineer the difference between an admin user and a regular user, which is
the only case where I can see a difference in the Application list (i.e. a regular user does not see
and cannot login to the "Security Admin Console" application) but have failed to achieve the
desired state or even approach it.

I know I'm probably thinking about this all wrong so I'd be happy even for a slight push into the
right direction.

thanks,

-jakub.

--
Jakub Fišer
Linux | DevOps | Security
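One way to get the "only group gX may log in to client cX" behaviour the post asks for, as an added example and not code from the post or from the Keycloak project: a Keycloak "Script" authenticator (Nashorn JavaScript, the script-based authenticator Keycloak shipped in 2018) placed as a REQUIRED step after the username/password form. It reads the client being logged in to, collects the user's group names, and fails the flow unless the user is in a group named after the client. The `client-<clientId>` naming convention and the `groupAllowsClient`/`groupNamesOf` helper names are assumptions made for this example; `user`, `authenticationSession`, `LOG`, `script` and the `context` argument are the bindings Keycloak provides to script authenticators.

```javascript
// Added example: Keycloak script authenticator that admits a user to a client
// only when the user belongs to the group "client-<clientId>" (assumed naming
// convention, e.g. group "client-cX" guards client "cX").
// Bindings used: user, authenticationSession, LOG (Keycloak-provided);
// context is passed in by Keycloak when the step runs.

// Pure policy check, kept free of Keycloak objects so it can be tested offline.
function groupAllowsClient(clientId, groupNames) {
  var required = "client-" + clientId;
  for (var i = 0; i < groupNames.length; i++) {
    if (groupNames[i] === required) {
      return true;
    }
  }
  return false;
}

// Collect group names from the Java Set<GroupModel> returned by
// UserModel.getGroups(); the explicit iterator works under Nashorn.
function groupNamesOf(keycloakUser) {
  var names = [];
  var it = keycloakUser.getGroups().iterator();
  while (it.hasNext()) {
    names.push(String(it.next().getName()));
  }
  return names;
}

// Entry point Keycloak calls for this execution in the authentication flow.
function authenticate(context) {
  // Resolved lazily so the file also loads outside Keycloak (no Java.type there).
  var AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
  var clientId = String(authenticationSession.getClient().getClientId());
  var names = groupNamesOf(user);

  if (groupAllowsClient(clientId, names)) {
    context.success();
    return;
  }

  // Log the refusal for the realm's event/log pipeline, then stop the flow.
  // INVALID_USER is the error the Keycloak docs' own script example uses;
  // the user sees a generic login failure rather than an access token.
  LOG.warn("script authenticator: user " + user.username +
           " is not in group client-" + clientId + ", refusing client " + clientId);
  context.failure(AuthenticationFlowError.INVALID_USER);
}
```

To use it, copy the realm's Browser flow, add an execution of type "Script" after the Username Password Form, set it to REQUIRED, paste the script into its configuration, and bind the copied flow either as the realm's browser flow or, where the Keycloak version offers per-client authentication flow overrides, only on client cX. Creating the group `client-cX` and adding uA to it then yields the desired state: uA logs in, uB is refused before any token is issued. Group membership is checked per client ID, so one script serves every client that gets a matching group.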


