[keycloak-user] OIDC / SAML client access restriction
Chris Boot
lists at bootc.boo.tc
Mon Sep 23 15:39:06 EDT 2019
On 20/09/2019 11:32, Steeve C wrote:
> Hi,
>
> I'm looking for a way to restrict user access to a given OIDC (and / or
> SAML) client for a given realm. I've tried to configure it using OIDC
> "Authorization" feature by modifying the "Default policy" JS code to:
>
> ```
> $evaluation.deny();
> ```
> But without success, users are still able to connect to the client.
> I've also tried to create a client role, but even if the user doesn't have
> this role he can log in to the application.
>
> Can you confirm that it is possible to restrict user login access to
> given user(s) / group(s) at the IdP level (keycloak) without modifying the
> client (like without checking which role the user has)?
>
> If it's possible, then could you explain which process I should use?
> (it's not very clear to me at the moment).
This is something I fought with a short while ago, and came up with this:
https://lists.jboss.org/pipermail/keycloak-user/2019-August/018967.html
--
Chris Boot
bootc at boo.tc
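The question above asks why neither an Authorization Services "Default policy" nor an unassigned client role stops a user from logging in. The policy is evaluated when a resource server asks Keycloak for permissions, not during authentication, and a client role on its own is only a mapping that nothing enforces at login. What does enforce it is an authenticator step in the client's browser flow. The block below is an added example, not code from the thread or from Keycloak: it models the decision logic of such a script authenticator (deny unless the user holds a client role named `access` on the client being logged into, directly or through a group). The `context`, `user` and `client` shapes, the role name `access`, and the realm data are assumptions constructed so the block runs offline; in a real script authenticator only the `authenticate` function body would be deployed.

```javascript
// Added example (not from the thread): decision logic of a script-style
// authenticator that restricts login to users holding a client role.
// Shapes of context/user/client and the role name are assumptions
// modelled loosely on Keycloak's script-authenticator bindings.

const REQUIRED_ROLE = "access"; // assumed per-client role name (opt-in)

// Constructed realm data: clients define roles; users hold roles directly
// or through group membership. app3 defines no "access" role at all.
const REALM = {
  clients: { app1: ["access"], app2: ["access"] },
  groups: { "app1-users": { app1: ["access"] } },
  users: {
    alice: { roles: { app1: ["access"] }, groups: [] },   // direct mapping
    bob:   { roles: {}, groups: ["app1-users"] },         // mapping via group
    carol: { roles: {}, groups: [] },                     // no mapping
  },
};

function makeClient(clientId) {
  const roles = REALM.clients[clientId] || [];
  return {
    getClientId: () => clientId,
    // Returns a role handle, or null when the client defines no such role.
    getRole: (name) => (roles.includes(name) ? { clientId, name } : null),
  };
}

function makeUser(username) {
  const u = REALM.users[username] || { roles: {}, groups: [] };
  const holds = (mappings, role) =>
    (mappings[role.clientId] || []).includes(role.name);
  return {
    getUsername: () => username,
    // Effective role check: direct mapping or any group's mapping.
    hasRole: (role) =>
      holds(u.roles, role) ||
      u.groups.some((g) => holds(REALM.groups[g] || {}, role)),
  };
}

// Mock of the authenticator context; records the outcome of the step.
function makeContext(username, clientId) {
  const ctx = {
    outcome: null,
    getUser: () => makeUser(username),
    getAuthenticationSession: () => ({ getClient: () => makeClient(clientId) }),
    success: () => { ctx.outcome = "allowed"; },
    failure: (reason) => { ctx.outcome = "denied:" + reason; },
  };
  return ctx;
}

// The authenticator body: the only part that would live in Keycloak.
// Restriction is opt-in per client: a client that defines no "access"
// role stays open; one that defines it admits only holders of the role.
function authenticate(context) {
  const user = context.getUser();
  const client = context.getAuthenticationSession().getClient();
  const role = client.getRole(REQUIRED_ROLE);
  if (role === null) {
    context.success();
  } else if (!user.hasRole(role)) {
    context.failure("ACCESS_DENIED");
  } else {
    context.success();
  }
  return context.outcome;
}

// Runs one login attempt against the constructed realm and returns the decision.
function decide(username, clientId) {
  return authenticate(makeContext(username, clientId));
}

console.log(decide("alice", "app1"), decide("bob", "app1"),
            decide("carol", "app1"), decide("carol", "app3"));
```

The check belongs in the flow bound to the client (a copy of the browser flow with this step marked REQUIRED), so it runs for every login through that client regardless of how the application consumes the token. Note that in recent Keycloak releases the script-based authenticator is a preview feature that has to be enabled explicitly; the same decision can be expressed with a built-in condition and a deny step in newer versions.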