Hello Shane,
you could try to do that with the JavaScript-based Authenticator.
Cheers,
Thomas
2017-02-23 14:07 GMT+01:00 Marek Posolda <mposolda(a)redhat.com>:
I can think of some workarounds. Like for example, create an
Authenticator, which will be added to the bottom of the authentication
flow. The Authenticator will throw an exception in case an unpermitted
user is trying to authenticate to the client corresponding to your
openshift application. You have the user available (he is already
authenticated) and you have also the client (can be determined based on
clientId).
Maybe even easier is to do that in a custom RequiredActionProvider and do
this check in "evaluateTriggers".
This is a workaround as it mixes authentication and authorization (among
other issues). But hopefully it can suit your needs.
Marek
On 23/02/17 07:19, Shane Boulden wrote:
> Hi everyone,
>
> I'm trying to figure out a fairly straight-forward problem set -
>
> - I have a number of users in a Keycloak database, federated from an
> LDAP provider with a READ_ONLY policy (ie; I can't "disable" the users)
> - I want to limit access to a client to only certain Keycloak users
>
> I thought this would be possible with a role that is shared by the client
> and the user. However, it looks like Keycloak lets the application itself
> determine access via a role:
> http://lists.jboss.org/pipermail/keycloak-user/2014-November/001205.html
>
> But what if I can't update the application's behaviour? Eg; if I want to
> integrate Keycloak with OpenShift, and OpenShift doesn't consume any
> information from the OIDC provider?
>
> In this particular example, I don't want to limit the users in the Keycloak
> database - I want to sync all users from LDAP, but limit application access
> to only a subset.
>
> Any assistance is greatly appreciated.
>
> Shane
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
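
One way to write the check suggested in the replies above as a script authenticator placed at the bottom of the flow. This is an added example, not code from the thread or from the Keycloak project. The client id `openshift`, the client role `app-access`, and reaching the client through `context.getAuthenticationSession()` (which depends on the Keycloak version) are assumptions; `mockContext` is a constructed stand-in so the logic can be exercised outside Keycloak.

```javascript
// Hypothetical names chosen for illustration.
var GUARDED_CLIENT_ID = "openshift";
var REQUIRED_ROLE = "app-access";

// Inside Keycloak (Nashorn) Java.type resolves the real enum; elsewhere a
// constructed stand-in lets the logic run against mocks.
var AuthenticationFlowError = (typeof Java !== "undefined")
    ? Java.type("org.keycloak.authentication.AuthenticationFlowError")
    : { INVALID_USER: "INVALID_USER" };

// Decision only: true lets the login continue, false rejects it.
function isPermitted(user, client) {
    if (user == null || client == null) return false;       // fail closed
    if (String(client.getClientId()) !== GUARDED_CLIENT_ID) return true;
    var role = client.getRole(REQUIRED_ROLE);
    if (role == null) return false;   // role missing on client: deny, not allow
    return user.hasRole(role) === true;
}

// Entry point Keycloak calls for a script authenticator.
function authenticate(context) {
    var client = context.getAuthenticationSession().getClient();
    if (!isPermitted(context.getUser(), client)) {
        context.failure(AuthenticationFlowError.INVALID_USER);
        return;
    }
    context.success();
}

// Constructed stand-ins for Keycloak's context, user and client (testing only).
function mockContext(clientId, clientRoles, userRoles) {
    var ctx = { outcome: null };
    var client = {
        getClientId: function () { return clientId; },
        getRole: function (n) { return clientRoles.indexOf(n) >= 0 ? n : null; }
    };
    var user = { hasRole: function (r) { return userRoles.indexOf(r) >= 0; } };
    ctx.getUser = function () { return user; };
    ctx.getAuthenticationSession = function () {
        return { getClient: function () { return client; } };
    };
    ctx.success = function () { ctx.outcome = "success"; };
    ctx.failure = function (e) { ctx.outcome = "failure:" + e; };
    return ctx;
}
```

Because the role lives on the client, LDAP-federated users stay READ_ONLY; access is granted by mapping the client role to users or groups in Keycloak.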