Dear all,
we're struggling a bit with understanding how Keycloak's Client Authorization
works and setting up a Client Authorization.
What we would like to achieve for now is to be able to let only certain users
with Keycloak accounts to access certain clients.
Let's say we have a client called `files.example.org`, a simple, read-only
file hosting. And that we have 2 users in our Keycloak, `eligible(a)example.org`
and `not.eligible(a)example.org`.
We would like to configure Keycloak to *deny* the latter user
(`not.eligible(a)example.org`) access to *any and all* resources on
`files.example.org`. This preferably would happen based on client roles, if
possible.
The `files.example.org` resource server uses a Lua-based OAuth2 proxy to
authenticate requests against Keycloak. So, the question is: is it possible to
tell Keycloak *not* to let `not.eligible(a)example.org` log-in to
`files.example.org` *at all*? As in, "this user does not have access to this
client"? Or, better yet, "users with/without certain client roles do not have
access to these clients"?
Or will we have to make the Lua-based proxy in front of it check claims in
tokens received from Keycloak?
We appreciate your help!
--
Pozdravi,
rashiq
Show replies by date