Dear all,
We're struggling a bit with understanding how Keycloak's Client Authorization
works and setting up a Client Authorization.
What we would like to achieve for now is to be able to allow only certain users
with Keycloak accounts to access certain clients.
Let's say we have a client called `files.example.org`, a simple, read-only
file hosting. And that we have 2 users in our Keycloak, `eligible@example.org`
and `not.eligible@example.org`.
We would like to configure Keycloak to *deny* the latter user
(`not.eligible@example.org`) access to *any and all* resources on
`files.example.org`. This preferably would happen based on client roles, if
possible.
The `files.example.org` resource server uses a Lua-based OAuth2 proxy to
authenticate requests against Keycloak. So, the question is: is it possible to
tell Keycloak *not* to let `not.eligible@example.org` log in to
`files.example.org` *at all*? As in, "this user does not have access to this
client"? Or, better yet, "users with/without certain client roles do not have
access to these clients"?
Or will we have to make the Lua-based proxy in front of it check claims in
tokens received from Keycloak?
We appreciate your help!
--
Regards,
rashiq