Hi all,
I'm trying to restrict which OIDC clients users can log in to based on
roles or group membership. I can't believe this isn't something
built into Keycloak yet, but it seems that way.
I had previously experimented with per-client Authorization settings,
applying policies to Resources. I could have sworn this worked at some
point, but it doesn't now. AIUI it seems to require the use of the
Keycloak Gatekeeper or other Keycloak-specific code, so it's not going
to work for most of my applications.
As far as I can tell, the only way to make this work is using a custom
authentication flow:
https://stackoverflow.com/a/54384513/9531301
Is this indeed the only way to make this work?
Is there a way of stopping such clients from being shown on the Account
Management => Applications screen without globally removing the
offline_access role for all users?
Thanks,
Chris
--
Chris Boot
bootc(a)boo.tc