Look at the "scope" tab for the particular client in the admin console. You need to uncheck "Full scope allowed" and then select the requested scopes. The resulting roles in the token are the intersection of the user's roles and the client's scoped roles.

Marek

On 13/09/16 08:48, Andy Yar wrote:
Hello,
I'm wondering, is there a way to restrict certain clients in a realm for a given user?

Of course, I can map roles to the user and check them in each application. However, it seems like it might be easier to perform directly on the Keycloak side.

What is the correct way to achieve that?

Thanks in advance.


_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
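
A simplified model of the rule stated in the reply above, added here as an illustration (it is not code from the thread or from Keycloak): with "Full scope allowed" on, a token carries all of the user's roles; with it off, only the intersection with the client's scoped roles. The class, function, client and role names are hypothetical, only realm roles are modelled, and composite roles are ignored.

```python
from dataclasses import dataclass, field


@dataclass
class Client:
    """Hypothetical stand-in for a client's scope settings in the admin console."""
    client_id: str
    full_scope_allowed: bool = True          # the "Full scope allowed" switch
    scoped_roles: set = field(default_factory=set)


def token_roles(user_roles, client):
    """Roles that end up in a token issued to `client` for this user."""
    user_roles = set(user_roles)
    if client.full_scope_allowed:
        return user_roles                    # every role the user holds
    return user_roles & client.scoped_roles  # intersection, as described above


def build_claims(user_roles, client):
    """Minimal access-token payload; realm roles live under realm_access.roles."""
    return {
        "azp": client.client_id,
        "realm_access": {"roles": sorted(token_roles(user_roles, client))},
    }


def is_allowed(claims, required_role):
    """Application-side check: deny unless the token carries the required role."""
    return required_role in claims.get("realm_access", {}).get("roles", [])


# Constructed sample data: two users and two clients in one realm.
ALICE = {"hr-user", "billing-user"}
BOB = {"hr-user"}
BILLING = Client("billing-app", full_scope_allowed=False, scoped_roles={"billing-user"})
LEGACY = Client("legacy-app")                # full scope left at its default

if __name__ == "__main__":
    for name, roles in (("alice", ALICE), ("bob", BOB)):
        for client in (BILLING, LEGACY):
            claims = build_claims(roles, client)
            print(name, client.client_id, claims["realm_access"]["roles"],
                  "billing access:", is_allowed(claims, "billing-user"))
```

The application still has to check the role in the token; the scope setting only decides which roles a given client's tokens can contain.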