Thanks! That's exactly what I was looking for.
Steeve
On Mon, 23 Sep 2019 at 21:39, Chris Boot <lists(a)bootc.boo.tc> wrote:
On 20/09/2019 11:32, Steeve C wrote:
> Hi,
>
> I'm looking for a way to restrict user access to a given OIDC (and / or
> SAML) client for a given realm. I've tried to configure it using OIDC
> "Authorization" feature by modifying the "Default policy" JS code to:
>
> ```
> $evaluation.deny();
> ```
> But without success, users are still able to connect to the client.
> I've also tried to create a client role, but even if the user doesn't have
> this role he can login to the application.
>
> Can you confirm that it is possible to restrict user login access to
> given user(s) / group(s) at the IdP level (keycloak) without modifying the
> client (like without checking which role the user has)?
>
> If it's possible, then could you explain to me which process I should use?
> (it's not very clear to me at the moment).
This is something I fought with a short while ago, and came up with this:
https://lists.jboss.org/pipermail/keycloak-user/2019-August/018967.html
--
Chris Boot
bootc(a)boo.tc