I am trying to configure an authentication flow that restricts login to a particular group,
but initially, when I overrode the public client authentication flow, we got this error,
which indicates the user object was null. Initially the script did a user.hasRole, but now
does isMember. I only had the script as part of the new flow.
09:51:07,319 ERROR
[org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator] (default
task-15316) org.keycloak.scripting.ScriptExecutionException: Could not execute script
'restrict-public-db-admin' problem was: TypeError: null has no such function
"hasRole" in <eval> at line number 31
I then added in these flows which now authenticate me, but the script doesn't even
execute now and always gives me a token.
Cookie - Alternative
Identity Provider Redirector - Alternative
Username Password Form - Required
Script - Required
I set up the following:
New role: db-admin. No users have been assigned to this role
New group: db-admin. Assigned db-admin role
I am a member of the group db-admin
New authentication flow: restricted-public
Script: restrict-public-db-admin, which only passes authentication when the user is a member of
the group db-admin
New public client: restricted-public. Authentication Flow Overrides set to
restricted-public authentication flow
We have confirmed that -Dkeycloak.profile.feature.scripts is enabled, as per
https://www.keycloak.org/docs/7.0/server_admin/#executions
We followed this example
https://stackoverflow.com/a/54384513
Are we implementing/using the authorisation flow override incorrectly? How do I restrict a
client to users in a group only?
Thanks
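An added example, not the poster's script and not Keycloak's own code: a group-restriction authenticator written in the shape Keycloak's ScriptBasedAuthenticator expects (a top-level `authenticate(context)` function reading the injected `user`, `realm` and `LOG` bindings), with a null check so that running before the user is identified produces a deliberate failure instead of the `null has no such function` TypeError quoted above. Everything marked as a shim is constructed so the logic runs offline under Node; the method names `isMemberOf`, `getGroups`, `getName` and the `AuthenticationFlowError` values are assumed to match the Keycloak model API, and `REQUIRED_GROUP` is the group name from the question.

```javascript
// Added example, not the poster's script or Keycloak's own code.
// Keycloak binds user, realm, session, LOG and script into the script's scope and
// then calls authenticate(context). Everything below marked "shim" is a constructed
// stand-in for those bindings so the logic can be exercised offline under Node.
const REQUIRED_GROUP = "db-admin"; // group name from the question

// Shim for Java.type("org.keycloak.authentication.AuthenticationFlowError") (assumed values)
const AuthenticationFlowError = { INVALID_USER: "INVALID_USER", ACCESS_DENIED: "ACCESS_DENIED" };

// Shim for the LOG binding
const LOG = {
  info: (m) => console.log("[INFO] " + m),
  warn: (m) => console.log("[WARN] " + m),
};

// Shims for GroupModel / UserModel / RealmModel, mirroring the method names the
// question uses (isMemberOf, hasRole) plus getName/getGroups (assumed API)
function makeGroup(name) {
  return { getName: () => name };
}
function makeUser(username, groups) {
  return {
    getUsername: () => username,
    isMemberOf: (g) => groups.some((mine) => mine.getName() === g.getName()),
    hasRole: () => false, // the question's db-admin role has no direct members
  };
}
function makeRealm(groups) {
  return { getGroups: () => groups };
}

// Module-level bindings standing in for what Keycloak injects; `user` is null until an
// earlier execution (the Username Password Form) has identified someone.
let user = null;
const realm = makeRealm([makeGroup("db-admin"), makeGroup("users")]);

// The authenticator body, in the shape Keycloak expects
function authenticate(context) {
  // Defensive null check: if the Script execution runs before the form, `user` is unbound.
  // Failing the flow explicitly is a controlled deny; a thrown TypeError is a server error.
  if (user === null || user === undefined) {
    LOG.warn("restrict-public-db-admin: no user bound; order this execution after the form");
    context.failure(AuthenticationFlowError.INVALID_USER);
    return;
  }
  const group = realm.getGroups().find((g) => g.getName() === REQUIRED_GROUP) || null;
  if (group === null) {
    // Fail closed on a misconfigured realm rather than letting everyone through
    LOG.warn("restrict-public-db-admin: group not found: " + REQUIRED_GROUP);
    context.failure(AuthenticationFlowError.ACCESS_DENIED);
    return;
  }
  if (!user.isMemberOf(group)) {
    LOG.info("denied " + user.getUsername() + ": not a member of " + REQUIRED_GROUP);
    context.failure(AuthenticationFlowError.ACCESS_DENIED);
    return;
  }
  LOG.info("allowed " + user.getUsername());
  context.success();
}

// Constructed driver: binds `user` the way a preceding execution would, runs the script
// with a recording context, and returns the outcome so each case can be checked.
function runScript(boundUser) {
  user = boundUser;
  const outcome = { status: null, error: null };
  authenticate({
    success: () => { outcome.status = "success"; },
    failure: (err) => { outcome.status = "failure"; outcome.error = err; },
  });
  return outcome;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runScript(null));                                        // script ran before the form
  console.log(runScript(makeUser("alice", [makeGroup("db-admin")])));  // member of db-admin
  console.log(runScript(makeUser("bob", [makeGroup("users")])));       // not a member
}
```

The three driver calls correspond to the situations in the question: no user bound yet (the original TypeError), a user in the db-admin group, and a user outside it. Note that the script can only deny someone it actually runs for; if an earlier execution in the same flow completes the authentication on its own, the script never sees that login, which is worth checking in the server log (the `LOG` lines above make that visible) before trusting the restriction.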