On 20/09/2019 11:32, Steeve C wrote:
> Hi,
> I'm looking for a way to restrict user access to a given OIDC (and / or
> SAML) client for a given realm. I've tried to configure it using the OIDC
> "Authorization" feature by modifying the "Default policy" JS code
> to:
> ```
> $evaluation.deny();
> ```
> But without success: users are still able to connect to the client.
> I've also tried to create a client role, but even if the user doesn't have
> this role he can log in to the application.
> Can you confirm that it is possible to restrict user login access to
> given user(s) / group(s) at the IdP level (Keycloak) without modifying the
> client (that is, without checking which roles the user has)?
> If it's possible, could you explain which process I should use?
> (It's not very clear to me at the moment.)
This is something I fought with a short while ago, and came up with this:
https://lists.jboss.org/pipermail/keycloak-user/2019-August/018967.html
--
Chris Boot
bootc(a)boo.tc