Hello Prashant,
Your case seems very similar to this one (please read the whole thread):
http://lists.jboss.org/pipermail/keycloak-user/2018-November/016092.html
In your case, however, there is no literal correspondence between client names and group
names, so you can't infer one from another. But you can make use of group attributes
and place the name(s) of allowed clients there. The rest of the implementation remains
roughly the same.
If you don't want to use a script authenticator (this has limitations), you can simply
map groups to roles in your JWT tokens and then configure client adapters to restrict
access to the given role only.
Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
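As an added illustration (not from this thread and not Keycloak's own code), a script authenticator along the lines Dmitry describes: each group carries an attribute naming the clients its members may use, and the login is refused when the requested client is not listed for any of the user's groups. The attribute name `allowed_clients` and the Nashorn bindings `user`, `authenticationSession`, `LOG` and `Java.type` are assumptions based on the Keycloak script authenticator API; `isClientAllowed` is a pure helper that also runs outside Keycloak.

```javascript
// Assumed group attribute name (not taken from the thread): "allowed_clients"
var ALLOWED_CLIENTS_ATTR = "allowed_clients";

// Pure check: does any of the user's groups list this client id?
// groupsAttrValues: one array of attribute values per group, e.g.
// [["client-dev-api"], ["client-prod-api, client-staging-api"]]
function isClientAllowed(clientId, groupsAttrValues) {
  for (var i = 0; i < groupsAttrValues.length; i++) {
    var values = groupsAttrValues[i] || [];
    for (var j = 0; j < values.length; j++) {
      // one attribute value may hold a comma-separated list of client ids
      var parts = String(values[j]).split(",");
      for (var k = 0; k < parts.length; k++) {
        if (parts[k].trim() === clientId) return true;
      }
    }
  }
  return false;
}

// Convert a Java collection (under Nashorn) or a JS array to a JS array.
function toArray(x) {
  if (typeof Java !== "undefined" && x && typeof x.toArray === "function") {
    return Java.from(x.toArray());
  }
  return Array.isArray(x) ? x : [];
}

// Keycloak entry point; user, authenticationSession and LOG are bindings
// Keycloak provides to script authenticators (assumed API, see lead-in).
function authenticate(context) {
  var AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
  var clientId = authenticationSession.getClient().getClientId();
  var groups = toArray(user.getGroups());
  var attrs = [];
  for (var i = 0; i < groups.length; i++) {
    attrs.push(toArray(groups[i].getAttribute(ALLOWED_CLIENTS_ATTR)));
  }
  if (!isClientAllowed(clientId, attrs)) {
    LOG.info("user " + user.username + " is not allowed to use client " + clientId);
    context.failure(AuthenticationFlowError.INVALID_USER);
    return;
  }
  context.success();
}
```

The script has to be placed as a step in the client's browser flow for the check to run; users outside the listed groups then never receive a token for that client.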
On Thu, 2018-11-08 at 09:04 +0000, Prashant Bapat wrote:
Hi,
In our Keycloak setup (ver 4.4.0) we have a master realm configured to authenticate users
in a Windows AD. We heavily use SAML and OIDC and both work great.
Is there a way to restrict access to an OIDC client based on a group membership? I've
been reading up the docs and trying to get this working without success.
For example, let's say we have 2 clients:
client-dev-api
client-prod-api
Can I configure Keycloak to issue a JWT token for client-dev-api to members of AD group
"Developers" and client-prod-api to members of AD group "Production"?
Any guidance on getting this to work would be appreciated.
Thanks.
--Prashant