Hi,
in Keycloak, I have defined an Active Directory for 'user federation'.
I have also defined a client application (OpenID Connect). By default, all
users (in the AD) can log in to the client.
Now I want to restrict it so that only certain users (e.g. by AD group, by AD
attribute value) can log in to the client (I have tried the 'authorization'
feature, but it seems to still allow non-valid users to log in to the client
[a JWT token is issued]).
I searched and found this post:
https://stackoverflow.com/questions/54305880/how-can-i-restrict-client-ac...
which mentions 2 methods:
- by coding a custom AD authenticator.
- by 'authorization' (failed for me... the user is still able to log in and a
JWT token is issued)
Can you please share your way to achieve this?
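The first method the post mentions, a custom authenticator placed after the username/password step, as an added example that is not part of the original post or of Keycloak's own code. It assumes the Keycloak Authenticator SPI (`org.keycloak.authentication.Authenticator`); the package name, the client ID `my-app` and the group names are constructed placeholders.

```java
package example.keycloak; // hypothetical package, not from the post

import java.util.Set;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * Added after the Username/Password form in a copy of the browser flow
 * (requiresUser() == true), so context.getUser() is the user whose AD
 * credentials were just verified. The flow fails with ACCESS_DENIED, and
 * no token is issued, unless that user belongs to an allowed group.
 */
public class GroupRestrictionAuthenticator implements Authenticator {

    // Constructed placeholders: the protected client and the AD groups
    // (synced into Keycloak by the LDAP group mapper) that may use it.
    private static final String RESTRICTED_CLIENT_ID = "my-app";
    private static final Set<String> ALLOWED_GROUPS = Set.of("app-users", "app-admins");

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        String clientId = context.getAuthenticationSession().getClient().getClientId();
        if (!RESTRICTED_CLIENT_ID.equals(clientId)) {
            context.success(); // other clients keep the default behaviour
            return;
        }
        UserModel user = context.getUser();
        boolean allowed = user != null
            && user.getGroupsStream().anyMatch(g -> ALLOWED_GROUPS.contains(g.getName()));
        if (allowed) {
            context.success();
        } else {
            context.failure(AuthenticationFlowError.ACCESS_DENIED);
        }
    }

    @Override
    public void action(AuthenticationFlowContext context) { } // no form to process

    @Override
    public boolean requiresUser() { return true; }

    @Override
    public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }

    @Override
    public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }

    @Override
    public void close() { }
}
```

The class still needs a matching `AuthenticatorFactory` registered in `META-INF/services/org.keycloak.authentication.AuthenticatorFactory`, and the new execution must be set to REQUIRED in the flow bound to the client; check that the group names match what the LDAP group mapper imports before relying on it.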