[keycloak-dev] limiting users to access specific clients only
sabir
sss2174 at columbia.edu
Tue Dec 1 01:47:47 EST 2015
I am building Keycloak prototype apps that demonstrate authentication
against a deployed Keycloak server. I have 2 JS client apps under the same
web server with 2 different Keycloak client JSON.
I have:
- Created realm -> poc-realm
- Created clients for poc apps to authenticate against -> app1 and app2
- Created roles in
    app1 -> app1-user-role
    app2 -> app2-user-role
- Created users -> app1-user and app2-user
- Assigned roles -> app1-user-role to app1-user, app2-user-role to app2-user
When I try to get redirected to the Keycloak login for app1, I am able to
log in with app1-user and app2-user, and similarly I am able to log into app2
with app1-user and app2-user.
Am I missing something? How do I ensure that app1-user isn't able to log
into app2, and app2-user into app1?
Although note that I have the same URL patterns for *Valid Redirect URIs* of
both clients.
My JSON keycloak clients are correct:
{
  "realm": "poc-realm",
  "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAryTAZE2+d/7uKduayhQlInhnD43jdPyBttVbERLXO7wN9juXIuO5SR5P75aIcy1Fpf5VTrL2Neb4iLeEGgTUHM7b0ycjNgK40CXcwhneSn0EIogDLqXfJ87efwH2UYG//3cWZsB9PjX440Yq4uh/pBs5aTw7hHhvlaF/LRTBibhpcy7N/cKPp2PRkhQbWX79EfIsFLg8IKDryazYkdsVoaVI20aeOyb9mfXSU+h7ZUZIKhY4hhtSK004ToD73HQvJ5U61Zv7UAEtKHOD928SO0/VijFkGCh7fHtOA4kNJhV6D7RehThz/llDE3rfs4wkO24L0j/hAss30OSQNnAD1QIDAQAB",
  "auth-server-url": "[server URL]/auth",
  "ssl-required": "external",
  "resource": "app1",
  "credentials": {
    "secret": "e119ccf7-5c5a-4681-b4fa-fcca1b3de3b3"
  },
  "use-resource-role-mappings": true
}
and
{
  "realm": "poc-realm",
  "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAryTAZE2+d/7uKduayhQlInhnD43jdPyBttVbERLXO7wN9juXIuO5SR5P75aIcy1Fpf5VTrL2Neb4iLeEGgTUHM7b0ycjNgK40CXcwhneSn0EIogDLqXfJ87efwH2UYG//3cWZsB9PjX440Yq4uh/pBs5aTw7hHhvlaF/LRTBibhpcy7N/cKPp2PRkhQbWX79EfIsFLg8IKDryazYkdsVoaVI20aeOyb9mfXSU+h7ZUZIKhY4hhtSK004ToD73HQvJ5U61Zv7UAEtKHOD928SO0/VijFkGCh7fHtOA4kNJhV6D7RehThz/llDE3rfs4wkO24L0j/hAss30OSQNnAD1QIDAQAB",
  "auth-server-url": "[server URL]/auth",
  "ssl-required": "external",
  "resource": "app2",
  "credentials": {
    "secret": "e119ccf7-5c5a-4681-b4fa-fcca1b3de3b3"
  },
  "use-resource-role-mappings": true
}
Thanks for help.
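
An added example, not part of the original post and not Keycloak's own code: login in Keycloak is realm-wide, so both users authenticate for either client, and the client roles assigned above arrive in the access token's `resource_access` claim, where each app can refuse users who lack its role. The tokens are constructed and unsigned, and `sampleToken`, `decodePayload` and `authorize` are hypothetical names for this sketch.

```javascript
// Added example. Tokens here are constructed and unsigned; a real deployment
// must verify signature, issuer and expiry server-side before trusting claims.
const REQUIRED_ROLE = { app1: 'app1-user-role', app2: 'app2-user-role' }; // from the post

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Build a constructed sample token shaped like a Keycloak access token.
function sampleToken(username, resourceAccess) {
  const payload = { preferred_username: username };
  if (resourceAccess) payload.resource_access = resourceAccess;
  return [b64url({ alg: 'RS256', typ: 'JWT' }), b64url(payload), 'constructed'].join('.');
}

// Decode the payload segment of a JWT (no signature check in this sketch).
function decodePayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const payload = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  if (!payload || typeof payload !== 'object') throw new Error('bad payload');
  return payload;
}

// Allow access only when the token carries this client's required role.
function authorize(jwt, clientId) {
  if (!Object.prototype.hasOwnProperty.call(REQUIRED_ROLE, clientId)) {
    return { allowed: false, reason: 'unknown client' };
  }
  const required = REQUIRED_ROLE[clientId];
  let payload;
  try {
    payload = decodePayload(jwt);
  } catch (err) {
    return { allowed: false, reason: 'malformed token' };
  }
  const entry = (payload.resource_access || {})[clientId];
  const roles = entry && Array.isArray(entry.roles) ? entry.roles : [];
  return roles.includes(required)
    ? { allowed: true, reason: 'ok' }
    : { allowed: false, reason: `missing ${clientId} role ${required}` };
}

const app1User = sampleToken('app1-user', { app1: { roles: ['app1-user-role'] } });
const app2User = sampleToken('app2-user', { app2: { roles: ['app2-user-role'] } });
for (const [name, tok] of [['app1-user', app1User], ['app2-user', app2User]]) {
  for (const c of ['app1', 'app2']) console.log(name, '->', c, authorize(tok, c));
}
```

A check like this in browser code only controls what the UI shows; the backend that serves each app's data has to make the same decision on a verified token.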