[keycloak-user] Restrict access from web app client

[Pablo Fernandez]

Dear Keycloakers,

I am (almost) new to Keycloak and having trouble, and I thought I should
ask you after exhausting other options, so here I am.

What I would like to find is a way to confine certain web apps (with a
registered client in Keycloak) from accessing any other client that is
not supposed to. Specifically, I have an oidc client named 'keystone'
that handles all OpenStack authentication and another oidc client
'simplewebapp' that is a webapp that I want to give access to 'keystone'
while NOT giving access to any of the other clients (e.g. account,
admin-cli, broker, etc.)

Is there a way to do this?

I thought about Scopes, but I see they are basically linked to Roles
that I think have nothing to do with what I am doing (I tried, though
creating new roles but it seems to me they don't prevent anything from
happening). If I have to use Scopes, then how? Is there a Role that I
can use to deny - or exclusively grant - access to another client? I
also tried changing the Default Policy in 'keystone' Authorization tab
to something like this (the opposite of what I wanted to do, to make it
fail and see if I can use this mechanism), without success:

---
// by default, grants any permission associated with this policy
//$evaluation.grant();
var context = $evaluation.getContext();
var contextAttributes = context.getAttributes();
if (contextAttributes.containsValue('kc.client.id', 'simplewebapp')) {
    $evaluation.deny();
}
$evaluation.grant();
---

I googled and browsed and tried many different setting combinations
without success, so I hope someone here could give me a hint.

Thanks!
Pablo Fernandez