[keycloak-user] Granting client access to just certain users

Rashiq rysiek at occrp.org
Wed May 3 11:11:17 EDT 2017


Dear all,

we're struggling a bit with understanding how Keycloak's Client Authorization 
works and setting up a Client Authorization.

What we would like to achieve for now is to be able to let only certain users 
with Keycloak accounts access certain clients.

Let's say we have a client called `files.example.org`, a simple, read-only 
file hosting. And that we have 2 users in our Keycloak, `eligible@example.org` 
and `not.eligible@example.org`.

We would like to configure Keycloak to *deny* the latter user 
(`not.eligible@example.org`) access to *any and all* resources on 
`files.example.org`. This preferably would happen based on client roles, if 
possible.

The `files.example.org` resource server uses a Lua-based OAuth2 proxy to 
authenticate requests against Keycloak. So, the question is: is it possible to 
tell Keycloak *not* to let `not.eligible@example.org` log in to 
`files.example.org` *at all*? As in, "this user does not have access to this 
client"? Or, better yet, "users with/without certain client roles do not have 
access to these clients"?

Or will we have to make the Lua-based proxy in front of it check claims in 
tokens received from Keycloak?

We appreciate your help!

-- 
Regards,
rashiq
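For the second option the post raises (the proxy checking claims in the token Keycloak issued), here is an added example that is not from the post or from Keycloak: a deny-by-default check on the verified access-token claims that refuses `not.eligible@example.org` because it holds no client role on `files.example.org`. The role name `files-access`, the sample tokens and the clock value are constructed; the OAuth2 proxy is assumed to have verified the token signature before this check runs.

```python
import base64
import json
import time

CLIENT_ID = "files.example.org"
REQUIRED_ROLE = "files-access"   # hypothetical client role that grants access

def decode_jwt_payload(token):
    """Return the claims of a compact JWT (header.payload.signature).
    The OAuth2 proxy is assumed to have verified the signature against
    Keycloak's realm key already; this only parses the payload segment."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def authorize(claims, client_id=CLIENT_ID, role=REQUIRED_ROLE, now=None):
    """Deny-by-default decision on verified claims: returns (allowed, reason)."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud   # Keycloak emits a string or a list
    if client_id not in aud:
        return False, "token not issued for this client"
    roles = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    if role not in roles:
        return False, f"user lacks client role {role!r} on {client_id}"
    return True, "ok"

def check_request(token, now=None):
    """Proxy-side decision for one bearer token (signature already verified)."""
    return authorize(decode_jwt_payload(token), now=now)

NOW = 1493823077   # constructed clock value (seconds since the epoch)

def sample_token(claims):
    """Constructed, unsigned token (empty signature segment) for offline testing
    only; real Keycloak tokens carry an RS256 signature the proxy must verify."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}."

ELIGIBLE = sample_token({"preferred_username": "eligible@example.org", "aud": CLIENT_ID,
                         "exp": NOW + 300, "resource_access": {CLIENT_ID: {"roles": [REQUIRED_ROLE]}}})
NOT_ELIGIBLE = sample_token({"preferred_username": "not.eligible@example.org", "aud": CLIENT_ID,
                             "exp": NOW + 300, "resource_access": {}})   # no roles on the client
```

Keeping this check in the proxy is worthwhile even if Keycloak is also configured to refuse the login, since it rejects a token that was issued for another client or has expired.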
