[keycloak-user] Block login attempt from specific role

Marek Posolda mposolda at redhat.com
Thu Aug 9 04:46:01 EDT 2018


It's not allowed OOTB. Maybe it is possible with Script authenticator, 
but not 100% sure.

But TBH I wouldn't use an approach like that to reject it even at the login 
side, as role mappings are typically not about authentication, but about 
authorization. So the more correct approach is to let the authentication 
finish and then, once the user is redirected back to the application, let 
the error be displayed here (some page with the "Forbidden" message 
and 403 error). The user will then be authenticated, so in case he 
accesses R1, he will be authenticated automatically due to the SSO and won't 
need to reauthenticate.

Marek


On 09/08/18 10:36, Andreas Kull wrote:
> I have one realm which contains two clients A1, A2 and two roles R1, R2.
>
> R1 can access A1 and A2
> R2 should only be able to access A2
>
> Is there a possible way to disallow the login of R2 in A1 directly on the
> Keycloak login page?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
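
The application-side check described in the reply, as an added example that is not part of the original thread or of Keycloak's code. It assumes R1 and R2 are realm roles delivered in the access token's `realm_access.roles` claim (Keycloak's default mapping), and that the application's OIDC library has already validated the token's signature, issuer, audience and expiry; the function names and sample claims are hypothetical.

```python
# Added example: authorization per client after Keycloak login has finished.
# Assumption: `claims` is the decoded payload of an access token that was
# already validated (signature, issuer, audience, expiry) by an OIDC library.

# Policy from the question: R1 may use A1 and A2, R2 may use only A2.
CLIENT_ALLOWED_ROLES = {"A1": {"R1"}, "A2": {"R1", "R2"}}


def realm_roles(claims):
    """Extract realm roles from realm_access.roles, tolerating bad shapes."""
    access = claims.get("realm_access")
    if not isinstance(access, dict):
        return set()
    roles = access.get("roles")
    if not isinstance(roles, list):
        return set()
    return {r for r in roles if isinstance(r, str)}


def authorize(client_id, claims):
    """Return (status, body) for a request to the application `client_id`."""
    if claims is None:
        # No valid token: the user is not authenticated, so send them to login.
        return 401, "Unauthorized"
    allowed = CLIENT_ALLOWED_ROLES.get(client_id)
    if allowed is None:
        # Unknown application: deny by default.
        return 403, "Forbidden"
    if realm_roles(claims) & allowed:
        return 200, "OK"
    # Authenticated, but lacking a role for this application.
    return 403, "Forbidden"


# Constructed sample claims (not taken from a real token).
R1_USER = {"sub": "user-1", "realm_access": {"roles": ["R1"]}}
R2_USER = {"sub": "user-2", "realm_access": {"roles": ["R2", "offline_access"]}}
NO_ROLES = {"sub": "user-3"}

if __name__ == "__main__":
    for app in ("A1", "A2"):
        for name, claims in (("R1", R1_USER), ("R2", R2_USER), ("anon", None)):
            print(app, name, authorize(app, claims))
```

The R2 user gets 403 from A1 but keeps the SSO session, so the same login yields 200 at A2 without reauthentication.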



