[keycloak-user] Restrict access to clients based on Group membership

Dmitry Telegin dt at acutus.pro
Mon Nov 12 01:24:49 EST 2018


Hello Prashant,

Your case seems very similar to this one (please read the whole thread):
http://lists.jboss.org/pipermail/keycloak-user/2018-November/016092.html

In your case, however, there is no literal correspondence between client names and group names, so you can't infer one from another. But you can make use of group attributes and place the name(s) of allowed clients there. The rest of the implementation remains roughly the same.

If you don't want to use a script authenticator (this has limitations), you can simply map groups to roles in your JWT tokens and then configure client adapters to restrict access to the given role only.

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-11-08 at 09:04 +0000, Prashant Bapat wrote:
> Hi,
> 
> In our Keycloak setup (ver 4.4.0) we have a master realm configured to authenticate users in a Windows AD. We heavily use SAML and OIDC and both work great.
> 
> Is there a way to restrict access to an OIDC client based on a group membership? I’ve been reading up the docs and trying to get this working without success.
> 
> For example, let’s say we have 2 clients;
> client-dev-api
> client-prod-api
> Can I configure Keycloak to issue a JWT token for client-dev-api to members of AD group “Developers” and client-prod-api to members of AD group “Production”?
> 
> Any guidance on getting this to work would be appreciated.
> 
> Thanks.
> --Prashant
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
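Added example (not code from this thread or from the Keycloak project): a script authenticator in the Nashorn JavaScript dialect that Keycloak 4.x runs, implementing the group-attribute variant from the reply above. Keycloak 4.x has no per-client "allowed groups" setting, which is why the thread reaches for a script or for role checks in the adapter. The example assumes each group carries a multi-valued attribute named allowed_clients holding client IDs (the attribute name and the comma-separated handling are assumptions), and that the script bindings user, authenticationSession and LOG, the calls UserModel.getGroups(), GroupModel.getAttribute(String) and ClientModel.getClientId(), and the AuthenticationFlowError.ACCESS_DENIED constant match the deployed version; check them against your Keycloak release. The decision logic is kept in isClientAllowed, which accepts plain arrays as well as the Java collections Keycloak passes, so it can be unit-tested outside the server.

```javascript
// Added example: Keycloak "Script" authenticator (Nashorn JavaScript, Keycloak 4.x style).
// Denies the login unless the client being logged in to is listed in an "allowed_clients"
// attribute on at least one of the user's groups. Illustration code, not from the thread
// or from Keycloak itself; the attribute name is an assumption.

var ALLOWED_CLIENTS_ATTR = "allowed_clients";   // assumed group attribute name

// Keycloak hands the script Java collections (java.util.Set / java.util.List). Outside
// Keycloak (e.g. a unit test under Node) plain arrays are used. Normalise both to a JS array.
function toArray(coll) {
    if (coll === null || coll === undefined) return [];
    if (Array.isArray(coll)) return coll;
    var out = [];
    var it = coll.iterator();
    while (it.hasNext()) out.push(it.next());
    return out;
}

// Collect every client id named by the user's groups. A group attribute is multi-valued
// in Keycloak; additionally, each value may hold a comma-separated list of client ids.
function allowedClientsFor(groups) {
    var allowed = {};
    toArray(groups).forEach(function (group) {
        toArray(group.getAttribute(ALLOWED_CLIENTS_ATTR)).forEach(function (value) {
            String(value).split(",").forEach(function (clientId) {
                clientId = clientId.trim();
                if (clientId !== "") allowed[clientId] = true;
            });
        });
    });
    return allowed;
}

// Pure decision function: exact, case-sensitive match on the client id.
// hasOwnProperty keeps inherited names such as "constructor" from matching.
function isClientAllowed(groups, clientId) {
    return Object.prototype.hasOwnProperty.call(allowedClientsFor(groups), clientId);
}

// Entry point Keycloak calls. `user`, `authenticationSession` and `LOG` are bindings the
// script authenticator provides; `Java.type` is Nashorn's bridge to Java classes.
function authenticate(context) {
    var AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
    if (user === null || user === undefined) {
        // If the step runs before a user is identified, fail closed rather than skip the check.
        context.failure(AuthenticationFlowError.INVALID_USER);
        return;
    }
    var clientId = authenticationSession.getClient().getClientId();
    if (isClientAllowed(user.getGroups(), clientId)) {
        context.success();
        return;
    }
    LOG.warn("User " + user.getUsername() + " denied login to client " + clientId
             + ": no group lists it in " + ALLOWED_CLIENTS_ATTR);
    context.failure(AuthenticationFlowError.ACCESS_DENIED);
}
```

Bind the script as a step in a copy of the browser flow at a point where user is already resolved (after the Username Password Form), and in the direct grant flow as well if the password grant is in use. Two things to watch: a user who already holds an SSO cookie is authenticated by the Cookie authenticator and may never reach the forms subflow, so the check has to sit on that path too, otherwise someone logged in to client-dev-api can pick up a token for client-prod-api unchecked; and the check runs at login only, so tokens and sessions issued before a group attribute is changed remain valid until they expire.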
