[keycloak-user] Per-client authorization
Chris Boot
lists at bootc.boo.tc
Tue Aug 20 07:29:53 EDT 2019
Hi all,
I'm trying to restrict which OIDC clients users can log in to based on
roles or group membership. I can't believe this isn't something
built into Keycloak yet, but it seems that way.
I had previously experimented with per-client Authorization settings,
applying policies to Resources. I could have sworn this worked at some
point, but it doesn't now. AIUI it seems to require the use of the
Keycloak Gatekeeper or other Keycloak-specific code, so it's not going
to work for most of my applications.
As far as I can tell, the only way to make this work is using a custom
authentication flow: https://stackoverflow.com/a/54384513/9531301
Is this indeed the only way to make this work?
Is there a way of stopping such clients from being shown on the Account
Management => Applications screen without globally removing the
offline_access role for all users?
Thanks,
Chris
--
Chris Boot
bootc at boo.tc