rooch84

Reputation: 654

Authenticating a User against a client in Keycloak

I have a Keycloak server setup with a realm and a client. I have Authorization setup on the client and I'm able to evaluate the authentication within the admin interface.

When I click "Show authorization data", I can see in the response an authorization attribute with permissions.

I have a web client that uses a redirect via Keycloak for OIDC authentication. I would like to limit which Keycloak users are able to log in to the client, so I would like to authorise the login, but I'm unable to see the authorization attribute in the JWT.

Am I completely misunderstanding how this works, or is there something I can do to see that attribute?

Upvotes: 0

Views: 681

Answers (1)

rooch84

Reputation: 654

OK, I've finally got my head around it. Short answer - I needed to RTFM.

Long answer - I needed to hit the token endpoint twice. The first time with grant_type = authorization_code to get the access token. Then again with grant_type = urn:ietf:params:oauth:grant-type:uma-ticket (and with the access token in the header) to get the Keycloak client to authenticate.

If the second response comes back as 403 - access_denied, then I reject the login; otherwise, I allow the user to log in to my system.

The specific bit I needed can be found in the docs here: https://www.keycloak.org/docs/6.0/authorization_services/#_service_obtaining_permissions https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions

Upvotes: 1
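The two token-endpoint calls the answer describes, as an added example (not the poster's code): exchange the authorization code for an access token, then send the UMA ticket grant with that token as Bearer and treat a 403 as "reject the login", reading the permissions back out of the returned RPT's authorization claim. The endpoint URL, client id/secret and the injectable `send` transport are assumptions; `demo()` runs the whole flow offline against a constructed fake Keycloak.

```python
import base64
import json
from urllib import error, parse, request
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

def _http_post(url, headers, form):
    """Form-encoded POST returning (status, body); 4xx replies are returned, not raised."""
    req = request.Request(url, data=parse.urlencode(form).encode(), headers=headers, method="POST")
    try:
        with request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except error.HTTPError as e:
        return e.code, e.read().decode()

def exchange_code(token_endpoint, client_id, client_secret, code, redirect_uri, send=_http_post):
    """Call 1: grant_type=authorization_code -> the user's access token."""
    form = {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "code": code, "redirect_uri": redirect_uri}
    status, body = send(token_endpoint, {}, form)
    if status != 200:
        raise RuntimeError(f"code exchange failed: HTTP {status} {body}")
    return json.loads(body)["access_token"]

def rpt_permissions(rpt):
    """'authorization' claim of an RPT; it just arrived from Keycloak over TLS, so no signature check."""
    payload = rpt.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims.get("authorization", {}).get("permissions", [])

def authorize_login(token_endpoint, client_id, access_token, send=_http_post):
    """Call 2: UMA ticket grant, Bearer = access token. 403 means the client's policies deny the user."""
    form = {"grant_type": UMA_GRANT, "audience": client_id}
    status, body = send(token_endpoint, {"Authorization": f"Bearer {access_token}"}, form)
    if status == 403:  # body is {"error": "access_denied", "error_description": "not_authorized"}
        return False, []
    if status != 200:  # anything else is an error, never an "allow"
        raise RuntimeError(f"unexpected token endpoint reply: HTTP {status} {body}")
    return True, rpt_permissions(json.loads(body)["access_token"])

def demo(user_allowed):
    """Offline run against a constructed fake transport standing in for Keycloak."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    perms = [{"rsname": "login", "scopes": ["access"]}]
    rpt = ".".join([b64({"alg": "none"}), b64({"authorization": {"permissions": perms}}), "sig"])
    def fake_send(url, headers, form):
        if form["grant_type"] == "authorization_code":
            return 200, json.dumps({"access_token": "at.constructed"})
        if user_allowed and headers["Authorization"] == "Bearer at.constructed":
            return 200, json.dumps({"access_token": rpt})
        return 403, json.dumps({"error": "access_denied", "error_description": "not_authorized"})
    ep = "https://keycloak.example/realms/demo/protocol/openid-connect/token"  # placeholder URL
    at = exchange_code(ep, "web-client", "secret", "code123", "https://app.example/cb", send=fake_send)
    return authorize_login(ep, "web-client", at, send=fake_send)
```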
