Reputation: 560
I'm new to authentication concepts and maybe there are some things I got wrong, but I need some help with Keycloak administration.
I installed Keycloak on a server, created a realm, a client and a user. The client uses openid-connect with confidential access type. I managed to connect my PHP application by using cURL to query the Keycloak server and display the login form; I get the code and then the access token, and everything is fine on this part.
What I want to do now is configure a few clients in my realm, because I have several apps I want to secure with Keycloak authentication, but I do not want all the users to access all the clients, and ultimately I want to set up some roles for each user that my apps will retrieve. I navigated through the documentation and the Keycloak admin interface but I have not managed to get that to work. It seems like something pretty basic to do but I honestly don't understand how to achieve it... Did anyone solve this kind of issue and could help me please?
Upvotes: 2
Views: 2803
Reputation: 9
Understanding authorisation in Keycloak is a little more nuanced. Keycloak is not designed to handle the restricting of applications per se. It does authentication and authorisation, but it is for the application to enforce it.
As my understanding goes, Keycloak will hand off the details to the application in the token it supplies, and it is for the application to read and interpret those.
In essence, if you look at the access token, when the user is not assigned any authorisation policies, etc., they are not present in the token. This means the application should read that and only provide access to the relevant authorisations provided in the token. But what Keycloak does not do, and so far I do not believe this is a feature within it, is block users from trying to access the application.
Keycloak allows developers to not have to design their own proprietary authentication and authorisation; instead they can harness Keycloak's features to develop their application using industry auth standards.
Upvotes: 0
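As an added illustration of the answer above (not code from the thread or from the Keycloak project): a PHP sketch of application-side enforcement that verifies the access token and reads the client roles Keycloak places under `resource_access`. The issuer URL, the client IDs `app-a` and `app-b`, the role `editor` and the throwaway key pair standing in for the realm's signing key are all assumptions made up for the demo.

```php
<?php
// Added example. Issuer, client IDs and role names are constructed placeholders.
function b64url_decode(string $s): string {
    return base64_decode(strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4));
}
function b64url_encode(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

/** Returns the user's roles for $clientId; throws if the token must be rejected. */
function client_roles(string $jwt, string $realmPublicKeyPem, string $issuer, string $clientId): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new RuntimeException('malformed token');
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(b64url_decode($h), true);
    // Pin the algorithm in code; do not let the token header choose it.
    if (($header['alg'] ?? '') !== 'RS256') {
        throw new RuntimeException('unexpected alg');
    }
    if (openssl_verify("$h.$p", b64url_decode($s), $realmPublicKeyPem, OPENSSL_ALGO_SHA256) !== 1) {
        throw new RuntimeException('bad signature');
    }
    $claims = json_decode(b64url_decode($p), true);
    if (($claims['iss'] ?? '') !== $issuer) {
        throw new RuntimeException('wrong issuer');
    }
    if (($claims['exp'] ?? 0) <= time()) {
        throw new RuntimeException('token expired');
    }
    // Client roles are listed per client; no entry means no roles for this app.
    return $claims['resource_access'][$clientId]['roles'] ?? [];
}

// Constructed demo token: alice has a role on app-a and nothing on app-b.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub = openssl_pkey_get_details($key)['key'];
$iss = 'https://sso.example.test/realms/demo';
$h = b64url_encode(json_encode(['alg' => 'RS256', 'typ' => 'JWT']));
$p = b64url_encode(json_encode(['iss' => $iss, 'exp' => time() + 300,
    'resource_access' => ['app-a' => ['roles' => ['editor']]]]));
openssl_sign("$h.$p", $sig, $key, OPENSSL_ALGO_SHA256);
$jwt = "$h.$p." . b64url_encode($sig);

foreach (['app-a', 'app-b'] as $client) {
    $roles = client_roles($jwt, $pub, $iss, $client);
    echo $client, ': ', $roles ? 'allow, roles=' . implode(',', $roles) : 'deny (403)', "\n";
}
```

Each application runs the check with its own client ID, so a user with no role on that client is refused by the application even though the login at Keycloak succeeded.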