Allowing Keycloak login to clients depending on Keycloak group membership

Hi
I have Keycloak plugged into an LDAP.
4 clients are using Keycloak to authenticate.
But all LDAP users can log in to the 4 clients.
I would like Keycloak to check whether the user is in a certain group before authorising authentication.
I did not find a tutorial on the internet.
And the documentation is not so simple for a beginner in Keycloak…
Could you :slight_smile: confirm that what I want is not stupid and is possible?
And if possible give me some keywords to search for how to do it?

Many thanks

Did you find the solution?

Thanks
Kabi

I have some tutorials to test but I did not find a good one so far…
I will share the result of course :slight_smile:

So continuing on this subject…
My LDAP now has groups.
I created one group in LDAP for each client in Keycloak.
I have linked the LDAP to Keycloak so my users and groups are known by Keycloak.

I now have 2 Keycloak groups called:

  • client1 with a user1
  • client2 with a user2

I guess I only have to tell a client to accept users from one group only,
But I do not see how to do that

Has anyone done this before?
Or do I have a bad solution to resolve my problem?

Thanks

Keep going…

In Keycloak, for client1, I set “Capability config/Authorization” to ON
=> A new Authorization tab appears,
with a “Default Resource” in the Resources tab.
In the Policies tab I created:

| Name | Type | Dependent permission | Description |
| --- | --- | --- | --- |
| client1 User | Group | Client1 User Permission | member of client1 group |

In the Permissions tab I created:

| Name | Type | Associated policy | Description |
| --- | --- | --- | --- |
| Client1 User Permission | Resource-Based | client1 User | |

Then going to the Evaluate tab it seems to work:
User1 (who is in the client1 group) gets “Permit”,
but User2 (who is in the client2 group) gets “Deny”.

But when trying to log in to the Client1 application (Nextcloud in this case), both user1 and user2 have access…

Any idea what I have missed?

The authorization requires the client to check authZ as well as authN, which only the Keycloak adapters do, not generic OIDC / OAuth2 clients.
If you want to restrict access, I recommend using an extension like

that I have been using successfully.
Just assign the group to the role restricted-access and only users in that role will be able to access; others won’t.
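To make the distinction in the reply above concrete (the Evaluate tab shows the policy decision, but nothing enforces it unless the client asks for it), here is an added example, not code from the thread or from the extension, of what "the client checking authZ" looks like: the client sends the user's access token to Keycloak's token endpoint with the UMA ticket grant and `audience` set to the resource server (client1), and Keycloak answers Permit or Deny from the policies configured in the Authorization tab. The host, realm, token values and the offline responder are constructed placeholders; the real exchange only works for an application you control, which is why an off-the-shelf client such as Nextcloud needs the extension instead.

```python
"""Added example: ask Keycloak's Authorization Services for a decision the
way a Keycloak adapter does, so a policy that evaluates to Deny is actually
enforced rather than only visible in the Evaluate tab.
Hostname, realm, client id and tokens are placeholders, not thread values."""
import io
import json
import urllib.error
import urllib.parse
import urllib.request

KEYCLOAK_BASE = "https://keycloak.example.invalid"  # placeholder
REALM = "myrealm"                                    # placeholder
TOKEN_ENDPOINT = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/token"
UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def build_decision_request(access_token: str, audience: str) -> tuple[dict, dict]:
    """Headers and form fields for a decision-only RPT request.

    With response_mode=decision Keycloak returns {"result": true} when the
    user's permissions cover the audience client, and HTTP 403 with
    {"error": "access_denied"} otherwise.
    """
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    fields = {
        "grant_type": UMA_TICKET_GRANT,
        "audience": audience,  # client id of the resource server, e.g. client1
        "response_mode": "decision",
    }
    return headers, fields


def decide(status: int, body: bytes) -> str:
    """Map a token-endpoint response to Permit / Deny / Error (fail closed)."""
    try:
        payload = json.loads(body.decode() or "{}")
    except (json.JSONDecodeError, UnicodeDecodeError):
        return "Error"
    if status == 200 and payload.get("result") is True:
        return "Permit"
    if status == 403 and payload.get("error") == "access_denied":
        return "Deny"
    return "Error"


def check_access(access_token: str, audience: str, opener=urllib.request.urlopen) -> str:
    """POST the request; `opener` is injectable so the exchange can be replayed offline."""
    headers, fields = build_decision_request(access_token, audience)
    req = urllib.request.Request(
        TOKEN_ENDPOINT,
        data=urllib.parse.urlencode(fields).encode(),
        headers=headers,
        method="POST",
    )
    try:
        with opener(req) as resp:
            return decide(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # Keycloak signals Deny with a 403
        return decide(err.code, err.read())


class _FakeResponse:
    """Constructed stand-in for urllib's HTTPResponse (offline replay only)."""

    def __init__(self, status: int, body: bytes):
        self.status, self._body = status, body

    def read(self) -> bytes:
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def _fake_keycloak(req: urllib.request.Request):
    """Constructed replay of the thread's two cases: user1 is a member of
    client1's group (Permit), user2 is not (Deny). Tokens are placeholders."""
    fields = urllib.parse.parse_qs(req.data.decode())
    if fields.get("grant_type") != [UMA_TICKET_GRANT]:
        raise ValueError("expected the UMA ticket grant")
    if req.get_header("Authorization") == "Bearer token-of-user1":
        return _FakeResponse(200, b'{"result": true}')
    body = b'{"error": "access_denied", "error_description": "not_authorized"}'
    raise urllib.error.HTTPError(req.full_url, 403, "Forbidden", {}, io.BytesIO(body))


def replay_offline() -> dict[str, str]:
    """Run both users through check_access against the constructed responder."""
    return {
        user: check_access(f"token-of-{user}", "client1", opener=_fake_keycloak)
        for user in ("user1", "user2")
    }


if __name__ == "__main__":
    print(replay_offline())  # {'user1': 'Permit', 'user2': 'Deny'}
```

`check_access` fails closed: anything other than an explicit `{"result": true}` is treated as not permitted, so an expired token, a wrong realm or a client without Authorization enabled cannot turn into access by accident. Against a real server, drop the `opener` argument and pass the user's access token obtained at login.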

Hi
Thanks for the help
I have installed this extension but have not succeeded in configuring it…
I am on Keycloak 19 and the GitHub “How to configure” seems not to be done with Keycloak 19…

Where do I need to configure it?
Only in the client?
When you say “Just assign the group to the role restricted-access”,
where do you make that configuration?
Many thanks

A summary of where I am…

I have a client with “Authorization” set to ON.
In the client configuration I have:
Authorization/Resources/Default Resource => Allow everywhere in this client
Authorization/Policies/[Only nextcloud Group] => Allow members of the nextcloud group
Authorization/Permissions/[Nextcloud Group Permission] => Allow, combining the 2 above (Resource / Policy)

I have installed [sventorben/keycloak-restrict-client-auth] and tried to configure it as follows:
In my realm I have configured:
Authentication / [browser restricted] => the browser flow with “restrict user authentication on client” set to Required at the end of the flow

But I don’t know where to configure the “Resource Policy based mode” described in the GitHub how-to…

Any idea where I have to do it?