We are currently configuring authorization to deny/allow access to certain resources. However, we can always access the resources that is limited to certain users only.
I’m having this issue as well, I’ve been able to set up an authorization flow using Permission -> Policy -> Resouce, and can evaluate users to be Permitted or Denied to the resource, but when they try to access the resource they are always able to access it.
Were you able to solve this?
My instance was discussed here, resulting in the following answer:
We don’t have anything OOTB that could restrict access to applications when users are authenticating to your applications. For that, you would need to customize your authentication flow and use a JavaScript Authenticator that decides whether or not the user is allowed to proceed in the authentication process.
You may also take a look at the Client Authorization Extension. See Extensions - Keycloak. Note that this is not supported by us but an extension provided by our community.
The Authorization Services capabilities are mainly about enforcing access to protected resources in your application after the user is authenticated. That is why you need to enable the policy enforcer.
I will look into the Client Authorization Extension, maybe it is right for you as well if this is still an issue.
I tried to test JS Policies but I haven’t figure out the implementation. http://keycloak.discourse.group/t/deploy-a-javascript-policy-in-keycloak-10/2982