Can a resource be protected via policy without client adapter?

Hello everyone,

In the past few days I have been evaluating Keycloak in order to be used in our organization because of the strong integration with Shinyproxy.
I was able to successfully configure a few apps via oidc (Shinyproxy and Flask-Appbuilder) for authentication, what I am working on right now is the authorization part.
What I can’t figure out is how to protect a resource via roles.

Here is an example: I configured a new confidential client to be able to authenticate against Keycloak with Flask-Appbuilder (which is based on Flask and has built in integration with openid-connect).
What I would like to be able to do is deny access to this whole client if a user does not belong to a certain group. I have tried to configure a policy and a permission like explained in the manual but the user is still able to login. Does this mean that in order to have this type of authorization the app itself needs to implement this via an adapter?
Also in the documentation it says that it’s possible to edit the Default policy but in my installation I can only delete a Default policy, if I open it to edit everything is grayed out.

Can someone shed some light on this?

Thanks in advance,

Giordano

Please correct me if I’m wrong but it looks like the only way to allow/deny access to a client based on a role server-side would be to implement a javascript authenticator provider.
I thought I could get away with using a “Condition - User Role” execution but it seems not to do what I am expecting…

Struggling with the same issue. Did you ever find a solution? The “Condition - User Role” Option seems to be very poorly documented.

I’m having the same issue, the “Condition - User Role” just does not work as expected. Did you find a solution? I’m thinking I will have to implement an Authentication Provider here…

Hi. Same issue here. The “Condition - User Role” is ignored no matter where I put it. Tried almost all combinations in a new Authentication Flow.

We have the same issue! We search for a way to protect a client application from getting entered via roles.

We didn’t find a way to do that with SAML auth. Please help.

This is an older topic, but the recent documentation updates they made make it much clearer, albeit still not that great.

Essentially, what works well for me, is that you want to do the opposite of what you are looking for. You want to deny people who don’t have the role, not allow people that do have the role (like you would normally think).

Example they have: https://www.keycloak.org/docs/latest/server_admin/images/deny-access-flow.png

In this example, there is a Conditional sub-flow to do the role check.
The first execution role check they have checks for the role, and it NEGATES it. So while you want to find people with this role, you need to do so in the opposite way.

So based on the above flow, if I do not have that role, then the Deny below the role check will end up denying me. But if I do have the role, then the Deny doesn’t get processed, and I move past it.

The updated documentation explains it better nowadays too: Server Administration Guide
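To make the negation point from the reply above concrete, here is an added, simplified model of how a Conditional sub-flow containing “Condition - User Role” and “Deny Access” is evaluated; it is not Keycloak code and not from the original thread. It assumes the provider ids `conditional-user-role` / `deny-access-authenticator` and the config keys `condUserRole` / `negate`, and the role name `app-users` is a constructed example.

```python
# Constructed, simplified model of a Keycloak CONDITIONAL sub-flow that holds a
# "Condition - User Role" execution followed by a "Deny Access" execution.
# Provider ids and config keys are assumptions about Keycloak, not verified here.
from dataclasses import dataclass, field


@dataclass
class Execution:
    kind: str                 # "condition" or "authenticator"
    provider: str             # e.g. "conditional-user-role"
    config: dict = field(default_factory=dict)


@dataclass
class SubFlow:
    requirement: str          # "REQUIRED", "ALTERNATIVE", "CONDITIONAL", "DISABLED"
    executions: list


def eval_condition(ex: Execution, user_roles: set) -> bool:
    """Condition - User Role: true when the user has the configured role;
    negate="true" flips it so the condition matches users WITHOUT the role."""
    has_role = ex.config["condUserRole"] in user_roles
    return (not has_role) if ex.config.get("negate") == "true" else has_role


def run_subflow(sub: SubFlow, user_roles: set) -> str:
    """Return 'deny' or 'success'. A CONDITIONAL sub-flow whose conditions do not
    all hold is skipped, so the login simply continues past it."""
    if sub.requirement == "DISABLED":
        return "success"
    conditions = [e for e in sub.executions if e.kind == "condition"]
    if sub.requirement == "CONDITIONAL" and not all(
            eval_condition(c, user_roles) for c in conditions):
        return "success"  # sub-flow skipped: Deny Access never runs
    for e in sub.executions:
        if e.kind == "authenticator" and e.provider == "deny-access-authenticator":
            return "deny"  # Deny Access always fails the login
    return "success"


def build_role_gate(negate: bool) -> SubFlow:
    """Sub-flow as in the documentation's deny-access-flow picture; 'app-users' is
    a constructed role name."""
    return SubFlow("CONDITIONAL", [
        Execution("condition", "conditional-user-role",
                  {"condUserRole": "app-users", "negate": str(negate).lower()}),
        Execution("authenticator", "deny-access-authenticator",
                  {"denyErrorMessage": "You are not allowed to use this client."}),
    ])


def login_outcome(negate: bool, user_roles) -> str:
    return run_subflow(build_role_gate(negate), set(user_roles))
```

With `negate` set, a user lacking `app-users` hits Deny Access while a user holding it skips the sub-flow; without `negate` the gate denies exactly the users you meant to let in.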