Cannot limit client access to a role when connecting from Moodle

Hi everyone,

I’m doing some initial testing with Keycloak.
I have configured Moodle in order to be able to authenticate users against my realm. I have been able to achieve it either using Moodle’s standard OAuth2 plugin or the 3rd party OpenID Connect plugin provided by Microsoft.

Now I want to limit access to this Moodle to users with a specific realm role called “teacher”.

To do the authentication integration I had to create a client in Keycloak called “moodle”, so I’m trying to limit authorization to use this client to just the role “teacher”.

For this I enabled authorization for the client and in the default permission I just added a new policy that requires the user to have the “teacher” role. I even went to the “Evaluate” tab and checked that for a user with the role the “Default resource” is evaluated to “PERMIT” while it is “DENY” for users without the role.

But Moodle does not seem to pay attention to this config; it just allows everyone to log in using Keycloak as a provider.

I’ve seen on StackOverflow that some people suggest creating a JavaScript policy instead of using the provided ones, or even changing some steps in the authentication flow, but this sounds to me more like a workaround.

Is this supposed to work or am I making some conceptually wrong assumptions?
My “Default resource” has “/*” configured as URI, although I’m not very sure what this means in this context. Maybe Moodle is not asking for any resource? Maybe authorization for clients only works when using Keycloak adapters and not for standard OpenID Connect clients?

Were you able to fix this?
I’m also facing the same issue and can’t find a solution for it.

Sorry, we were just evaluating Keycloak for a quite ambitious identification project, but seeing that things as supposedly trivial as the one mentioned here are already quite complicated, we parked it for now.

As you can see there has not been any response after 2 years, so I still don’t know if it was a fault in our understanding of how things work, a fault in Moodle, or if what we were asking for was too much to expect from the identity management platform.

Hello @iblanco, I think this may not be too late.
The problem you’re facing is not related to Moodle but to your browser Keycloak login flow. You can limit login to a specific client with multiple conditions.
You can achieve this by:

1. Clone the browser login flow in the Authentication tab.
2. Add a flow under the Username Password Form flow and make it Conditional. You can call it e.g. “role flow”.
3. Under that flow add an execution of type “Condition - user role” and configure it to match your desired role, in your case “teacher”, and make sure to enable “Negate output”.
4. Add an execution under the “Condition - user role” of type “Deny access”.
5. Make sure to activate them.
6. You need to respect the order.
7. Navigate to your client settings. Under the Authentication Flow Overrides tab change the Browser Flow to the one you created.

And now users can only connect to that client if they have that specific role.
This is a demo capture of the login flow:
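The same seven admin-console steps, scripted against the Keycloak Admin REST API with only the Python standard library, as an added example that is not part of the thread and not Keycloak’s own code. The admin API paths, the provider ids `conditional-user-role` and `deny-access-authenticator`, the config keys `condUserRole`/`negate`, the `"<flow> forms"` naming of the copied sub-flow, the host `kc.example` and the client id `moodle` are all assumptions to check against your Keycloak version; the token must come from a service account that can manage the realm and its clients.

```python
"""Gate browser login to one Keycloak client on a realm role.

Added example (not from the thread or from Keycloak). Reproduces the answer's
seven admin-console steps through the Admin REST API. All paths, provider ids
and config keys below are assumptions about the Keycloak admin API.
"""
import json
import urllib.parse
import urllib.request

COND_USER_ROLE = "conditional-user-role"   # "Condition - user role" (assumed provider id)
DENY_ACCESS = "deny-access-authenticator"  # "Deny access" (assumed provider id)


def q(alias):
    """Flow aliases contain spaces, so URL-encode them for the path."""
    return urllib.parse.quote(alias, safe="")


def role_condition_config(role, negate=True, alias=None):
    """Authenticator config for "Condition - user role". The trick from the
    answer is Negate output: the condition fires when the user does NOT hold
    the role, so the "Deny access" step that follows blocks exactly those users."""
    return {
        "alias": alias or f"require-{role}",
        "config": {"condUserRole": role, "negate": "true" if negate else "false"},
    }


def subflow_request(alias):
    """Body for POST .../flows/{parent}/executions/flow (a plain sub-flow)."""
    return {"alias": alias, "type": "basic-flow", "description": "deny unless role present"}


def client_override(client_rep, flow_id):
    """Copy of a client representation with its browser flow overridden (step 7)."""
    rep = dict(client_rep)
    overrides = dict(rep.get("authenticationFlowBindingOverrides") or {})
    overrides["browser"] = flow_id
    rep["authenticationFlowBindingOverrides"] = overrides
    return rep


class KeycloakAdmin:
    """Minimal admin client. realm_admin_url looks like
    https://kc.example/admin/realms/myrealm (hypothetical host)."""

    def __init__(self, realm_admin_url, token):
        self.base = realm_admin_url.rstrip("/")
        self.token = token

    def call(self, method, path, body=None, params=None):
        url = self.base + path + ("?" + urllib.parse.urlencode(params) if params else "")
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", "Bearer " + self.token)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None

    def set_requirement(self, parent_alias, display_name, requirement):
        """Steps 5/6: new executions start DISABLED; find one by its display
        name inside a flow and set it to REQUIRED or CONDITIONAL. Returns its id."""
        path = f"/authentication/flows/{q(parent_alias)}/executions"
        for execution in self.call("GET", path):
            if execution.get("displayName") == display_name:
                execution["requirement"] = requirement
                self.call("PUT", path, execution)
                return execution["id"]
        raise LookupError(f"{display_name!r} not found in flow {parent_alias!r}")


def apply_role_gate(admin, client_id, role, new_flow="browser-teacher-only"):
    """Run steps 1-7 of the answer. Order matters: the condition is added
    before "Deny access" because executions keep insertion order."""
    forms = f"{new_flow} forms"       # alias Keycloak gives the copied forms sub-flow (assumed)
    gate = f"{role} role gate"
    # 1. clone the built-in browser flow
    admin.call("POST", "/authentication/flows/browser/copy", {"newName": new_flow})
    # 2. sub-flow under the username/password form flow, requirement Conditional
    admin.call("POST", f"/authentication/flows/{q(forms)}/executions/flow", subflow_request(gate))
    admin.set_requirement(forms, gate, "CONDITIONAL")
    # 3. "Condition - user role" matching the role, with Negate output
    admin.call("POST", f"/authentication/flows/{q(gate)}/executions/execution", {"provider": COND_USER_ROLE})
    cond_id = admin.set_requirement(gate, "Condition - user role", "REQUIRED")
    admin.call("POST", f"/authentication/executions/{cond_id}/config", role_condition_config(role))
    # 4. "Deny access" directly after the condition
    admin.call("POST", f"/authentication/flows/{q(gate)}/executions/execution", {"provider": DENY_ACCESS})
    admin.set_requirement(gate, "Deny access", "REQUIRED")
    # 7. bind the new flow as this client's browser flow
    flow_id = next(f["id"] for f in admin.call("GET", "/authentication/flows") if f["alias"] == new_flow)
    client = admin.call("GET", "/clients", params={"clientId": client_id})[0]
    admin.call("PUT", f"/clients/{client['id']}", client_override(client, flow_id))
    return flow_id


if __name__ == "__main__":
    import os
    admin = KeycloakAdmin("https://kc.example/admin/realms/myrealm", os.environ["KC_ADMIN_TOKEN"])
    print("browser flow override id:", apply_role_gate(admin, "moodle", "teacher"))
```

Because the gate lives in the browser flow that only this client overrides, every other client in the realm keeps the default login behaviour, which is why the client-level authorization policies in the first post had no visible effect on a plain OpenID Connect login: those policies are evaluated for permission tickets and RPTs, not for the authentication step itself.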