Cannot limit client access to a role when connecting from Moodle

Hi everyone,

I’m doing some initial testing with Keycloak.
I have configured Moodle in order to be able to authenticate users against my realm. I have been able to achieve it either using Moodle’s standard OAuth2 plugin or the 3rd-party OpenID Connect plugin provided by Microsoft.

Now I want to limit access to this Moodle to users with a specific realm role called “teacher”.

To do the authentication integration I had to create a client in Keycloak called “moodle” so I’m trying to limit authorization to use this client just to role “teacher”.

For this I enabled authorization for the client and in the default permission I just added a new policy that requests the user to have the “teacher” role. I even went to the “Evaluate” tab and checked that for a user with the role the “Default resource” is evaluated to “PERMIT” while it is “DENY” for users without the role.

But Moodle does not seem to pay attention to this config; it just allows everyone to log in using Keycloak as a provider.

I’ve seen on Stack Overflow that some people suggest creating a JavaScript policy instead of using the provided ones or even changing some steps in the authentication flow, but this sounds to me more like a workaround.

Is this supposed to work or am I making some conceptually wrong assumptions?
My “Default resource” has “/*” configured as URI, although I’m not very sure what this means in this context. Maybe Moodle is not asking for any resource? Maybe authentication for clients only works when using Keycloak adapters and not for standard OpenID Connect clients?