Can't get Keycloak to deny access if user not in group/role policy

I am a first time user of keycloak (after checking out a lot of different SSO solutions) so please bear with me. I have read a lot of articles and followed some tutorials to get things set up properly. I have things working now (Nextcloud authenticating through the nextcloud-social-login plugin with Keycloak), with user roles being properly assigned in Nextcloud. But I can’t seem to get the last bit working. I want to restrict access to Nextcloud to users in my realm who belong to a certain group. Reading the internets, it all sounds very simple, just enable authorization on the client and create a new group policy and selecting the group users need to belong to and set logic to positive. I did this and started first testing using a test user which orked with logging in before authorization was enable and does not sit in any group. But even with the group policy in place, i can still log in with the user that isn’t in the group. I left “Groups claim” empty, but also tested with “groups” filled in. After each successful login with the test user i log the test user out and delete the newly created user from Nextcloud. I have tested with adding the new group based policy to the default permissions and without. I have tested with evaluation, selecting the client, user, default resource and each time it evaluates to DENY (due to the user not being in the group it needs to be). but when logging in with this test user, keycloak will still allow the user access to the Nextcloud instance. I have also tried all this using a role policy, but that didn’t work either.

did i miss something to make this work?

any help is appreciated.

Hi, it looks like we’re on the same boat…did you ever figure it out? I am coming to the conclusion that the policies only work if the app you’re trying to protect is using a keycloak client adapter…

sorry for the late reply,rather busy with corona. not the best time to start a restaurant.

I didn’t “fix” it in the end. was some time ago as well. I needed to hook it up with nextcloud. I used the social login extension (the other one I couldn’t get working) and in the social plugin I made it so you have to be part of a group to get access. then I mapped users who should have access to the “client” and made it so that they will be part of a default group that gets mapped to a group in nextcloud and then they gain access. I haven’t tested with adapting one of the keycloak default clients.

Get TypeApp for Android

Hi, thanks for the reply…in the meantime I was able to manage to get something going by creating a javascript policy.


Would you mind sharing how you did that? because that’s the first thing I wanted to try and what all the solutions were pointing at but keycloak is very new for me and just could not understand how to do it.

Get TypeApp for Android

After fighting for a day, I got this answer from StackOverflow working:

  • Bundle script in a JAR file as documented here, deploy it by copying to standalone/deployments/ (see manual link)
  • Enable scripts: Start Keycloak with -Dkeycloak.profile.feature.scripts=enabled
  • In your realm, create a new flow. Duplicate the Browser flow in a required subflow, and add the script authenticator as final (required) element:
  • Now add to all clients which should be restricted a client role feature:authenticate. Users which don’t bear that role won’t get access to the application.


Just wanted to give you thanks. I set up another service and
wanted to have it work properly with group/role authentication and
got stuck again but have it working now. I thought I had to make a
copy (clicking on the copy button) of the browser flow and add the
js auth script s execution at the end. But rereading and taking a
good look at the screenshot you gave I finally figured it out.