Client Permissions on Resources not reflecting on Clients

Hi team,
I am trying to achieve a role based access to clients in Keycloak. For instance the users which are mapped to a role say access-only should only be authenticated to a client(for instance Grafana).

I am following an approach similar to https://stackoverflow.com/a/54374808/12281085 and https://medium.com/@harsh.manvar111/keycloak-authorization-service-rbac-1c3204a33a50.

I created two users access_user mapped it to a role access-only and no_access_user and left it unmapped.
Here are few snapshots of the configuration I made.
Created a policy access-only under the client grafana


used that policy in default_permission, applied it to default_resource

When I evaluate the auth flow in keycloak with no_access_user mapped to a role other that access-only, it shows Deny, which is as expected



but when I access the OpenID Connect client which is configured with Keycloak as no_acess_user

I am able to login the client (grafana), ideally no_access_user who is not mapped to access-only role shouldn’t have been able to login to grafana.

Can someone please help me resolve this.

Again I am trying to achieve

I am trying to achieve a role based access to clients in Keycloak.

I did try another method which only works partially https://keycloak.discourse.group/t/role-group-based-authentication-not-working-for-users-authenticated-by-external-idps-azure-ad-github-etc/19427.

I’d really appreciate help here.

Thanks,
Mohammed Adain