I am trying to achieve role-based access to clients in Keycloak. For instance, the users who are mapped to a role, say access-only, should be the only ones able to authenticate to a client (for instance, Grafana).
I am following an approach similar to https://stackoverflow.com/a/54374808/12281085 and https://email@example.com/keycloak-authorization-service-rbac-1c3204a33a50.
I created two users: access_user, which I mapped to the role access-only, and no_access_user, which I left unmapped.
Here are a few snapshots of the configuration I made.
Created a policy access-only under the client grafana
Used that policy in default_permission and applied it to default_resource
When I evaluate the auth flow in Keycloak with no_access_user mapped to a role other than access-only, it shows Deny, which is as expected,
but when I access the OpenID Connect client which is configured with Keycloak as no_access_user,
I am able to log in to the client (grafana); ideally no_access_user, who is not mapped to the access-only role, shouldn't have been able to log in to grafana.
Can someone please help me resolve this?
Again, what I am trying to achieve is role-based access to clients in Keycloak.
I did try another method, which only works partially: https://keycloak.discourse.group/t/role-group-based-authentication-not-working-for-users-authenticated-by-external-idps-azure-ad-github-etc/19427.
I’d really appreciate help here.