Hi everyone!
I have been digging into various forum posts that are now a few years old, and I am stuck on an issue.
To preface, I’m aware that Keycloak is an identity provider foremost, and I am looking to do more along the authorization front.
I want to enable Group-based authentication for various clients within my Keycloak realm. This would permit only certain groups access to certain applications (i.e., Group A has access to specific apps, and Group B has another set; these sets could overlap).
I have created a client in my Keycloak Realm and enabled Authorization. Then, in the Authorization tab, I went into policies, created a custom group-based policy, and included the groups I wanted to access the application. I removed the default “allow all” policy and ensured the enforcement mode was set to “Enforcing”.
With all that set up, a presumably unauthorized user could still gain access to applications that the policy should deny. I returned and created custom permissions attached to the default resource, but that still didn’t work.
I then tried creating custom provider hooks as per this post; however, the API is rather ambiguous, and I would much prefer a native approach.
Thanks!
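An added example, not part of the original post: Keycloak evaluates a client's authorization policies only when a resource server asks for a decision, so an application (or a policy enforcer in front of it) has to make that request and refuse service on a deny; configuring the policy alone does not stop a user from logging in. The Python below asks the realm token endpoint for a `response_mode=decision` answer against the client's policies; the endpoint URL, client id, permission name and token values are placeholders.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def build_decision_request(token_endpoint, access_token, audience, permission=None):
    """Build the token-endpoint POST that asks Keycloak to evaluate the
    authorization policies of client `audience` for the bearer of
    `access_token`. response_mode=decision requests a plain yes/no
    instead of a full RPT."""
    form = {
        "grant_type": UMA_TICKET_GRANT,
        "audience": audience,
        "response_mode": "decision",
    }
    if permission:  # optional: narrow the check to one resource or "resource#scope"
        form["permission"] = permission
    req = urllib.request.Request(
        token_endpoint, data=urllib.parse.urlencode(form).encode(), method="POST")
    req.add_header("Authorization", f"Bearer {access_token}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def interpret_decision(status, body):
    """Keycloak answers 200 {"result": true} when a permission grants access and
    403 with error=access_denied when the policies deny. Anything else
    (malformed JSON, unexpected status) is treated as a deny: fail closed."""
    if status != 200:
        return False
    try:
        return json.loads(body).get("result") is True
    except (ValueError, AttributeError):
        return False


def is_allowed(token_endpoint, access_token, audience, permission=None,
               opener=urllib.request.urlopen):
    """Gate an application route on Keycloak's policy decision. `opener` is
    injectable so the check can be exercised offline with a stub."""
    req = build_decision_request(token_endpoint, access_token, audience, permission)
    try:
        with opener(req) as resp:
            return interpret_decision(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:  # the 403 access_denied reply lands here
        return interpret_decision(err.code, err.read().decode())
```

The application calls `is_allowed` with the user's access token before serving a protected route; a user who can log in but is not in a permitted group gets `False`.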