Group Based Client Authentication

Hi everyone!

I have been digging into various forum posts that are now a few years old, and I am stuck on an issue.
To preface, I’m aware that Keycloak is an identity provider foremost, and I am looking to do more along the authorization front.

I want to enable Group-based authentication for various clients within my Keycloak realm. This would permit only certain groups access to certain applications (i.e., Group A has access to specific apps, and Group B has another set; these sets could overlap).

I have created a client in my Keycloak realm and enabled Authorization. Then, in the Authorization tab, I went into policies, created a custom group-based policy, and included the groups I wanted to access the application. I removed the default “allow all” policy and ensured the enforcement mode was set to “Enforcing”.

With all that setup, a presumably unauthorized user could still gain access to applications that the policy should deny. I returned and created custom permissions attached to the default resource, but that still didn’t work.

I then tried creating custom provider hooks as per this post; however, the API is rather ambiguous, and I would much prefer a native approach.

Thanks!
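Editor's note, as an added example that is not part of the post above: the policies configured in a client's Authorization tab are evaluated by Keycloak Authorization Services, which only runs when a resource server asks for a decision, either by requesting a Requesting Party Token (RPT) from the token endpoint with the UMA grant type or by running the policy enforcer. A plain login to the client is an authentication event and produces an ordinary access token whether or not any permission would be granted. The code below shows the exchange a resource server would perform to obtain that decision and how to read the reply. The realm name, client id, resource name and both server responses are constructed assumptions shaped like the token endpoint's real replies, not captures from a running server.

```python
"""Added example (not from the original post or the Keycloak project):
asking Keycloak Authorization Services for a decision via the UMA grant.

Assumed values: realm "demo", client "app-a", resource "Default Resource".
The two sample responses are constructed to match the token endpoint's
actual shapes (an RPT on success, a 403 "access_denied" when Enforcing).
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def build_rpt_request(base_url, realm, client_id, access_token, permission=None):
    """Return (url, body, headers) for a UMA-ticket request to the token endpoint.

    `audience` names the client whose policies are evaluated. `permission`
    ("resource#scope") narrows the check to one resource; omit it to request
    every permission the user holds on that client. Base URL is assumed to be
    the Quarkus layout (/realms/...); legacy servers prefix /auth.
    """
    url = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"
    fields = {"grant_type": UMA_GRANT, "audience": client_id}
    if permission:
        fields["permission"] = permission
    body = urllib.parse.urlencode(fields).encode()
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return url, body, headers


def decode_jwt_payload(token):
    """Decode a compact JWT payload without verifying the signature.

    Acceptable only for a token just received from Keycloak over TLS; a
    resource server must verify the signature before acting on the claims.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_resources(rpt_payload):
    """Map resource name -> granted scopes from the RPT's authorization claim."""
    perms = rpt_payload.get("authorization", {}).get("permissions", [])
    return {p["rsname"]: set(p.get("scopes", [])) for p in perms}


def is_permitted(status, response_body, resource, scope=None):
    """Interpret the token endpoint's reply for one resource (and optional scope).

    With enforcement mode Enforcing and no matching permission, the endpoint
    answers 403 with error "access_denied"; otherwise it returns an RPT whose
    authorization.permissions claim lists what was granted.
    """
    if status != 200:
        return False
    data = json.loads(response_body)
    if "access_token" not in data:
        return False
    grants = granted_resources(decode_jwt_payload(data["access_token"]))
    if resource not in grants:
        return False
    return scope is None or scope in grants[resource]


def fetch_decision(base_url, realm, client_id, access_token, resource, scope=None):
    """Live variant: perform the exchange against a real server (not run here)."""
    perm = resource if scope is None else f"{resource}#{scope}"
    url, body, headers = build_rpt_request(base_url, realm, client_id, access_token, perm)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return is_permitted(resp.status, resp.read(), resource, scope)
    except urllib.error.HTTPError as e:
        return is_permitted(e.code, e.read(), resource, scope)


def _fake_rpt(permissions):
    """Constructed, unsigned RPT carrying the given permissions (sample data)."""
    header = base64.urlsafe_b64encode(b'{"alg":"RS256"}').rstrip(b"=").decode()
    payload = json.dumps({"aud": "app-a", "authorization": {"permissions": permissions}})
    payload_b64 = base64.urlsafe_b64encode(payload.encode()).rstrip(b"=").decode()
    return f"{header}.{payload_b64}.signature"


# Constructed samples of the two outcomes (not captured from a real server).
SAMPLE_GRANTED = (200, json.dumps({
    "access_token": _fake_rpt([{"rsid": "b1e3", "rsname": "Default Resource", "scopes": ["view"]}]),
    "token_type": "Bearer", "upgraded": False,
}))
SAMPLE_DENIED = (403, json.dumps({"error": "access_denied", "error_description": "not_authorized"}))
```

The application in front of the user must perform this exchange (or run Keycloak's policy enforcer) and reject the request when no RPT comes back; the group policy has no effect on whether the login itself succeeds.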