After using other IAM solutions, I’m trying to figure out how authorization is supposed to work with Keycloak.
In a testing environment, I’ve connected an Apache application with mod_auth_openidc, and the authentication works great.
Now I have 2 users, and I modified the client in the Keycloak console in order to set up authorization: I set a User-type policy to replace the default policy, in order to authorize only user1. But user2 can still log in to the application, when I expect access to be denied.
After reading some posts in the forum, duplicating the browser flow could be a solution to this issue. But it doesn’t look like a good approach for a huge company with a lot of clients (or am I wrong?)
Why don’t the client’s authorization rules work? Why can user2 still reach the application? Can you tell me how I’m supposed to use the Authorization configuration in the client properly?
In other IAM solutions, I set access control based on groups, for example URI /admin for the admin group, URI /user for the users group, … Is there an easy way to set up this kind of configuration in Keycloak?
Thanks for your advices!
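Added example (not part of the original post): the per-path, per-group setup asked about in the last paragraph, done on the Apache side with mod_auth_openidc claim checks instead of with the client's Authorization Services. Keycloak's Authorization Services policies (the User-type policy mentioned above) are only evaluated when a resource server or policy enforcer asks Keycloak for a permission decision on a token; they do not stop a user from authenticating, which is why user2 can still log in. The config assumes a realm `myrealm` on `keycloak.example.com`, a confidential client `apache-app`, the groups `admin` and `users`, and a "Group Membership" protocol mapper on that client that writes the user's groups into a claim named `groups` with "Full group path" switched off; all of these names are placeholders chosen for the example.

```apache
# Added example, not from the original post. Apache + mod_auth_openidc
# against Keycloak, restricting paths by Keycloak group membership.
#
# Assumptions (placeholders, adjust to your deployment):
#   - realm "myrealm" on https://keycloak.example.com
#     (Keycloak versions before 17 serve /auth/realms/... instead of /realms/...)
#   - confidential client "apache-app" with a "Group Membership" mapper that
#     puts the user's groups in a claim named "groups", Full group path OFF,
#     so the claim holds "admin" and not "/admin"
#   - groups "admin" and "users" exist in the realm

OIDCProviderMetadataURL https://keycloak.example.com/realms/myrealm/.well-known/openid-configuration
OIDCClientID apache-app
OIDCClientSecret REPLACE_WITH_CLIENT_SECRET
# Must be a path below a protected Location and registered as a valid
# redirect URI on the Keycloak client.
OIDCRedirectURI https://app.example.com/protected/redirect_uri
OIDCCryptoPassphrase REPLACE_WITH_RANDOM_PASSPHRASE
OIDCScope "openid profile"
# Claims are read from the id_token and, by default, the userinfo endpoint;
# the groups mapper needs to add "groups" to at least one of them.

# Everything under /protected: any authenticated realm user.
<Location /protected>
    AuthType openid-connect
    Require valid-user
</Location>

# /protected/admin: only members of the Keycloak group "admin".
# "Require claim <name>:<value>" matches if the claim equals the value or,
# for an array claim such as "groups", contains it.
<Location /protected/admin>
    AuthType openid-connect
    Require claim groups:admin
</Location>

# /protected/user: members of "users" or "admin".
<Location /protected/user>
    AuthType openid-connect
    <RequireAny>
        Require claim groups:users
        Require claim groups:admin
    </RequireAny>
</Location>

# Per-user restriction, the "only user1" case from the post, expressed as a
# claim check on the Keycloak username rather than as an Authorization
# Services policy.
<Location /protected/only-user1>
    AuthType openid-connect
    Require claim preferred_username:user1
</Location>
```

With this in place user2 still authenticates at Keycloak (the login flow is unchanged), but Apache answers 403 on `/protected/admin` and `/protected/only-user1` because the required claim value is absent from user2's token. Check what the mapper actually emits by decoding the id_token or calling the realm's userinfo endpoint with the access token; if the `groups` claim is missing or carries `/admin`, the `Require claim` lines will never match.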