How can I restrict access to my GitLab instance to certain OIDC SSO groups created with Keycloak?

I have a GitLab instance where we can sign in via SSO with Keycloak using OIDC (OmniAuth), which works perfectly.

I have a Keycloak instance accessible via a URL that allows me to manage groups, users…

I would like to restrict access to my GitLab instance to certain groups present in my Keycloak. How can I do that?

I have already tried to create roles by assigning them to groups. I have also tried to add policies to my client by adding groups that should have no access, but it does not restrict access.

I tried to follow the exchanges on the following pages:

But following what it says, I don’t have the desired result.

If someone has an idea, thanks in advance.

Here is my configuration for my client:

Should I use a flow?