How to Restrict Token Generation Based on User-Client Access in Keycloak


We have multiple clients set up in a Keycloak realm (e.g., app-A, app-B, app-C) and several users with varying access levels to these apps. For instance, user x3 has access to app-B but not to app-A.

I’ve noticed that even if a user doesn’t have access to a specific client (like user x3 with app-A), they are still able to generate an access token for that client using the token endpoint. This token, of course, doesn’t grant them access to the client’s resources due to the lack of appropriate roles, but I would prefer if the token request itself was rejected with a “HTTP 403 Forbidden” response in such cases.

Question: Is there a way in Keycloak to validate the user’s access to a client before the token is generated? Essentially, I want to prevent users from even obtaining a token for clients they don’t have access to with a “Forbidden” error right away.

I appreciate any insights or guidance on how to configure or customise Keycloak to achieve this behaviour.


1 Like

Hi @amitoj,
I answered this question in the past, so please refer to the following link for details:
:point_right: Client Display Based on Role

I was mentioning in that question that I do not recommend using the IdP as the PEP. The app, API, or API Gateway can act as the PEP based on the token information

1 Like

Thanks @embesozzi, this is very helpful.