We have multiple clients set up in a Keycloak realm (e.g., app-A, app-B, app-C) and several users with varying access levels to these apps. For instance, user x3 has access to app-B but not to app-A.
I’ve noticed that even if a user doesn’t have access to a specific client (like user x3 with app-A), they are still able to generate an access token for that client using the token endpoint. This token, of course, doesn’t grant them access to the client’s resources due to the lack of appropriate roles, but I would prefer if the token request itself was rejected with an “HTTP 403 Forbidden” response in such cases.
Question: Is there a way in Keycloak to validate the user’s access to a client before the token is generated? Essentially, I want to prevent users from even obtaining a token for clients they don’t have access to with a “Forbidden” error right away.
I appreciate any insights or guidance on how to configure or customise Keycloak to achieve this behaviour.