Keycloak authorization

Hi to all, I’m trying to test the authorization process on Keycloak on an OpenID Connect client.
I’ve enabled the authorization and associated a simple permission on a resource (/*) with a related policy that authorizes only one user to that resource. Well, if I test the policy with the evaluate function and I try two different users, the only one that is authorized is OK, the other one is not. So it seems that the authorization process works fine.

After this I tested the client with an external provider like https://oidcdebugger.com. At this point I retrieve the JSON token for both users after authentication, when I expected the user not included in the policy to not get in… Am I missing something?

I am currently in the same (or similar) boat. If I deny a user access to a client based on a group, I expect Keycloak to block the authentication. But instead Keycloak leaves that to the application (by providing this information to the SP application).

I can understand the design concept of it. And it may be right in that regard. But I don’t find it logical. And I even can’t find a good workaround. The only workaround I found requires users to re-authenticate for a login attempt.

Here are some links
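Since both posts come down to the same point, that Keycloak issues the token and leaves enforcement to the application, here is an added example (not from either poster or from the Keycloak project) of the application-side check. It assumes the app has already exchanged the user's access token for an RPT at the token endpoint (grant_type=urn:ietf:params:oauth:grant-type:uma-ticket), verified the JWT signature, and decoded the claims; the token payloads and resource id below are constructed.

```python
from typing import Any, Dict, List, Optional

# Constructed sample: decoded claims of a Keycloak RPT (requesting party token) for the
# one user the policy authorizes. The "authorization" claim carries the granted permissions.
RPT_ALLOWED_USER: Dict[str, Any] = {
    "sub": "user-a",
    "aud": "my-client",
    "authorization": {
        "permissions": [
            {"rsid": "constructed-resource-id", "rsname": "/*", "scopes": ["view"]}
        ]
    },
}

# Constructed sample for the user the policy rejects: the uma-ticket request is refused
# (HTTP 403), so the app is left with the plain access token, which has no "authorization" claim.
# Authentication still succeeded, which is exactly what both posters observed.
TOKEN_DENIED_USER: Dict[str, Any] = {"sub": "user-b", "aud": "my-client"}


def granted_permissions(claims: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Permission entries from the RPT's authorization claim; empty for a plain access token."""
    return claims.get("authorization", {}).get("permissions", [])


def is_permitted(claims: Dict[str, Any], resource_name: str, scope: Optional[str] = None) -> bool:
    """Application-side enforcement: allow only if the signature-verified token grants the
    resource (and scope, when one is requested). Keycloak does not block the login itself;
    this check is what actually keeps the unauthorized user out of the protected path."""
    for perm in granted_permissions(claims):
        if perm.get("rsname") != resource_name:
            continue
        granted_scopes = perm.get("scopes")
        # Assumption used here: an entry with no "scopes" list is treated as granting the
        # whole resource, so only a scope-specific request can be narrowed by it.
        if scope is None or not granted_scopes or scope in granted_scopes:
            return True
    return False


def decide(claims: Dict[str, Any], resource_name: str, scope: Optional[str] = None) -> int:
    """HTTP status the app should answer with: 200 when permitted, 403 otherwise."""
    return 200 if is_permitted(claims, resource_name, scope) else 403
```

Seen this way, the "workaround" of re-authenticating is unnecessary: the user in the rejected group logs in, but every request the app guards with decide() answers 403.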
