Limit access to Clients with group (or something else)

I have an application that uses OIDC. I created a client and everything is working normally; I can log in with the users.
Now, I want to restrict access to certain groups, but I would like the filtering to be handled at the Keycloak level, not in the application using the token. That means if a user is not part of the group, Keycloak should not generate a token for them.
So far, I’ve tried many solutions with the help of ChatGPT, but I keep going in circles, and users outside the group are still able to log in.
Has anyone already set this up and tested it?

https://keycloak.discourse.group/search?q=restrict%20access

You can create a new authentication flow and use a custom authenticator like this:
GitHub - Nithe14/keycloak-membership-authenticator: A simple Keycloak Authenticator that checks if the user is a member of one of the provided groups.

Then, override the browser flow for your client. Note that this will restrict access to the client only for the browser flow, so the direct grant flow will still generate a valid access_token.
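For readers who want to see what such a flow step looks like, here is an added example of a group-membership authenticator written against the Keycloak Authenticator SPI; it is not the linked project's code. The config key "groups" and the class name are assumptions, and it matches on the group's name, not its full path.

```java
import java.util.Arrays;
import java.util.Set;
import java.util.stream.Collectors;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

// Hypothetical flow step: placed after the username/password steps of a copied
// browser flow, it lets the login continue only if the user is in one of the
// groups listed (comma-separated) under the step's config key "groups".
public class GroupMembershipAuthenticator implements Authenticator {
    static final String GROUPS_CONFIG_KEY = "groups"; // key name is an assumption

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        Set<String> allowed = allowedGroups(context);
        if (user == null || allowed.isEmpty()) {
            // No authenticated user yet, or the step was left unconfigured: fail closed.
            context.failure(AuthenticationFlowError.INTERNAL_ERROR);
            return;
        }
        boolean member = user.getGroupsStream()
                .map(GroupModel::getName)
                .anyMatch(allowed::contains);
        if (member) {
            context.success();
        } else {
            // The flow stops here, so Keycloak issues no token for this login.
            context.failure(AuthenticationFlowError.ACCESS_DENIED);
        }
    }

    private static Set<String> allowedGroups(AuthenticationFlowContext context) {
        if (context.getAuthenticatorConfig() == null) return Set.of();
        String raw = context.getAuthenticatorConfig().getConfig().getOrDefault(GROUPS_CONFIG_KEY, "");
        return Arrays.stream(raw.split(","))
                .map(String::trim).filter(s -> !s.isEmpty())
                .collect(Collectors.toSet());
    }
    @Override public void action(AuthenticationFlowContext context) { authenticate(context); }
    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Deploying it also needs an AuthenticatorFactory plus a META-INF/services registration, and the new flow must be bound as the client's browser flow override. As the reply above notes, this only guards flows the step is part of; direct grant is unaffected unless that flow is overridden too.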

I think your approach is flawed:

A login in Keycloak is always on the realm, and then you get a token (that is why it is called SSO). So any ‘filtering’ on the login side (besides just having only allowed users, e.g. via LDAP filtering in the realm) has many ways to get circumvented. The relying party (=client) needs to apply that filtering anyway, so do it now.
