OpenId and authorization


I’m new to the world of SSO. I’m working on migrating to Keycloak. Everything works fine, all accounts are transferred, but I think I missed something about the authorization flow for users.

I created a policy, and it’s working fine with the evaluate tool. But I can connect through the login page even if the user doesn’t match the policy.

For the connection I use:

"/protocol/openid-connect/auth" + "?client_id=" + client_id + "&response_type=code" + "&scope=openid" + "&redirect_uri=" + redirect_uri

I think I’m missing something but I can’t find what it is.

Or do I need to block access with the result of the JWT?

The authentication is completely separated from authorization. Two different things.
OIDC is about authN, not authZ.
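To illustrate the separation the reply describes, here is an added example (not code from the thread or from Keycloak): the application first verifies the token it received after login (authentication), then makes its own, separate decision on the verified claims (authorization). The issuer, client_id and shared secret are constructed values; a real Keycloak realm signs with RS256 and you would verify against the realm's JWKS instead of the HS256 secret used here to keep the example offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values: Keycloak normally signs with RS256 (verify against the realm JWKS);
# HS256 with a shared secret is used here only so the example runs without a server.
DEMO_SECRET = b"demo-shared-secret-not-for-production"
EXPECTED_ISSUER = "https://keycloak.example/realms/demo"   # assumed realm issuer URL
EXPECTED_AUDIENCE = "my-client"                             # assumed client_id

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict) -> str:
    """Build a compact HS256 JWT; stands in for the token Keycloak would issue after login."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def authenticate(token: str, now=None) -> dict:
    """Step 1 (authN): prove the token is genuine and current. Returns the verified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust the alg the token asks for
    expected = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong issuer or audience")
    return claims

def authorize(claims: dict, required_role: str) -> bool:
    """Step 2 (authZ): a separate decision the application makes on the verified claims.
    Keycloak lists realm roles under realm_access.roles; a successful login alone grants nothing."""
    roles = claims.get("realm_access", {}).get("roles", [])
    return required_role in roles
```

A valid login therefore only gets you past authenticate(); whether the user may see a page is decided by authorize(), which is where a policy like the one in the question has to be enforced by the application (or by a resource server in front of it).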

Can a group policy be applied for the Client in Keycloak to restrict access?

E.g. Only allow lastName=Smith access