OpenId and authorization

Hello,

I’m new to the world of SSO. I’m working on migrating to Keycloak. Everything works fine, all accounts are transferred, but I think I’m missing something about the authorization flow for users.

I created a policy, and it’s working fine with the evaluate tool. But I can connect with the login page even if the user doesn’t match the policy.

For the connection I use:

"/protocol/openid-connect/auth" + "?client_id=" + client_id + "&response_type=code" + "&scope=openid&redirect_uri=" + redirect_uri

I think I’m missing something but I can’t find what it is.

Or do I need to block access based on the result of the JWT?

The authentication is completely separated from authorization. Two different things.
OIDC is about authN, not authZ.


Can a group policy be applied for the Client in Keycloak to restrict access?

E.g. Only allow lastName=Smith access

Hi Vincent,

Were you able to get a solution?

I have the same issue. I created resources, policies and permissions. The evaluate tab in Authorization gives me correct results - PERMIT/DENY based on my policies and permissions.

But the same doesn’t work in Kibana. There, all the users in the realm are able to log in. Authorization is not being applied.

Thanks

Hi, I did two-step authentication:

  • first the user logs in
  • afterwards, we test the policy.

If it’s not good, we disconnect the user.
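The second step of that approach, as an added example that is not code from this thread or from Keycloak itself: after the user has logged in through the code flow, ask Keycloak's token endpoint for a permission decision (Authorization Services must be enabled on the client) and, on DENY, send the user to the logout endpoint. The base URL, realm, client id, resource name and the RP-initiated logout endpoint are assumptions.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumption: newer Keycloak serves realms at /realms/<realm>;
# older releases add an /auth prefix to the base URL.
def decision_request(base_url, realm, client_id, access_token, permission):
    """Build the UMA decision request for Keycloak's token endpoint.
    response_mode=decision makes Keycloak answer {"result": true} on PERMIT
    and an access_denied error on DENY instead of issuing an RPT."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
        "audience": client_id,
        "permission": permission,   # resource name, e.g. "Default Resource" (placeholder)
        "response_mode": "decision",
    }).encode()
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return url, body, headers

def permitted(status, body):
    """Fail closed: only HTTP 200 with {"result": true} counts as PERMIT."""
    if status != 200:
        return False
    try:
        return json.loads(body).get("result") is True
    except (ValueError, AttributeError):
        return False

def evaluate(base_url, realm, client_id, access_token, permission,
             opener=urllib.request.urlopen):
    """Ask Keycloak for the decision; 'opener' is injectable so the logic
    can be exercised without a running server."""
    url, body, headers = decision_request(base_url, realm, client_id,
                                          access_token, permission)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with opener(req) as resp:
            return permitted(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:   # Keycloak answers 403 on DENY
        return permitted(err.code, err.read().decode())

def logout_url(base_url, realm, id_token, post_logout_redirect_uri):
    """RP-initiated logout: where to send a user whose session must be ended
    because the policy evaluated to DENY."""
    query = urllib.parse.urlencode({"id_token_hint": id_token,
                                    "post_logout_redirect_uri": post_logout_redirect_uri})
    return f"{base_url}/realms/{realm}/protocol/openid-connect/logout?{query}"
```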