Restrict login to specific group for one client

Hi - I am currently trying to limit the possibility to log in to specific groups for one client. I set this up a couple of versions ago, but I cannot get it working again. From the posts concerning this topic I can see that more users are struggling with this task, and I wonder if something has changed here in the last versions? I am currently using KC 21.1.1 but could probably update to the most current version if this was a regression.

This is frequently asked…
Restricting access to a client is normally not in scope, or not in the responsibility, of an authentication provider, as this is authorization, not authentication. It's in the responsibility of the clients (applications)!
However, there are approaches like GitHub - sventorben/keycloak-restrict-client-auth: A Keycloak authenticator to restrict authorization on clients. But this is more convenience than real security.
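What enforcing this in the client application can look like, as an added example that is not from this thread or from Keycloak. It assumes the application's OIDC library has already verified the ID token's signature and issuer, and that a Group Membership mapper with full group paths writes a `groups` claim; `billing-app`, the group names and the function names are made up.

```python
import time


def in_group(path, allowed):
    # Match the allowed group itself or one of its subgroups. Comparing on the
    # "/" boundary keeps "/staff/admins-temp" from matching "/staff/admins".
    return path == allowed or path.startswith(allowed + "/")


def authorize(claims, client_id, allowed_groups, now=None):
    """Decide access from the claims of an already verified ID token.

    Returns (allowed, reason) and fails closed on anything missing or malformed.
    """
    now = time.time() if now is None else now

    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired or missing exp"

    # "aud" may be a single string or a list of strings.
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else aud
    if not isinstance(aud, list) or client_id not in aud:
        return False, "token not issued for this client"

    # No mapper configured means no claim, which must not mean "allow".
    groups = claims.get("groups")
    if not isinstance(groups, list):
        return False, "groups claim missing"

    for g in groups:
        if isinstance(g, str) and any(in_group(g, a) for a in allowed_groups):
            return True, "member of " + g
    return False, "not in an allowed group"


if __name__ == "__main__":
    # Constructed sample claims, not taken from a real token.
    sample = {"exp": 2000, "aud": "billing-app",
              "groups": ["/staff/admins/oncall", "/everyone"]}
    print(authorize(sample, "billing-app", ["/staff/admins"], now=1000))
    sample["groups"] = ["/staff/admins-temp"]
    print(authorize(sample, "billing-app", ["/staff/admins"], now=1000))
```

Treating subgroup members as members of the parent is a policy choice made here; use exact matching in `in_group` if only direct membership should count.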

I agree 100%, the IdP is not a PEP.


Ok - I can understand (and agree with) this. What bothers me is that I am quite sure that this used to work in an older version. But then I have to live with it unless I can change the behavior of the application I am trying to get working.

For further reading, there have been some discussions on this in the past:
