Restrict users for different clients

Hello there!
I've come across one use case and haven't found a solution yet.
The problem is: I have two separate front-end applications with different URLs and clients, but both of them (and also the back-end services) use the same realm. All users are stored in one realm. One of these front-end services creates users, and I can choose which application the user will be created for. For example, if I chose service A for a user, that means the user will be able to log in only to service A; the same for service B.
My question is: how do I implement linking clients and users (or maybe groups of users)? Is that possible at all? I still want to use only one realm for my services.

I've seen this answer many times, but I'm not sure: is it good only for one client, or is it also useful advice for my case?

Yes, I haven't mentioned it: I could just authenticate users on my back-end service using the Keycloak Java adapter by getting the credentials and giving the token to the front-end, but I still need a solution using Keycloak as well.

I cannot give you a straightforward answer; however, I think I can point you in a direction that you can dig into a little deeper.
In the Authentication section of the Keycloak admin console, you can copy the Browser flow (maybe Direct Grant as well) and add an extra execution (before or after user validation). If the built-in executions are not good enough for you, you can check the script execution (mind that you need to enable it when building Keycloak).

Then, with the new Browser flow, you can go to your client and set it as its Browser flow:
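
As an added example of the script execution suggested in the answer above (this is not code from the thread or from the Keycloak project), here is a Keycloak script authenticator that fails the login unless the requesting client's ID is listed in a user attribute. The attribute name `allowed-clients` and the client IDs `service-a` / `service-b` are assumptions; the user-creating front-end would set that attribute through the admin API when it picks the target application. The globals `user`, `authenticationSession`, `script`, `LOG` and `Java` are the bindings Keycloak's script engine provides at runtime; the decision logic itself is plain JavaScript so it can be unit-tested outside Keycloak.

```javascript
// Added example, not from the original thread or the Keycloak project.
// Keycloak script authenticator: deny the login unless the client that started
// the authentication session is named in the user's "allowed-clients" attribute.
// ALLOWED_CLIENTS_ATTR is a hypothetical attribute name; the client IDs used in
// the tests ("service-a", "service-b") are constructed sample values.

var ALLOWED_CLIENTS_ATTR = "allowed-clients"; // hypothetical user attribute name

// Flatten attribute values such as ["service-a,service-b", " service-c "] into
// ["service-a", "service-b", "service-c"]. Accepts null/undefined.
function normalizeAllowedClients(values) {
  var result = [];
  if (!values) {
    return result;
  }
  for (var i = 0; i < values.length; i++) {
    var parts = String(values[i]).split(",");
    for (var j = 0; j < parts.length; j++) {
      var v = parts[j].trim();
      if (v !== "") {
        result.push(v);
      }
    }
  }
  return result;
}

// Pure decision: true only when clientId is explicitly listed. A user with no
// attribute at all is denied everywhere (fail closed), so forgetting to tag a
// user never silently grants access to both services.
function isClientAllowed(values, clientId) {
  if (!clientId) {
    return false;
  }
  return normalizeAllowedClients(values).indexOf(String(clientId)) !== -1;
}

// Entry point Keycloak calls for the "Script" execution in the copied Browser
// (or Direct Grant) flow. Everything Keycloak-specific is confined to this function.
function authenticate(context) {
  var AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
  var clientId = authenticationSession.getClient().getClientId();

  // user.getAttributes() is a java.util.Map<String, List<String>>; copy the Java
  // list into a plain JS array so the decision logic above stays engine-independent.
  var javaValues = user.getAttributes().get(ALLOWED_CLIENTS_ATTR);
  var values = [];
  if (javaValues !== null && javaValues !== undefined) {
    for (var i = 0; i < javaValues.size(); i++) {
      values.push(String(javaValues.get(i)));
    }
  }

  if (!isClientAllowed(values, clientId)) {
    LOG.warn(script.name + ": user " + user.username +
             " is not allowed to log in to client " + clientId);
    context.failure(AuthenticationFlowError.ACCESS_DENIED);
    return;
  }
  context.success();
}
```

Place the execution after the Username Password Form step (set to REQUIRED) in the copied flow and bind that flow to both clients, or make it the realm's default browser flow; if the front-ends also use the password grant, add the same execution to a copied Direct Grant flow, otherwise that path bypasses the check. Script authenticators are a preview feature that has to be enabled when Keycloak is built (`scripts` feature), and depending on the version they are deployed as a JAR with a `META-INF/keycloak-scripts.json` descriptor rather than pasted into the admin console. The check runs after the password is verified, so a user tagged only for service A still authenticates correctly but is refused at service B instead of being issued a token there.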


You can use the Keycloak Authorization Services to achieve that by adding custom policies on resources:

This is a powerful, advanced feature of Keycloak

Thanks, are the Authorization Services available with a SAML client?

I never used a SAML client in Keycloak, but I don't think so.