Role/group-based authentication not working for users authenticated by external IdPs (Azure AD, GitHub, etc.)

I am trying to achieve the following:

  • Restrict access to clients in a realm only to a bunch of users (either by using groups, roles, or any other method).

I have tried these approaches:

  1. Using Authentication Flows:
    I followed the approach mentioned at https://stackoverflow.com/a/68509979 (although the method is only for admin access, I modified it for users with a particular role).

    Updated the client settings to use the above authentication flow.

    I created a user (let's name it access_user for the sake of this discussion) and manually mapped it to the role realm-access-only (which I had configured in the authentication flow as above); both were username/password-based users which I created from the Keycloak console. I created another user (named no_access_user) who wasn't mapped to the role. access_user was able to log in to the client, whereas no_access_user wasn't able to log in to the client, as expected.
    But the users who were authenticated with external IdPs like Azure AD and GitHub were also able to log in to the client, even though they weren't mapped to the realm-access-only role.

Any help here appreciated.

Thanks,
Mohammed Adain
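Added example, not part of the post above and not Keycloak's own code: whichever way a user authenticated at Keycloak (local password, Azure AD, GitHub), the access token Keycloak issues carries the realm roles in the `realm_access.roles` claim. Checking that claim at the client/resource server is a second gate that does not depend on which authentication flow ran, so a brokered user who was let through the browser flow but lacks the role is still refused. The role name `realm-access-only`, the client id `my-client`, the issuer URL, the three constructed users and the HS256 shared secret are all assumptions made so that the example runs offline with the standard library only; real Keycloak tokens are RS256-signed and must be verified against the realm's JWKS instead, and the client id only appears in `aud` when an audience mapper adds it.

```python
"""Resource-server-side role check on a Keycloak-style access token.

Constructed, stand-alone example. HS256 with a shared secret stands in for
Keycloak's RS256 realm key so that the check runs with the stdlib only.
"""
import base64
import hashlib
import hmac
import json
import time

REQUIRED_ROLE = "realm-access-only"                     # assumed role name
EXPECTED_ISS = "https://keycloak.example/realms/demo"   # assumed realm issuer
EXPECTED_AUD = "my-client"                              # assumed client id
SECRET = b"constructed-test-secret"                     # stand-in for the realm key
NOW = 1_700_000_000                                     # fixed clock for the constructed tokens


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build an HS256 JWT for a constructed user (what Keycloak would issue)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_and_authorize(token: str, secret: bytes = SECRET, now=None) -> tuple:
    """Return (allowed, reason). Signature, issuer, audience and expiry are
    checked before the role so an unsigned or foreign token can never pass."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64, bad JSON
        return False, "malformed token"
    # Pin the algorithm: never let the token choose 'none' or a different scheme.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    try:
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:
        return False, "malformed claims"
    if claims.get("iss") != EXPECTED_ISS:
        return False, "wrong issuer"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUD not in aud:
        return False, "wrong audience"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    roles = claims.get("realm_access", {}).get("roles", [])
    if REQUIRED_ROLE not in roles:
        return False, f"missing role {REQUIRED_ROLE}"
    return True, "ok"


def _claims(sub: str, roles: list) -> dict:
    return {"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": sub,
            "iat": NOW, "exp": NOW + 300, "realm_access": {"roles": roles}}


# Constructed users mirroring the post: a local user with the role, a local
# user without it, and a user brokered from GitHub who also lacks the role.
USERS = {
    "access_user": _claims("access_user", ["realm-access-only", "offline_access"]),
    "no_access_user": _claims("no_access_user", ["offline_access"]),
    "github_user": _claims("github_user", ["offline_access"]),
}


def demo() -> dict:
    """Authorize each constructed user's token; returns {name: (allowed, reason)}."""
    return {name: verify_and_authorize(make_token(c), now=NOW) for name, c in USERS.items()}


def tampered_token() -> str:
    """no_access_user's token with the role spliced into the payload but the
    original signature kept; the signature check must reject it."""
    header_b64, _, sig_b64 = make_token(USERS["no_access_user"]).split(".")
    forged = dict(USERS["no_access_user"])
    forged["realm_access"] = {"roles": [REQUIRED_ROLE]}
    body_b64 = _b64url(json.dumps(forged, separators=(",", ":")).encode())
    return f"{header_b64}.{body_b64}.{sig_b64}"


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} -> {result}")
    print("tampered        ->", verify_and_authorize(tampered_token(), now=NOW))
```

The order of checks matters: the role is read only after the signature, issuer, audience and expiry have been validated, so a token minted by some other issuer, or one whose payload was edited to add the role, is rejected before the role claim is ever trusted.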