User grouping for multiple web applications

Hello,

I have deployed Keycloak and oauth2 in my Kubernetes cluster. Also, I want to protect my 2 web applications with Keycloak, so I have installed 2 applications, and NGINX ingress is used to redirect the request to the Keycloak login page. I want to restrict which applications my users can access. For example, user1 can access app1 but not app2, user2 can access both applications, and user3 can access app2 but not app1. I have created 3 separate groups and added users to them. But none of the users is able to log in to the application if I don't add an email address to their profile. But if I add an email address, all users can log in to all applications. Can somebody help me find what configuration I got wrong?

Adding my oauth2 env variables:

- args:
  - --provider=oidc
  - --email-domain=*
  - --upstream=file:///dev/null
  - --http-address=0.0.0.0:4180
  # Register a new application
  env:
  - name: OAUTH2_PROXY_OIDC_ISSUER_URL
    value: http://192.24.89.227:8080/realms/local
  - name: OAUTH2_PROXY_REDIRECT_URL
    value: https://domain-test.com/oauth2/callback
  - name: OAUTH2_PROXY_CLIENT_ID
    value: gatekeeper
  - name: OAUTH2_PROXY_CLIENT_SECRET
    value: RjU60ILJdvcX7Lj1Nwb
  - name: OAUTH2_PROXY_COOKIE_SECRET
    value: GKNuz-mmMK4PONLK7wJ
  - name: OAUTH2_PROXY_UPSTREAM
    # a YAML mapping cannot carry two "value" keys (the original listed both
    # upstreams as separate "value" lines); both are kept here in one comma-separated value
    value: https://domain-test.com,https://anotherdomain-test.com
  - name: OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY
    value: "true"
  - name: OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL
    value: "true"
  - name: OAUTH2_PROXY_PASS_AUTHORIZATION_HEADER
    value: "true"
  - name: OAUTH2_PROXY_SSL_UPSTREAM_INSECURE_SKIP_VERIFY
    value: "true"
  - name: OAUTH2_PROXY_GROUPS_CLAIM
    value: groups
  - name: OAUTH2_PROXY_ALLOWED_GROUPS
    value: my-app
  - name: OAUTH2_PROXY_SKIP_PROVIDER_BUTTON
    value: "true"
  - name: OAUTH2_PROXY_SET_AUTHORIZATION_HEADER
    value: "true"

I have tried the steps mentioned in the Stack Overflow page below, but it didn't help.

stackoverflow

I have been trying to fix this for a long time, so can somebody help me here?
Thanks in advance.


I am looking for a solution similar to what @arsh is asking for. I have 2 applications installed as follows:

  1. https://mydomain-test.com => Grafana installed
  2. https://mydomain-test.com/airflow => Airflow installed

UserA wants to log in to only Grafana and UserB can log in to only Airflow. Is this possible with Keycloak?
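Both posts describe the same shape of setup: a single oauth2-proxy with one allowed-groups value sitting in front of several applications, so every user who passes that one check reaches every application. The manifest below is an added example, written for this thread and not taken from either poster or from the oauth2-proxy or Keycloak projects, of the usual way to get per-application restriction: one oauth2-proxy Deployment per application, each with its own allowed group, cookie name, proxy prefix and redirect URL, while Keycloak places group membership in the ID token through a Group Membership mapper on the client. The Keycloak host, realm and client names, group names, Secret name and upstream Service addresses are assumed placeholders. It covers @arsh's case (user2 reaches both apps by being a member of both Keycloak groups) and the Grafana/Airflow layout of the second post, where the second app lives under a path prefix on the same host.

```yaml
# Added example (not the posters' manifest): one oauth2-proxy per protected app.
# Assumed Keycloak side: realm "local" at https://keycloak.example.test, client
# "gatekeeper" with a "Group Membership" mapper that adds a "groups" claim to the
# ID token with "Full group path" turned OFF (with it on, the claim carries
# "/grafana-users" and --allowed-group=grafana-users never matches).
# Assumed Keycloak groups:
#   grafana-users -> user1, user2
#   airflow-users -> user2, user3
# Every user also needs an email address in Keycloak: with --provider=oidc the
# proxy takes the user's identity from the email claim.
apiVersion: v1
kind: Secret
metadata:
  name: oauth2-proxy-creds        # placeholder; keep secrets out of the Deployment spec
type: Opaque
stringData:
  client-secret: "<client secret from the Keycloak client>"
  cookie-secret: "<16, 24 or 32 random bytes, base64-encoded>"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy-grafana
spec:
  replicas: 1
  selector:
    matchLabels: {app: oauth2-proxy-grafana}
  template:
    metadata:
      labels: {app: oauth2-proxy-grafana}
    spec:
      containers:
      - name: oauth2-proxy
        image: quay.io/oauth2-proxy/oauth2-proxy:<pinned release>
        args:
        - --provider=oidc
        - --oidc-issuer-url=https://keycloak.example.test/realms/local   # TLS, not plain http
        - --client-id=gatekeeper
        - --redirect-url=https://mydomain-test.com/oauth2/callback
        - --email-domain=*
        - --oidc-groups-claim=groups
        - --allowed-group=grafana-users        # only members of this group reach Grafana
        - --cookie-name=_oauth2_proxy_grafana  # distinct cookie per proxy on a shared host
        - --upstream=http://grafana.monitoring.svc:3000   # placeholder Service address
        - --http-address=0.0.0.0:4180
        env:
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom: {secretKeyRef: {name: oauth2-proxy-creds, key: client-secret}}
        - name: OAUTH2_PROXY_COOKIE_SECRET
          valueFrom: {secretKeyRef: {name: oauth2-proxy-creds, key: cookie-secret}}
        ports:
        - containerPort: 4180
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy-airflow
spec:
  replicas: 1
  selector:
    matchLabels: {app: oauth2-proxy-airflow}
  template:
    metadata:
      labels: {app: oauth2-proxy-airflow}
    spec:
      containers:
      - name: oauth2-proxy
        image: quay.io/oauth2-proxy/oauth2-proxy:<pinned release>
        args:
        - --provider=oidc
        - --oidc-issuer-url=https://keycloak.example.test/realms/local
        - --client-id=gatekeeper
        - --proxy-prefix=/airflow/oauth2       # app lives under /airflow on the same host
        - --redirect-url=https://mydomain-test.com/airflow/oauth2/callback
        - --email-domain=*
        - --oidc-groups-claim=groups
        - --allowed-group=airflow-users        # only members of this group reach Airflow
        - --cookie-name=_oauth2_proxy_airflow
        - --upstream=http://airflow-webserver.airflow.svc:8080   # placeholder Service address
        - --http-address=0.0.0.0:4180
        env:
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom: {secretKeyRef: {name: oauth2-proxy-creds, key: client-secret}}
        - name: OAUTH2_PROXY_COOKIE_SECRET
          valueFrom: {secretKeyRef: {name: oauth2-proxy-creds, key: cookie-secret}}
        ports:
        - containerPort: 4180
```

Each Deployment still needs its own Service, and each application's Ingress points its `nginx.ingress.kubernetes.io/auth-url` and `auth-signin` annotations at that application's proxy rather than at a shared one; both redirect URLs must be registered as Valid Redirect URIs on the `gatekeeper` client in Keycloak. With this split, a user who is in neither group is refused by both proxies, user1 and user3 each get exactly one application, and user2 gets both without any change to the proxies themselves. The example also drops the two `INSECURE_SKIP_VERIFY` settings from the original snippet and talks to Keycloak over HTTPS, so a spoofed issuer cannot hand the proxy a forged token.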