Validating access to applications for users authenticated on an external identity provider

Hello,

We set up an external identity provider for a Keycloak realm on our local instance. In this external provider there are thousands of users, but only a few of them should have access to one of our applications.

Our current flow is the following: the user wants to log in to our application, and she then gets redirected to the external identity provider to enter her credentials. When authenticated, the user is redirected to our application and has access to it.
The problem here is that all users from the external provider can access our applications.

We know that the external provider administrators have somewhat limited access, so that only a set of users is allowed access to our application. However, we don’t know how Keycloak is supposed to check whether a user authenticated on the external provider is allowed to be imported into our Keycloak realm.

We are really confused by that and we would like some guidance, so that we know whether we have to configure something special in Keycloak or add some specific checks at the application level.

Thanks for your help!

You are falling into the authentication vs. authorization trap.
Your app should check for a role that can be set for the user (either via some claims from the external IdP or manually in the realm administration, depending on your workflow) to authorize the access.

Indeed, it seems we fell into this trap head first… For other readers, this link describes the differences.

In our case, we don’t want to do any manual action, and we let the external IdP administrators select who should have access to our applications. So if I understand correctly, in order to automate the authorization on our side we have to add a mapper in Keycloak that looks for a given claim in the ID token received during authentication with the external IdP, and maps it (or not) to a claim that will then be checked by our applications.

Is that correct?