I need to set up Keycloak so that users can only access specific applications if they have proper permissions for those apps.
I’m migrating from an old SSO system that worked differently than Keycloak. In the previous system, users needed both a regular user account AND a separate “application account” to log into each specific application. Users could only access an application if they had this special account created for that particular app.
Right now in Keycloak, any user in a realm can automatically log into any client in that same realm. There’s no extra step needed. But I need to add this extra layer of control like the old system had.
What’s the best way to add this kind of access control in Keycloak?
I thought about creating a special role called “AccessGranted” for each client and only giving it to users who should have access. Then I could check for this role before allowing login. But this approach has problems:
- It mixes up authentication with authorization concepts
- I would need to modify code in multiple applications written in different programming languages, which seems like a lot of work
Is there a better way to handle this in Keycloak itself rather than changing all my client applications?
Use Keycloak’s authorization services with resource-based permissions instead of changing your client code. Create a resource for each app in your authorization settings, then set up policies controlling which users can access what. This keeps all access control logic in Keycloak instead of spread across your apps. Configure the authorization flow to auto-deny access when users don’t have the right resource permission - basically recreates your old application account setup. Your existing apps just need to validate the token since Keycloak handles access decisions before issuing tokens. I’ve done this successfully when migrating legacy SSO systems with similar needs.
Had this exact issue when we migrated from legacy SSO to Keycloak last year. Here’s what worked: use group-based access control with Keycloak’s client mappers. Make dedicated groups for each app instead of roles, then set up protocol mappers on each client to only include specific group memberships in tokens. Configure your clients to validate these group claims during auth. This keeps everything centralized in Keycloak without major code changes across your apps. The trick is getting the token mappers right - users without the right group membership get tokens your apps will reject. Way simpler than authorization services for basic access control and basically recreates your old application account setup.
Check out client scopes with authorization policies - much cleaner than role workarounds. Configure required scopes per client and Keycloak handles access control automatically without touching your app code. Perfect for migration scenarios like yours.