I’m trying to figure out how to set up Keycloak so that users need a specific association with a client before they can log in. Right now, any user in a realm can access all clients, but I need to limit access based on user-client relationships.
I thought about creating a client role called “Authorized” and assigning it to users who should have access. Then I could check for this role during login. But this approach has some issues:
- It mixes authentication and authorization.
- I’d have to add extra checks in multiple client apps using different programming languages.
Is there a better way to handle this in Keycloak? Maybe some built-in feature or configuration option I’m overlooking?
I want to keep the single sign-on functionality. The goal is just to let admins control which users can access which clients without requiring multiple logins.
Any suggestions on how to implement this user-client association concept in Keycloak would be really helpful. Thanks!
In my experience, a solution that worked well was to avoid mixing authentication with authorization by utilizing Keycloak’s group feature along with client scopes. I set up a separate group for each client and assigned the corresponding users to that group. Then I used a custom client scope to evaluate the group membership during authentication. This route neatly separates concerns, maintains single sign-on, and keeps the application code clean by offloading the access control checks to Keycloak. Crafting the client scope script was challenging initially, but once established, it proved very effective in controlling access.
hey, have u considered using group-based access control? u could create groups for each client and assign users to those groups. then use group membership protocol mapper to check during auth. it keeps sso intact and doesn’t need changes in ur apps. plus, it’s easier for admins to manage access. just my 2 cents!
Having dealt with similar requirements, I’d recommend leveraging Keycloak’s Protocol Mappers. You can create a custom mapper that checks for a specific attribute or group membership during the authentication process. This approach keeps the logic centralized within Keycloak and doesn’t require changes to your client applications.
To implement this, you’d first set up the necessary attributes or groups for users. Then, create a custom Protocol Mapper using JavaScript to evaluate these during token issuance. If the user doesn’t meet the criteria, the mapper can either exclude certain claims or return an error, effectively denying access.
This method maintains SSO functionality while giving admins granular control over user-client associations. It’s more scalable and easier to manage than client-side role checks, especially when dealing with multiple clients across different technologies.
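As an added illustration of the group-per-client approach described in the answers above (this is example code, not from the thread or from the Keycloak project), here is an OIDC script mapper that emits a boolean claim when the user belongs to the group dedicated to the requesting client. It assumes the convention of one group per client at the path /clients/<clientId>, and that Keycloak binds the `user` and `keycloakSession` variables as documented for script mappers; the decision logic is kept in a plain function so it can be tested outside Keycloak.

```javascript
// Added example (not part of the original thread). Keycloak OIDC script mapper
// that sets the claim "client_authorized" to true when the user is a member of
// the group dedicated to the client requesting the token.
// Assumed convention: one group per client at /clients/<clientId>; membership
// in a subgroup (e.g. /clients/billing-app/admins) also counts.
// Script mappers require the "scripts" feature and deployment as a provider JAR.

// Pure decision logic, separated from Keycloak objects so it can be unit-tested.
function isAuthorizedForClient(groupPaths, clientId) {
  if (!clientId) { return false; }
  var wanted = '/clients/' + clientId;
  for (var i = 0; i < groupPaths.length; i++) {
    var p = groupPaths[i];
    // Exact group or any subgroup beneath it. The trailing "/" avoids prefix
    // collisions such as /clients/billing-app2 matching /clients/billing-app.
    if (p === wanted || p.indexOf(wanted + '/') === 0) {
      return true;
    }
  }
  return false;
}

// Collects full "/parent/child" paths of the user's groups via the UserModel
// and GroupModel APIs (getGroupsStream, getName, getParent).
function userGroupPaths(userModel) {
  var paths = [];
  var it = userModel.getGroupsStream().iterator();
  while (it.hasNext()) {
    var g = it.next();
    var segments = [];
    while (g !== null) {
      segments.unshift(g.getName());
      g = g.getParent(); // null once the top-level group is reached
    }
    paths.push('/' + segments.join('/'));
  }
  return paths;
}

// Keycloak binds `user`, `keycloakSession`, `token`, ... when running the
// mapper; the guard keeps this file loadable as plain JavaScript for testing.
if (typeof user !== 'undefined' && typeof keycloakSession !== 'undefined') {
  var requestingClient = keycloakSession.getContext().getClient();
  var clientId = requestingClient ? requestingClient.getClientId() : null;
  exports = isAuthorizedForClient(userGroupPaths(user), clientId); // claim value
}
```

Note that a mapper only shapes the token; the claim still has to be checked by the application or a gateway in front of it, so the mapper centralizes the decision rather than replacing enforcement.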