How to Restrict User Login to Specific Clients in Keycloak Based on Attributes, Groups, or Roles - Stack Overflow

I have a Keycloak v26 setup with a single realm that contains:

10 users, all of whom currently have access to all clients.
2 clients: client1 and client2.

I want to restrict login access so that only specific users can log in to specific clients.

I saw that I could use authorization but I am using browser login, not client credentials. Authorization exists only for client credentials flow, which I am not using. I need a way to enforce access control during the login process.

So

User A should be able to log in to client1 but not client2.
User B should be able to log in to client2 but not client1.
User C should have access to both clients.
Users without the required permissions should be denied login.

How can I enforce this restriction in Keycloak v26 during browser login?

asked Mar 25 at 10:48 by Ayodeji Erinfolami

1 Answer

To enforce client-specific login restrictions in Keycloak v26 for browser-based logins (e.g., OIDC Authorization Code Flow), you can use client-level role-based access control combined with authorization policies. Here's how to configure this:

Step 1: Create Client-Specific Roles

  1. For client1:

    • Go to Clients → Select client1 → Roles → Add Role.

    • Create a role named client1_access (or similar).

  2. For client2:

    • Repeat the process, creating a role named client2_access.

Step 2: Assign Roles to Users

  1. User A:

    • Go to Users → Select User A → Role Mappings.

    • Assign the client1_access role under client1.

  2. User B:

    • Assign the client2_access role under client2.

  3. User C:

    • Assign both client1_access and client2_access roles.

Step 3: Enable Authorization for Clients

Keycloak’s Authorization Services work for browser logins too. Configure it for each client:

  1. For client1:

    • Go to Clients → client1 → Authorization → Settings.

    • Enable Authorization.

    • Under Authorization Scopes, add a scope (e.g., login).

  2. Repeat for client2.

Step 4: Create Authorization Policies

Policy for client1:

  1. Go to Authorization → Policies → Create.

  2. Policy Type: Role.

  3. Name: client1_access_policy.

  4. Roles: Select client1_access (from the client1 dropdown).

  5. Logic: Positive.

Policy for client2:

  1. Repeat the process for client2_access.

Step 5: Create Authorization Permissions

Permission for client1:

  1. Go to Authorization → Permissions → Create.

  2. Name: client1_login_permission.

  3. Resource Type: Select the login scope (created earlier).

  4. Apply Policy: Select client1_access_policy.

  5. Decision Strategy: Unanimous.

Permission for client2:

  1. Repeat for client2.

Step 6: Test the Setup

  1. User A logs into client1: Allowed.

  2. User A logs into client2: Denied (no client2_access role).

  3. User C logs into both clients: Allowed.
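The following is an added example, not code from the question, the answer or the Keycloak project. It scripts Steps 1 and 2 of the answer (one access role per client, mapped to the right users) through the Keycloak Admin REST API using only the standard library, and adds the Step 6 check a relying party can make on the access token: Keycloak emits client roles under the `resource_access.<clientId>.roles` claim, so each client can refuse a session whose token lacks its own access role even if the server-side policy is misconfigured. The realm name `myrealm`, the usernames `userA`/`userB`/`userC`, the base URL and the admin bearer token (obtained separately, for example via `admin-cli`) are assumptions; `DryRunApi` is an offline stand-in that fabricates UUIDs so the planned calls can be inspected without a server.

```python
"""Per-client login roles in Keycloak via the Admin REST API (added example)."""
import json
import urllib.error
import urllib.parse
import urllib.request

# Intended access matrix from the answer (usernames are constructed for this example).
DESIRED_ACCESS = {"userA": ["client1"], "userB": ["client2"], "userC": ["client1", "client2"]}
# Role name created on each client (Step 1 of the answer).
ACCESS_ROLE = {"client1": "client1_access", "client2": "client2_access"}


class AdminApi:
    """Minimal JSON client for the Keycloak Admin REST API (base URL and token assumed)."""

    def __init__(self, base_url, token):
        self.base_url = base_url.rstrip("/")
        self.token = token

    def _call(self, method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        req.add_header("Authorization", "Bearer " + self.token)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()          # role creation returns 201 with an empty body
        return json.loads(raw) if raw else None

    def get(self, path):
        return self._call("GET", path)

    def post(self, path, body):
        return self._call("POST", path, body)


class DryRunApi:
    """Offline stand-in: records POSTs and answers GETs with fabricated ids."""

    def __init__(self):
        self.posts = []

    def get(self, path):
        if "/clients?clientId=" in path:
            return [{"id": "uuid-" + path.split("=")[-1]}]
        if "/users?username=" in path:
            return [{"id": "u-" + path.split("username=")[-1].split("&")[0]}]
        if "/roles/" in path:
            name = path.rsplit("/", 1)[-1]
            return {"id": "r-" + name, "name": name}
        raise ValueError("unexpected GET " + path)

    def post(self, path, body):
        self.posts.append((path, body))


def configure_client_access(api, realm, desired=DESIRED_ACCESS, role_names=ACCESS_ROLE):
    """Create each client's access role (Step 1) and map it to users (Step 2).

    Returns {username: {clientId: roleName}} so the caller can diff it against
    the intended matrix. The admin API addresses clients and users by internal
    UUID, hence the lookups before every write.
    """
    q = urllib.parse.quote
    realm_path = f"/admin/realms/{q(realm)}"
    client_uuid, role_reps = {}, {}
    for client_id, role_name in role_names.items():
        found = api.get(f"{realm_path}/clients?clientId={q(client_id)}")
        if not found:
            raise LookupError(f"client {client_id!r} not found in realm {realm!r}")
        cid = client_uuid[client_id] = found[0]["id"]
        try:
            api.post(f"{realm_path}/clients/{cid}/roles", {"name": role_name})
        except urllib.error.HTTPError as err:
            if err.code != 409:        # 409 Conflict: role already exists, keep going
                raise
        role_reps[client_id] = api.get(f"{realm_path}/clients/{cid}/roles/{q(role_name)}")

    mapped = {}
    for username, clients in desired.items():
        users = api.get(f"{realm_path}/users?username={q(username)}&exact=true")
        if not users:
            raise LookupError(f"user {username!r} not found in realm {realm!r}")
        uid = users[0]["id"]
        mapped[username] = {}
        for client_id in clients:
            api.post(f"{realm_path}/users/{uid}/role-mappings/clients/{client_uuid[client_id]}",
                     [role_reps[client_id]])
            mapped[username][client_id] = role_reps[client_id]["name"]
    return mapped


def can_login(token_claims, client_id, role_names=ACCESS_ROLE):
    """Relying-party check (Step 6): accept the session only if the access token
    carries this client's access role under resource_access.<clientId>.roles."""
    roles = token_claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return role_names.get(client_id) in roles


if __name__ == "__main__":
    api = DryRunApi()              # swap for AdminApi("https://kc.example/", token) to apply for real
    print(json.dumps(configure_client_access(api, "myrealm"), indent=2))
    for path, body in api.posts:
        print("POST", path, json.dumps(body))
```

Running the module as-is prints the six admin calls the configuration needs (two role creations, four role mappings) without touching a server; replacing `DryRunApi` with `AdminApi` applies them. `can_login` is the client-side complement: a token for User A decoded by client2 will have no `client2_access` entry under `resource_access`, so client2 rejects it regardless of what the authorization policy decided.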
