How can I restrict client access to only one group of users in keycloak?

On Keycloak admin console, go to Clients menu, select your client. On the client configuration page, set Authorization Enabled: On, click Save. A new Authorization tab should appear, go to it, then to the Policies tab underneath, click Create Policy and select Group-based policy. There, you can restrict access to specific groups, assuming you have defined your groups via the Groups menu already.

--EDIT 2019-11-08--

As mentioned in comments, Client Protocol must be set to openid-connect and Access Type must be set to confidential, in order to make the Authorization Enabled option visible.

I found a solution which does not require the scripts extension or any changes on the flow.

The key for this solution are the Client Scopes. An application which wants to to authorize a user needs a scope like email or uid, right? What if you only pass them to an application if a user is in a specific group?

In the following, my client application name is App1.

Solution:

1. Go to your client roles (realm -> Clients -> click App1 -> Roles)
2. Click 'Add Role' -> enter Name (e.g. 'access') -> click 'Save'
3. Go to Client Scopes (realm -> Client Scopes)
4. Click on the scope which is needed by your client application (e.g. 'email')
5. Assign Client Role 'access' in 'Scope' Tab by choosing client application 'App1' in Drop Down 'Client Roles'

Now, you won't be able to log into your client application App1 anymore, as the role 'access' is not assigned to any user or group. You can try.

Let's create a new group and assign the role and a user to it.

6. Create Group (realm -> Groups -> Click 'New' -> enter Name 'App1 Users' -> Click Save)
7. In the Group, choose 'Role Mappings', choose 'App1' in Client Roles drop down, and assign the role 'access'
8. Assign User to 'App1 Users' (realm -> Users -> Click on User -> Groups -> Select 'App1 Users -> Click Join)

Voila, the chosen user can log into App1.