Keycloak: Role based client log-in access restriction for users
The solution proposed by @Stuck is a great start, but it has a significant flaw: When the user has already authenticated, e.g. via the standard flow of another client that did not require the role, the password form flow will never be triggered. Consequently, the user will be logged in via the cookie flow without ever checking for the role.
In other words: If there are other clients (such as the account console) that do not require the role, anyone can bypass the role check.
To fix this there needs to be an additional flow layer that includes all authentication executions, that is followed by the authorization step (no matter what authentication flow was used). The final result will look like this:
You can do this without extensions.
- Copy the desired flow (e.g. the browser flow)
- Create a new sub flow (e.g. for the browser forms), call it `Access By Role` and select `generic` as type.
- For the new sub flow ensure that `CONDITIONAL` is selected in the flow overview.
- For the new sub flow add execution `Condition - User Role`, make it `REQUIRED` and configure it:
  - alias: admin-role-missing
  - role: admin (or whatever your role is)
  - negate: true
- Add another execution: `Deny Access` and make it `REQUIRED` as well.
The final result should look similar to this:
This will deny access if the condition "admin-role-missing" is true.
You can also learn more from the docs: explicitly-deny-allow-access-in-conditional-flows
Also, don't forget to go to your client and select the flow in the authentication overrides.
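The same steps scripted against the Keycloak Admin REST API, as an added example that is not part of the answer above and not Keycloak's own tooling. It uses only the Python standard library; the provider ids (`conditional-user-role`, `deny-access-authenticator`, `auth-cookie`) and the config keys (`condUserRole`, `negate`) are those of Keycloak's built-in authenticators, the URL layout assumes a Quarkus-based Keycloak without the `/auth` prefix, and the realm, flow name, client id and admin credentials in `main` are placeholders. The `role_gate_after_cookie` check verifies the point the answer makes: the gate sub-flow must be a top-level sibling placed after the `Cookie` execution, otherwise an existing SSO session never reaches it.

```python
"""Build the conditional 'Access By Role' sub-flow via the Keycloak Admin REST API
and verify it cannot be skipped by the cookie path. Added example, stdlib only."""
import json
import urllib.parse
import urllib.request

# Built-in provider ids (assumed from Keycloak's authenticator factories).
COND_USER_ROLE = "conditional-user-role"   # "Condition - User Role"
DENY_ACCESS = "deny-access-authenticator"  # "Deny Access"
COOKIE = "auth-cookie"                     # "Cookie"


def subflow_payload(alias):
    """Body for POST .../flows/{parent}/executions/flow: a generic sub-flow."""
    return {"alias": alias, "type": "basic-flow", "provider": "basic-flow",
            "description": "Deny access unless the user holds the required role"}


def role_condition_config(alias, role, negate=True):
    """Body for POST .../executions/{id}/config; config values are strings."""
    return {"alias": alias,
            "config": {"condUserRole": role, "negate": "true" if negate else "false"}}


def requirement_update(execution_id, requirement):
    """Body for PUT .../flows/{flow}/executions (REQUIRED / CONDITIONAL / ...)."""
    return {"id": execution_id, "requirement": requirement}


def role_gate_after_cookie(executions, gate_alias):
    """The gate must be a level-0 sibling after the Cookie execution. If it were
    nested under 'forms', a user with a valid SSO cookie would never reach it,
    which is exactly the bypass described in the answer."""
    cookie = [e for e in executions if e.get("providerId") == COOKIE and e["level"] == 0]
    gate = [e for e in executions if e.get("authenticationFlow")
            and e.get("displayName") == gate_alias and e["level"] == 0]
    return bool(cookie and gate) and gate[0]["index"] > cookie[0]["index"]


class KeycloakAdmin:
    """Minimal admin client over the Keycloak Admin REST API."""

    def __init__(self, base_url, realm, token):
        self.base = f"{base_url}/admin/realms/{realm}"
        self.token = token

    @staticmethod
    def password_token(base_url, user, password):
        data = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                       "username": user, "password": password}).encode()
        with urllib.request.urlopen(f"{base_url}/realms/master/protocol/openid-connect/token", data) as r:
            return json.load(r)["access_token"]

    def call(self, method, path, body=None):
        req = urllib.request.Request(f"{self.base}/{path}", method=method,
                                     data=json.dumps(body).encode() if body is not None else None,
                                     headers={"Authorization": f"Bearer {self.token}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as r:
            raw = r.read()
            return json.loads(raw) if raw else None

    def executions(self, flow_alias):
        return self.call("GET", f"authentication/flows/{urllib.parse.quote(flow_alias)}/executions")

    def set_requirement(self, flow_alias, execution_id, requirement):
        self.call("PUT", f"authentication/flows/{urllib.parse.quote(flow_alias)}/executions",
                  requirement_update(execution_id, requirement))

    def override_browser_flow(self, client_uuid, flow_alias):
        """The last step of the answer: bind the new flow on the client."""
        flow_id = next(f["id"] for f in self.call("GET", "authentication/flows") if f["alias"] == flow_alias)
        self.call("PUT", f"clients/{client_uuid}", {"authenticationFlowBindingOverrides": {"browser": flow_id}})


def build_role_gate(kc, new_flow="browser-admin-only", gate="Access By Role", role="admin"):
    """Copy the browser flow, add the CONDITIONAL gate sub-flow, then the negated
    role condition and Deny Access (both REQUIRED), and verify the layout."""
    kc.call("POST", "authentication/flows/browser/copy", {"newName": new_flow})
    kc.call("POST", f"authentication/flows/{urllib.parse.quote(new_flow)}/executions/flow", subflow_payload(gate))
    gate_exec = next(e for e in kc.executions(new_flow) if e.get("authenticationFlow") and e["displayName"] == gate)
    kc.set_requirement(new_flow, gate_exec["id"], "CONDITIONAL")
    for provider in (COND_USER_ROLE, DENY_ACCESS):
        kc.call("POST", f"authentication/flows/{urllib.parse.quote(gate)}/executions/execution", {"provider": provider})
    for e in kc.executions(new_flow):
        if e.get("providerId") in (COND_USER_ROLE, DENY_ACCESS) and e["level"] == 1:
            kc.set_requirement(new_flow, e["id"], "REQUIRED")
            if e["providerId"] == COND_USER_ROLE:
                kc.call("POST", f"authentication/executions/{e['id']}/config",
                        role_condition_config("admin-role-missing", role, negate=True))
    if not role_gate_after_cookie(kc.executions(new_flow), gate):
        raise RuntimeError("gate sub-flow is not a top-level sibling after Cookie")
    return new_flow


if __name__ == "__main__":  # placeholder URL, realm, client uuid and credentials
    url = "http://localhost:8080"
    admin = KeycloakAdmin(url, "myrealm", KeycloakAdmin.password_token(url, "admin", "admin"))
    flow = build_role_gate(admin)
    admin.override_browser_flow("<client-uuid>", flow)
    print("created and bound flow", flow)
```

Run it once against a test realm and then open the new flow in the admin console: the gate must appear at the same level as `Cookie` and `forms`, not inside `forms`, and the two executions inside it must be `REQUIRED`.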