Restrict client access to a specific user group via Keycloak

Keycloak, as an identity provider, aggregates all your users and connects to all your client applications: one account for all applications. Keycloak handles authentication on its own, but it can also be configured to support the client application's authorisation. If you operate an application with no or only limited authorisation options, one workaround is to enforce access policies in Keycloak itself.

This blog entry shows how to restrict access to a client to a specific user group. The result is binary: a user either can log in or cannot; there is no finer-grained authorisation.

Configuration

All of this is done in Keycloak in your desired realm.

  1. Create a client role (e.g. access-role). This is done inside the client configuration of the application you want to restrict.
  2. Create a group. Name it as you like (e.g. access-group) and add the users that should be allowed to log in.
  3. Assign the client role to the group.
  4. Edit a client scope that the application needs (e.g. email, profile, etc.) and assign the client role to this scope.

Voilà. Users who are members of the group can log in; users who are not members cannot.
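A quick way to confirm the configuration is to obtain an access token for a member and for a non-member and look at where Keycloak places the client role: under the `resource_access.<clientId>.roles` claim (realm roles go under `realm_access.roles` instead). The script below is an added example, not part of the original post or of Keycloak; the client id `myapp`, the role name `access-role`, the issuer URL and the two sample tokens are constructed here so the check runs offline against token-shaped input.

```python
import base64
import json

# Constructed values for this example; substitute your own client id and role name.
CLIENT_ID = "myapp"
ACCESS_ROLE = "access-role"


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode a JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    """Base64url-encode a JSON object the way JWT segments are encoded."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is deliberately not checked here: this helper is only for
    inspecting a token you obtained yourself while testing the configuration.
    A resource server must verify the signature against the realm's JWKS
    before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def client_roles(claims: dict, client_id: str) -> set:
    """Client roles Keycloak places under resource_access.<clientId>.roles."""
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def passes_group_gate(claims: dict, client_id: str = CLIENT_ID, role: str = ACCESS_ROLE) -> bool:
    """True when the token carries the client role that group membership grants."""
    return role in client_roles(claims, client_id)


def sample_token(username: str, member: bool) -> str:
    """Build a constructed token shaped like a Keycloak access token.

    The header and signature are placeholders; only the claim layout mirrors
    what Keycloak issues.
    """
    claims = {
        "iss": "https://keycloak.example.invalid/realms/demo",  # constructed issuer
        "preferred_username": username,
        "azp": CLIENT_ID,
        "realm_access": {"roles": ["default-roles-demo", "offline_access"]},
        "resource_access": {"account": {"roles": ["view-profile"]}},
    }
    if member:
        # Group members inherit the client role and it surfaces here.
        claims["resource_access"][CLIENT_ID] = {"roles": [ACCESS_ROLE]}
    header = _b64url_encode({"alg": "RS256", "typ": "JWT", "kid": "constructed"})
    return f"{header}.{_b64url_encode(claims)}.placeholder-signature"


def check_tokens(tokens: dict) -> dict:
    """Map username -> allowed for a batch of tokens (member vs non-member comparison)."""
    return {name: passes_group_gate(jwt_claims(tok)) for name, tok in tokens.items()}


if __name__ == "__main__":
    tokens = {
        "alice": sample_token("alice", member=True),
        "bob": sample_token("bob", member=False),
    }
    for user, allowed in check_tokens(tokens).items():
        print(f"{user}: {'allowed' if allowed else 'denied'}")
```

When you run this against real tokens, remember that the client scope from step 4 only influences the token if it is a default scope of the client (or is requested explicitly), and that a client with "Full scope allowed" enabled includes every role the user holds regardless of scope mappings, so the role's presence in the token alone does not prove the scope mapping is in effect.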


Last update: 2026-03-18