[Feature] Support for configuring different role per client about keycloak-restrict-client-auth HOT 7 CLOSED

I think this extension already supports exactly what you want to achieve. I think there is a misunderstanding regarding the role name that you can configure globally. Can you check if the information in #118 helps.

If not, please let me know and I try to explain in more detail.

from keycloak-restrict-client-auth.

Hello @danifr,

thanks for the feature request.

Are your roles slack_user and role_gitlab realm-level roles or do you have two clients (slack and gitlab) each defining the corresponding role as a client-level role?

Regards
Sven-Torben

from keycloak-restrict-client-auth.

@sventorben, thanks for your quick answer.

I guess it can be either of them.
Maybe client-level role will be a bit cleaner for my use-case, but I wouldn't mind adding them as realm roles.

Full disclosure, before I was using this SPI https://github.com/thomasdarimont/keycloak-extension-playground/tree/master/auth-require-role-extension but unfortunately I couldn't make it work with the new version of Keycloak (quarkus distro)

Thanks a lot!

from keycloak-restrict-client-auth.

Can you elaborate a bit, why you need different names for the roles? If client-level roles work for you, then each role is already client-specific. Why would you want to encode the client name in the role name again?

from keycloak-restrict-client-auth.

Sorry for the confusion. I will try to explain my scenario better.

We have 2 different applications protected by Keycloak: GitLab and Slack. They are using 2 different keycloak clients.

Now, of all the users I have in Keycloak I ONLY want the ones that are in the group slack_users
to be able to login to Slack and ONLY the ones that are in gitlab_users to be able to access GitLab.
The users in slack_users and gitlab_users are not the same.

My idea is to implement this restriction via "required roles", so in this case the authentication flow for the Gitlab
client will require the specific role (i.e gitlab_users_role). This role will be mapped to the members of the gitlab_users group.

Likewise for Slack but in this case with the slack_users group and slack_users_role.

But my understanding is that you can only configure one global role. So if I do:
spi-restrict-client-auth-access-provider-client-role-client-role-name=gitlab_users_role

It will be only restricting for the gitlab_users_role.

I hope this makes better sense. Thank you very much.

from keycloak-restrict-client-auth.

Do you think this is something that can be achieved? Thanks!!

from keycloak-restrict-client-auth.

Indeed #118 (comment) looks like exactly what I need!

Danke schön Steven-Torben!!!

from keycloak-restrict-client-auth.