Restrict user access


Sar

Jun 28, 2023, 3:41:39 PM
to Keycloak User
Feel like I've been spinning in my wheels for a while. I read the docs (especially authorization) several times and tried following the example but can't get what I want to work as expected. So, here's the big picture.

I have an app that knows nothing about authn and authz that I want to make publicly accessible. So I'm using traefik as a proxy and Keycloak to handle authn. Everything works as expected. The end user requests a page, gets re-routed to Keycloak authentication, and if the username and password are valid, the user is redirected to the app and all is good. I now have a new requirement to satisfy. I have another similar application; however, I want a subset of users to be able to access it. One idea was to create a new realm, but I am trying to find having multiple user accounts. I came across the authz docs and figured that maybe I can leverage that. Here are my questions:
- Is it possible to restrict access to an application (the app is a standalone app with no ability to do any authn or authz) using Keycloak AND not modifying anything on the app side?
I followed the steps here but I was still able to access the application. Not sure if I'm misunderstanding a major concept or whether it's a simple config that somehow I missed after staring at this for too long, but some confirmation of whether that's actually possible would be great.

Geoffrey Welch

Jun 29, 2023, 12:38:48 AM
to Keycloak User
Keycloak doesn't have a built-in option to deny access based on the client or any other criteria. The expectation is that the app has some way to block access based on attributes or groups passed via SAML/OAuth.

This is a common problem with authentication servers that I've found. Some applications (Mattermost) refuse to do any authorization and have no way to restrict access if the SSO says they can log in, and refuse to add support for it, saying it's the IdP's job; other applications will let you allow based on either attributes passed in (Grafana) or groups (Jira/Confluence miniOrange plugins). Keycloak, as far as I can tell, refuses to provide a built-in way to restrict based on group or attribute and says it's the application's job. There are other IdPs that don't have an issue with providing a way to restrict authentication based on groups or other data (authentik, Authelia...).
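The app-side (or proxy-side) check Geoffrey describes, as an added example that is not code from this thread or from Keycloak: a deny-by-default decision over the claims of an access token, restricting one client (the second app) to users in an allowed group or holding an allowed client role. It assumes the token's signature and issuer were already verified by the OIDC layer in front of the app, and the claim layout is a constructed sample of what Keycloak emits with its realm-role and Group Membership mappers enabled.

```python
import time

# Constructed sample of Keycloak access-token claims (assumption, not a real
# token): "groups" comes from a Group Membership mapper, client roles sit under
# resource_access.<client_id>.roles, and "aud" lists the clients it is for.
SAMPLE_CLAIMS = {
    "exp": 1_900_000_000,
    "aud": ["app-b", "account"],
    "groups": ["/staff", "/app-b-users"],
    "realm_access": {"roles": ["default-roles-demo", "offline_access"]},
    "resource_access": {"app-b": {"roles": ["viewer"]}},
}


def client_roles(claims, client_id):
    """Roles Keycloak scoped to one client (resource_access.<client>.roles)."""
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def groups(claims):
    """Group memberships as Keycloak emits them (paths such as /app-b-users)."""
    return set(claims.get("groups", []))


def is_authorized(claims, client_id, allowed_groups=(), allowed_roles=(), now=None):
    """Decide whether an already-authenticated user may use this one client.

    Signature and issuer checks are assumed to have happened upstream; this
    is only the per-application authorization step Keycloak leaves to the
    app. Returns (allowed, reason) so denials can be logged with a cause.
    """
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud   # "aud" may be a string or a list
    if client_id not in aud:
        return False, f"token not issued for {client_id}"
    if groups(claims) & set(allowed_groups):
        return True, "group membership"
    if client_roles(claims, client_id) & set(allowed_roles):
        return True, "client role"
    return False, "no qualifying group or role"   # deny by default


if __name__ == "__main__":
    print(is_authorized(SAMPLE_CLAIMS, "app-b", allowed_groups=["/app-b-users"]))
```

Wired behind a traefik forward-auth middleware or into the app itself, a False result maps to a 403 after authentication has succeeded, which is the split between authn and authz the thread is asking about.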

Sar

Jun 29, 2023, 10:55:39 AM
to Keycloak User
Following up on Geoffrey's response (thanks), I was wondering if this was something that could be handled at the authz layer instead of the authn layer with policy enforcement, if the application is configured as an OIDC client with authorization enabled and permissions are set up on the default resource to deny access. Shouldn't it, in that case, allow the user to log in so authn completes successfully, but then policy is enforced and it hits authz and throws a 404 to the user? Guess I'm not very clear from the docs why this scenario isn't doable.