Creating an authentication flow with role limits

Hi

This is a topic that has been covered here a lot, and there are many ways to do it, depending on whether you are using Keycloak for everything (read everything as: user management, authentication, etc.).

I have set up a system where users in a realm can access clients through:

OIDC:
  • Redmine
  • Weblate

SAML:
  • cloud services (they haven't migrated their SSO to OIDC yet)

Now I want to create a flow that will check if the user has a role.

Some of the topics I looked at:

https://github.com/keycloak/keycloak/issues/10250

https://keycloak.discourse.group/t/limiting-sso-for-certain-users/11985/14


Current setup

  1. Copy browser flow → Browser flow with Role control
  2. Modify it to look like the picture below.


The flow should be:

Login to client subflow (login either using cookie or User/Pass/OTP):
  1. User can log in with cookie to the client if the cookie exists and is OK (whatever the flow control does)
  2. User can log in if the username/password form is OK and OTP is successful

Login to client checks subflow (renamed to just "client checks"; this will check if the user has the role, and according to that the flow should allow or deny):
  3. User can log in if the user has a role that corresponds to the client.

Will this work, or what should I change in this crazy complicated world of keycloak?


Extra thoughts:

I don’t know if this flow will work for ALL clients, or will it be specific to one.

The previous setup creates this image, which seems pretty reasonable.

  1. Create realm role → weblate-user
  2. Create client weblate
  3. Turn off ‘full scope allowed’ and add the realm role (I can’t seem to add a client role, it says it's not available, so I am using a realm role.)
  4. Go to Authentication → Flows → Browser flow with role control
  5. Go to Client checks → Condition - User role, and it should look like below
  6. When I tested it out and tried to log in to weblate it:

  • redirected to keycloak
  • I logged in and entered OTP
  • got 401 unauthorized

But when I have the cookie from keycloak then it doesn't say that, meaning the flow is not working as intended.

This is how it looks in the old UI (same pic as original post).

I solved it. The previously shown picture was almost correct.

This is the working version.

When a user does not have a role that is specified in role_check then he/she can’t login to the client application.

My flow for Keycloak version 20.
You should turn on “Negate output” in the “Condition - user role” step and specify the client role. Create the client role beforehand and map it to a group.
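The working flow from the posts above (a REQUIRED login subflow with cookie/forms as alternatives, followed by a CONDITIONAL "client checks" subflow holding a negated "Condition - user role" and a Deny Access step) can be built without the admin console. The script below is an added example, not code from the thread: it drives the Keycloak admin REST API with the standard authenticator provider ids; the flow alias, the role name, the Deny Access step, the placeholder base URL and the config key names for the role condition are assumptions to verify against your Keycloak version.

```python
import json
import urllib.request

def flow_spec(alias, client_role):
    """Ordered build steps: (parent flow alias, kind, provider id or subflow alias,
    requirement, execution config). The check subflow fires when the user does NOT
    hold client_role (negate=true) and then denies access. Client roles are written
    as "clientId.roleName" in the condition (assumed; check your version)."""
    login, forms, checks = f"{alias}-login", f"{alias}-forms", f"{alias}-client-checks"
    return [
        (alias, "flow", login, "REQUIRED", None),
        (login, "exec", "auth-cookie", "ALTERNATIVE", None),
        (login, "flow", forms, "ALTERNATIVE", None),
        (forms, "exec", "auth-username-password-form", "REQUIRED", None),
        (forms, "exec", "auth-otp-form", "REQUIRED", None),
        (alias, "flow", checks, "CONDITIONAL", None),
        (checks, "exec", "conditional-user-role", "REQUIRED",
         {"condUserRole": client_role, "negate": "true"}),  # "Negate output" on
        (checks, "exec", "deny-access-authenticator", "REQUIRED", None),
    ]

def call(base, realm, token, method, path, body=None):
    """One admin REST request; base is e.g. https://sso.example.test (placeholder)."""
    req = urllib.request.Request(
        f"{base}/admin/realms/{realm}/{path}", method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None

def build_flow(base, realm, token, alias, client_role):
    """Create the top-level flow, add each step, set its requirement and config."""
    api = lambda m, p, b=None: call(base, realm, token, m, p, b)
    api("POST", "authentication/flows",
        {"alias": alias, "providerId": "basic-flow", "topLevel": True, "builtIn": False})
    for parent, kind, name, requirement, config in flow_spec(alias, client_role):
        if kind == "flow":
            api("POST", f"authentication/flows/{parent}/executions/flow",
                {"alias": name, "type": "basic-flow", "description": ""})
        else:
            api("POST", f"authentication/flows/{parent}/executions/execution", {"provider": name})
        execution = api("GET", f"authentication/flows/{parent}/executions")[-1]  # newest is last
        execution["requirement"] = requirement
        api("PUT", f"authentication/flows/{parent}/executions", execution)
        if config:
            api("POST", f"authentication/executions/{execution['id']}/config",
                {"alias": f"{name}-config", "config": config})

def bind_to_client(base, realm, token, client_uuid, alias):
    """Override only this client's browser flow instead of the realm default."""
    api = lambda m, p, b=None: call(base, realm, token, m, p, b)
    flow_id = next(f["id"] for f in api("GET", "authentication/flows") if f["alias"] == alias)
    client = api("GET", f"clients/{client_uuid}")
    client["authenticationFlowBindingOverrides"] = {"browser": flow_id}
    api("PUT", f"clients/{client_uuid}", client)
```

Binding the flow per client (rather than as the realm browser flow) answers the "all clients or one" question: each client gets its own copy with its own role in the condition.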

Hello. Good work. That’s the way it works indeed.
BUT, the problem is that the role is a constant not depending upon the client.
So whenever the user has this role, inherited or not, that will validate the flow.
db