
We have to configure time-limited access per user and per client in Keycloak. E.g. user A should have access to Confluence from 2017-11-06 until 2018-11-06.

We configured a time-based policy in the Keycloak admin console and successfully checked the conditions with the built-in evaluation page.

Clients >> Confluence >> Authorization >> Policies

But Keycloak didn't evaluate the policies during the login of the user.

Our first assumption was that Keycloak should evaluate these policies during user authentication, but none of the policies we configured had any impact on the user authentication (the user can log in independently of the policy configuration in Keycloak). We assumed that the client (e.g. Confluence) has to evaluate the client policies. Is our assumption correct?

Could you please be so kind as to give us a hint on how to configure user access policies in Keycloak that will be evaluated during user authentication?

Martijn Pieters

1 Answer

The policies are all about authorization only!

They have no impact on authentication.
Authentication is just the verification of the login credentials.

Keycloak itself is not making any authorization decision. It just provides data, such as claims, roles and permissions that can be used by a client (i.e. application) to make authorization decisions.

Depending on the defined policies, an authenticated user has specific roles and permissions in the corresponding access token. The application is then responsible for allowing or denying access to specific functionality or data based on the roles and permissions provided in the user's token.

That is, the policy you described will influence the permissions of the user. Before 2017-11-06 and after 2018-11-06 some required permissions will not be in the user's access token and therefore access to some functionality will be denied by the application.

Sorry, but I have no idea how this works in Confluence.

Boomer
  • Thanks for your detailed answer! Is it possible to limit authentication in Keycloak? E.g. a time limitation for users? – André Ritter Nov 06 '17 at 12:05
  • No, not out-of-the-box. If I had to solve this I would implement a custom _Required Action_ similar to ``Terms and Conditions``. Rather than checking the _accepted flag_ it would check the dates from some user attributes and reject authentication if the current date does not fit. See http://www.keycloak.org/docs/latest/server_admin/topics/users/required-actions.html – Boomer Nov 06 '17 at 13:35
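The custom Required Action sketched in the last comment, as an added example (not code from the question, the answer, or the Keycloak project): it reads a per-user date window from two user attributes and aborts the login outside that window. The provider id `time-window-check`, the attribute names `access_from` / `access_until` (ISO dates, e.g. `2017-11-06`), and the package name are assumptions made for this illustration; the `RequiredActionProvider` / `RequiredActionFactory` interfaces are Keycloak's own SPI as described in the linked documentation.

```java
// Added example: a Keycloak Required Action that denies login outside a per-user date window.
// Provider id, attribute names and package are assumptions for this illustration.
package example.keycloak;

import java.time.LocalDate;
import java.time.format.DateTimeParseException;

import org.keycloak.Config;
import org.keycloak.authentication.RequiredActionContext;
import org.keycloak.authentication.RequiredActionFactory;
import org.keycloak.authentication.RequiredActionProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.UserModel;

public class TimeWindowRequiredAction implements RequiredActionProvider, RequiredActionFactory {

    public static final String PROVIDER_ID = "time-window-check"; // assumed id, also listed in META-INF/services
    static final String ATTR_FROM  = "access_from";  // assumed user attribute, ISO date, e.g. 2017-11-06
    static final String ATTR_UNTIL = "access_until"; // assumed user attribute, ISO date, e.g. 2018-11-06

    // Pure decision logic, kept separate so it can be unit-tested without a Keycloak session.
    // A missing attribute leaves that side of the window open; an unparsable attribute fails closed.
    static boolean isWithinWindow(String from, String until, LocalDate today) {
        try {
            if (from != null && today.isBefore(LocalDate.parse(from.trim()))) {
                return false;
            }
            if (until != null && today.isAfter(LocalDate.parse(until.trim()))) {
                return false;
            }
            return true;
        } catch (DateTimeParseException e) {
            return false; // malformed configuration must not grant access
        }
    }

    // Called by Keycloak on every login. Re-attach the action whenever a window is configured;
    // Keycloak removes it again after requiredActionChallenge() reports success, so the check
    // is repeated at each authentication instead of running once like Terms and Conditions.
    @Override
    public void evaluateTriggers(RequiredActionContext context) {
        UserModel user = context.getUser();
        if (user.getFirstAttribute(ATTR_FROM) != null || user.getFirstAttribute(ATTR_UNTIL) != null) {
            user.addRequiredAction(PROVIDER_ID);
        }
    }

    // No form to render: decide immediately and either continue or abort the login flow.
    @Override
    public void requiredActionChallenge(RequiredActionContext context) {
        UserModel user = context.getUser();
        boolean allowed = isWithinWindow(user.getFirstAttribute(ATTR_FROM),
                                         user.getFirstAttribute(ATTR_UNTIL),
                                         LocalDate.now());
        if (allowed) {
            context.success();   // user proceeds with the rest of the login
        } else {
            context.failure();   // login is rejected; Keycloak returns its error response
        }
    }

    // Only reached if a form were submitted, which this action never renders.
    @Override
    public void processAction(RequiredActionContext context) {
        context.failure();
    }

    @Override
    public String getDisplayText() {
        return "Time-limited account (access_from / access_until)";
    }

    @Override
    public RequiredActionProvider create(KeycloakSession session) {
        return this;
    }

    @Override
    public void init(Config.Scope config) { }

    @Override
    public void postInit(KeycloakSessionFactory factory) { }

    @Override
    public void close() { }

    @Override
    public String getId() {
        return PROVIDER_ID;
    }
}
```

To deploy it, package the class in a jar together with a `META-INF/services/org.keycloak.authentication.RequiredActionFactory` file naming the class, deploy the jar to the server, and enable the action under Authentication > Required Actions in the admin console (the registration steps are the ones the linked documentation describes for any required action). Note that this enforces the window at authentication time only: a token issued before `access_until` stays valid until it expires, so keep access token lifetimes short if the end date has to be honoured precisely. `LocalDate.now()` uses the server's default zone; a deployment spanning time zones should pin one explicitly.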