Realm policies are being ignored while getting token

Question

I have two realms, a public webapp and an extranet where only employees can access. I have tried setting group policies.

When I try to connect with an non-employee user, keycloak still returns the access token.

What did I miss?

EDIT.

I made a mistake, I only have 2 clients.

can you share urls you are using when trying to get access tokens for both the realms — Abhijeet, Oct 14 '21 at 12:56
If both clients are from same Realm then access token from one client can be used to access other client — Abhijeet, Oct 15 '21 at 02:19
It's one of the solution, but you can limit the access via other ways as well — Abhijeet, Oct 17 '21 at 12:52

Abhijeet · Answer 1 · 2021-10-18T07:40:20.827

You have to limit the access granted to your access token to achieve this. There are three ways to do it (that I know of)

Audience: Allows listing the resource providers that should accept an access token.
Roles: Through controlling what roles a client has access to, it is possible to control what roles an application can access on behalf of the user.
Scope: In Keycloak, scopes are created through client scopes, and an application can only have access to a specific list of scopes.

You can look at this example which explains the flow on how to achieve this using role based method. You can refer this as well.

1 Answers1