Tags: authentication, oauth-2.0, keycloak, grafana

Integrating Grafana with Keycloak: How to manage user access?


Problem

I am integrating Grafana with Keycloak.
A realm: zzy; two users: daicy, sscc.
When I hit the Grafana URL, it redirects to Keycloak and authenticates the user.

Result:
Both daicy and sscc can pass.

Hope:
sscc can pass, daicy fails.

What do I need to do to get the hoped-for result?

Methods I tried
I read the Keycloak documentation on user-based policy.

Then I followed the document, but it failed: all users can authenticate.

Here is my setup for authorization:

user policies

user daicy policy

user sscc policy

resource permission

Has anyone managed to get through this?


Solution

  • Identity provider is for authentication (not for authorization). If you want to use authorization services, then they must be supported on the Service Provider side (Grafana in your case).

    Unfortunately, Grafana doesn't support Keycloak authorization services out of the box. It supports only role-based authorization (`role_attribute_path`). Unfortunately, you can't deny access for authenticated users on the Grafana side, because they will always have at least the Viewer role - https://github.com/grafana/grafana/issues/23218
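
The role mapping the answer refers to, as an added `grafana.ini` sketch that is not part of the original answer. Assumptions: the Keycloak host `keycloak.example.com`, the client id `grafana`, the role names `grafana-admin` and `grafana-editor`, and a Keycloak mapper that puts the user's roles into a top-level `roles` claim; only the realm `zzy` and the two user names come from the question.

```ini
[auth.generic_oauth]
enabled = true
name = Keycloak
allow_sign_up = true

# Assumed client registered in realm "zzy"; the secret is a placeholder.
client_id = grafana
client_secret = <client-secret>
scopes = openid profile email

# Assumed host. Older Keycloak releases serve these paths under /auth/realms/...
auth_url = https://keycloak.example.com/realms/zzy/protocol/openid-connect/auth
token_url = https://keycloak.example.com/realms/zzy/protocol/openid-connect/token
api_url = https://keycloak.example.com/realms/zzy/protocol/openid-connect/userinfo

# JMESPath expression evaluated against the claims Grafana receives.
# Assumes a "roles" claim such as: "roles": ["grafana-admin"]
#
#   sscc  with role grafana-admin  -> Admin
#   a user with grafana-editor     -> Editor
#   daicy with neither role        -> Viewer (still logged in, read-only)
#
# The mapping decides WHICH Grafana role a user gets, not WHETHER the
# user gets in: Keycloak has already authenticated both accounts, and
# the Keycloak authorization policies from the question are never
# consulted by Grafana.
role_attribute_path = contains(roles[*], 'grafana-admin') && 'Admin' || contains(roles[*], 'grafana-editor') && 'Editor' || 'Viewer'
```

With this mapping daicy's access is reduced to Viewer rather than refused, which matches the limitation described in the linked issue.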