Check user group of already logged in user in KeyCloak
I have two applications, both using Keycloak to authenticate users of the same realm. I've created two different clients and two different user groups. Only users of a specific group can access the corresponding application. I'm using this custom extension to verify the user group after user login. I've created two different user flows based on the Browser Flow, one for each group, and I've configured each client to use the relevant user flow. This is working fine when a user tries to log in.
I'm giving an example to explain better: I have two groups, A and B. One user belongs to group A. When the user isn't logged in, he can access application A but he cannot access application B.
What I cannot prevent is user access to application B when he is already logged into application A. This is happening because the Browser Flow has a cookie step that gives authorization to users already logged in.
Is there a step to check user group (or other user information) after the cookie step?
Solution 1:[1]
I found this solution: I created a new authentication flow; at the first level I've created a sub flow containing the standard Browser Flow and, always at the first level, I've added the execution of group verification.
Both steps at the first level are marked as required.
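The flow layout from the answer, as an added example that is not part of the original post and is not Keycloak's code: a simplified Python model of how REQUIRED and ALTERNATIVE executions are evaluated, showing why the cookie step skips a group check placed inside the browser flow and why wrapping the browser flow closes the gap. The step names, the session fields and the position of the group check in the original flow are assumptions.

```python
"""Simplified model of authentication flow evaluation (constructed, not Keycloak source)."""

def run(flow, session):
    """A flow is a list of (requirement, step); a step is a function or a nested flow."""
    required = [step for req, step in flow if req == "REQUIRED"]
    if required:
        # REQUIRED steps run in order and every one of them must succeed.
        return all(execute(step, session) for step in required)
    # Only ALTERNATIVE steps: the first success completes the flow, the rest are skipped.
    return any(execute(step, session) for req, step in flow if req == "ALTERNATIVE")

def execute(step, session):
    if isinstance(step, list):              # nested sub flow
        return run(step, session)
    session["trace"].append(step.__name__)  # record which executions actually ran
    return step(session)

def cookie(session):                        # existing SSO session in the realm
    return session["sso_cookie"]

def login_form(session):                    # username/password form
    return session["password_ok"]

def make_group_check(group):                # stands in for the custom extension
    def group_check(session):
        return group in session["groups"]
    return group_check

def original_flow(group):
    # Assumed original layout: group check placed after the login form.
    forms = [("REQUIRED", login_form), ("REQUIRED", make_group_check(group))]
    return [("ALTERNATIVE", cookie), ("ALTERNATIVE", forms)]

def wrapped_flow(group):
    # Layout from the answer: standard browser flow as a REQUIRED sub flow,
    # followed by a REQUIRED group verification at the same (first) level.
    browser = [("ALTERNATIVE", cookie), ("ALTERNATIVE", [("REQUIRED", login_form)])]
    return [("REQUIRED", browser), ("REQUIRED", make_group_check(group))]

def attempt(flow, **session):
    session["trace"] = []
    return run(flow, session), session["trace"]

if __name__ == "__main__":
    user = dict(groups={"A"}, password_ok=True)   # constructed user in group A only
    print("original, app B, SSO cookie:", attempt(original_flow("B"), sso_cookie=True, **user))
    print("wrapped,  app B, SSO cookie:", attempt(wrapped_flow("B"), sso_cookie=True, **user))
    print("wrapped,  app A, SSO cookie:", attempt(wrapped_flow("A"), sso_cookie=True, **user))
```

The trace makes the difference visible: in the original layout only `cookie` runs for an already logged-in user, while in the wrapped layout `group_check` runs on every request regardless of how the browser sub flow was satisfied.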
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | Luca Riccitelli |