Realm & Client Isolation

Enforce realm whitelists and per-client policy configuration.

Requirements Coverage

REQ-REALM-001   Support realm whitelist
REQ-REALM-002   Block requests to non-whitelisted realms
REQ-REALM-003   Support per-client allowed realm configuration
REQ-CLIENT-001  Support client ID whitelist
REQ-CLIENT-002  Detect public vs confidential client
REQ-CLIENT-003  Per-client policy configuration

Test Examples

REALM-001 (BLOCKED)

Unknown realm blocked

Sample Request

curl 'https://keycloak-alg:8443/realms/unknown-realm/protocol/openid-connect/auth?'\
'response_type=code&client_id=myapp&redirect_uri=https://app.example.com/cb'

Expected Response

{"error":"access_denied","error_description":"Realm 'unknown-realm' is not in the whitelist"}
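The following Python example is added here and is not the project's own code. It shows one way a gateway in front of Keycloak can evaluate all six requirements on a single authorization request: the realm whitelist (REQ-REALM-001/002), the client ID whitelist (REQ-CLIENT-001), per-client allowed realms (REQ-REALM-003), public vs confidential detection (REQ-CLIENT-002) and a per-client policy knob (REQ-CLIENT-003). The configuration classes, the HTTP status codes, the PKCE knob, and the rule that a client registered with a secret counts as confidential are assumptions of this example; the sample policy is constructed, and the sample request reproduces the URL from the test above.

```python
"""Added example (not the project's code): realm and client policy gate for
OIDC authorization requests, returning the compact error bodies shown above."""
import json
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Keycloak-style authorization endpoint path: /realms/{realm}/protocol/openid-connect/auth
REALM_PATH = re.compile(r"^/realms/([^/]+)/protocol/openid-connect/")


@dataclass(frozen=True)
class ClientPolicy:
    # Realms this client may be used in; an empty set means "any whitelisted realm".
    allowed_realms: frozenset = frozenset()
    # Assumption: a client registered with a secret is confidential, otherwise public.
    has_secret: bool = False
    # Illustrative per-client policy knob (assumed): require PKCE from this client.
    require_pkce: bool = False


@dataclass(frozen=True)
class GatewayPolicy:
    realm_whitelist: frozenset
    clients: dict  # client_id -> ClientPolicy; the keys double as the client ID whitelist

    def client_type(self, client_id: str) -> str:
        """REQ-CLIENT-002: classify a whitelisted client as public or confidential."""
        return "confidential" if self.clients[client_id].has_secret else "public"

    def evaluate(self, realm: str, params: dict) -> tuple:
        """Return (http_status, error_body) for one request; error_body is None when allowed.
        Checks run in order: realm whitelist, client whitelist, per-client realms, per-client policy."""
        if realm not in self.realm_whitelist:  # REQ-REALM-001 / REQ-REALM-002
            return 403, error("access_denied", f"Realm '{realm}' is not in the whitelist")
        client_id = params.get("client_id", "")
        client = self.clients.get(client_id)  # REQ-CLIENT-001
        if client is None:
            return 403, error("access_denied", f"Client '{client_id}' is not in the whitelist")
        if client.allowed_realms and realm not in client.allowed_realms:  # REQ-REALM-003
            return 403, error("access_denied", f"Client '{client_id}' is not allowed in realm '{realm}'")
        if client.require_pkce and "code_challenge" not in params:  # REQ-CLIENT-003
            return 400, error("invalid_request", f"Client '{client_id}' must use PKCE")
        return 200, None


def error(code: str, description: str) -> dict:
    return {"error": code, "error_description": description}


def render(body: dict) -> str:
    # Compact JSON without spaces, matching the expected-response format above.
    return json.dumps(body, separators=(",", ":"))


def parse_auth_request(url: str) -> tuple:
    """Extract (realm, query params) from an authorization request URL."""
    parsed = urlparse(url)
    match = REALM_PATH.match(parsed.path)
    if match is None:
        raise ValueError(f"not a realm authorization endpoint: {parsed.path}")
    params = {key: values[0] for key, values in parse_qs(parsed.query).items()}
    return match.group(1), params


def check_url(policy: GatewayPolicy, url: str) -> tuple:
    realm, params = parse_auth_request(url)
    return policy.evaluate(realm, params)


# Constructed sample policy: two whitelisted realms, a public client pinned to one realm
# and required to use PKCE, and a confidential service client allowed in any whitelisted realm.
SAMPLE_POLICY = GatewayPolicy(
    realm_whitelist=frozenset({"customers", "partners"}),
    clients={
        "myapp": ClientPolicy(allowed_realms=frozenset({"customers"}), require_pkce=True),
        "batch-svc": ClientPolicy(has_secret=True),
    },
)

# The sample request from the test above (REALM-001: unknown realm blocked).
SAMPLE_REQUEST = (
    "https://keycloak-alg:8443/realms/unknown-realm/protocol/openid-connect/auth?"
    "response_type=code&client_id=myapp&redirect_uri=https://app.example.com/cb"
)

if __name__ == "__main__":
    status, body = check_url(SAMPLE_POLICY, SAMPLE_REQUEST)
    print(status, render(body))
```

The realm check runs before any client lookup, so a request to a non-whitelisted realm is rejected without revealing whether the client ID exists; the remaining checks only apply inside a whitelisted realm, which keeps the per-client rules from being reachable through an unknown realm.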