diff --git a/src/middlewares/auth-provider/keycloak.ts b/src/middlewares/auth-provider/keycloak.ts
index de8ed42..05d856f 100644
--- a/src/middlewares/auth-provider/keycloak.ts
+++ b/src/middlewares/auth-provider/keycloak.ts
@@ -16,11 +16,7 @@ const jwtVerify = createVerifier({
 const jwtDecode = createDecoder();
-export async function keycloakAuth(
-  request: Express.Request,
-  _securityName?: string,
-  _scopes?: string[],
-) {
+export async function keycloakAuth(request: Express.Request, roles?: string[]) {
   const token = request.headers["authorization"]?.includes("Bearer ")
     ? request.headers["authorization"].split(" ")[1]
     : request.headers["authorization"];
@@ -49,6 +45,12 @@ export async function keycloakAuth(
     }
   }
+  if (Array.isArray(roles) && roles.length > 0 && Array.isArray(payload.roles)) {
+    if (!roles.some((a: string) => payload.roles.includes(a))) {
+      throw new HttpError(HttpStatus.FORBIDDEN, "คุณไม่มีสิทธิในการเข้าถึงข้อมูลดังกล่าว");
+    }
+  }
+
   return payload;
 }
diff --git a/src/middlewares/auth.ts b/src/middlewares/auth.ts
index 75f3773..ad0bb1e 100644
--- a/src/middlewares/auth.ts
+++ b/src/middlewares/auth.ts
@@ -6,11 +6,11 @@ import { keycloakAuth } from "./auth-provider/keycloak";
 export async function expressAuthentication(
   request: Express.Request,
   securityName: string,
-  _scopes?: string[],
+  scopes?: string[],
 ) {
   switch (securityName) {
     case "keycloak":
-      return keycloakAuth(request);
+      return keycloakAuth(request, scopes);
     default:
       throw new HttpError(HttpStatus.NOT_IMPLEMENTED, "ไม่ทราบวิธียืนยันตัวตน");
   }
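Review bot: The new `roles` parameter on the exported `keycloakAuth` has no TSDoc, and because the caller in auth.ts forwards tsoa's `scopes` array into it, a reader cannot tell from the signature whether the strings are Keycloak role names, whether an empty or missing array means "no role check", or whether any-of or all-of matching applies. A short TSDoc above the signature stating that `roles` are Keycloak role names, that an empty or absent list skips the check, and that the token must hold at least one listed role (which is what the check later in the function implements) would settle this for route authors. keycloakAuth's body continues outside this hunk.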
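Review bot: The role check fails open when a role list is required but the token carries no array `roles` claim — the `Array.isArray(payload.roles)` term in the outer condition turns the whole block into a no-op and `payload` is returned as authorized, so a token with the claim missing, or present as a non-array value, passes a route that demanded a role. The guard should depend only on whether roles were requested, with a missing claim counting as no roles granted: `if (Array.isArray(roles) && roles.length > 0) {`, `const granted: string[] = Array.isArray(payload.roles) ? payload.roles : [];`, `if (!roles.some((a) => granted.includes(a))) {`. Separately, Keycloak access tokens by default carry realm roles under `realm_access.roles` rather than a top-level `roles` claim, so unless a protocol mapper adds that claim this check would never see any roles — worth confirming against the realm configuration. keycloakAuth's signature and the code that sets `payload` are outside this hunk.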
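Review bot: Forwarding tsoa's `scopes` straight into `keycloakAuth(request, scopes)` silently redefines every `@Security("keycloak", [...])` decorator in the project: the strings are now matched as Keycloak role names, with any-of semantics, rather than as OAuth scopes, and nothing at the call site says so. A one-line comment on the `case "keycloak":` branch, e.g. `// tsoa "scopes" are interpreted as Keycloak role names; the token must hold at least one of them`, would make that contract visible where the dispatch happens. The closing brace of expressAuthentication is outside this hunk.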