I have a fleet of applications that need a new OAuth/OIDC server, as the previous one was discontinued, and Keycloak was the obvious choice.
I think the number of applications that will have to use the realm will be at least around 20 small applications, and they need to call each other in different ways, with different client configurations, etc.
I need the JWT I request to contain the roles of the applications each application is interested in, but only the roles belonging to the user. Scopes look like a good way to group things, or even to have single subsets of permissions that can be requested optionally.
The issue is that mapping scopes to ASP.NET 8 authorization policies or roles is a bit of a pain, so I still need roles. And I don't want to hardcode roles inside scopes via mappers, because that would be absolutely painful to maintain and would mean throwing away a good chunk of Keycloak's pretty good UI and role management.
So can I do that? Can my roles in the JWT be a union of the roles the scopes have and the user has, plus the base roles that do not belong to any scope?
Having this in the JWT is important because it lets the system support more load, since you don't have to make an extra call somewhere that may become a bottleneck when there is quite a bit of traffic.