How to map user roles to activity

I have a keycloak implementation that I use to authenticate/authorize users in my app. I’ve deployed keycloak on our setup and setup a realm, a client, a couple of roles (user, manager) and a couple of users u1 and u2 one with role user and the other with role manager.

I am calling the keycloak REST API to authenticate the user and then another one to get the roles associated with that user from the token received.

I have a couple of API’s that I have in my system: doThis and doAnotherThing. doThis needs role “manager” only User not allowed. doAnotherThing works for both roles.

Right now, I internally have a map of API to the roles that can call them. (this is in my code itself - a simple Once the user logs in it returns an access token. The client then calls the API doThis with the access token it just received. Now, in the doThis API, it gets the token and then gets the roles this token (user) has and checks the internal map I have, to see if this API has that role listed against its name.

If yes - the rest of the code proceeds else doThis returns a 401 error.

Can this mapping of roles to API be done better? I know that the client in the keycloak setup is meant to indicate a service. But we create a user under a client right? How do we have the same user under multiple clients? Also, when we call the authenticate user API in keycloak, we have to pass client ID as a parameter. For a user with multiple roles (in other words access to multiple API’s), how do we decide which client to pass? Can we pass multiple clients?

Please suggest.

Thanks in advance.