Keycloak - Assigning role per tenant

I am using KeyCloak for my SaaS for retail stores where a single user might have a different role based on the store they log in to, e.g.

Store A:
  - User A: Owner
  - User B: Cashier
Store B:
  - User B: Owner

...

i.e., user B is a cashier at store A and an owner of store B. This means that when they are working at store B they have different (more) permissions.

I have been following the accepted answer on this post, "keycloak - give users different permissions per tenant / account - Stack Overflow", where each store in the platform has its own KeyCloak client. When the user logs into that client, only the user's role for that client is returned in the token, which can then be used by my app.

I have also created a public-client which is the default clientId for the app (Blazor WASM) so the user can perform the initial login and get the stores that the user is associated with from the backend API. The rationale for this was the browser does not know initially where the user is logging in from, and I would like that flexibility in my app to switch between clients.

I have tried a few things to get this to work:

  • Directing the user back to KeyCloak after selecting the store with the clientId associated with that store as a query parameter
  • Adjusting the .NET services container but this does not seem to be possible.

Essentially, I am at the stage where I can get the initial JWT using the public client, but when I want to get the user using the store's KeyCloak clientId I can't get it to work. I'm a little stuck as to where to go from here; is there a particular way in KeyCloak to enable this?
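Whatever the login flow ends up being, the backend API has to decide which client a presented token was issued to before it trusts any store role in it. The following is an added example (not code from the question or from Keycloak) of that check: it reads Keycloak's standard `azp`, `aud` and `resource_access` claims and only returns roles from the entry belonging to the expected store client. The client ids `store-a`, `store-b` and `retail-app` and the sample claims are constructed, and signature and issuer verification are assumed to have been done already by the JWT library.

```python
# Added example: backend-side check that a Keycloak access token belongs to
# the expected per-store client before any role inside it is honoured.
# Assumes the decoded, signature-verified claims are passed in as a dict.
PUBLIC_CLIENT = "retail-app"   # assumed id of the default public client


class TokenRejected(Exception):
    """Raised when the token must not be used for the requested store."""


def store_roles(claims: dict, store_client_id: str, now: int) -> list[str]:
    """Return the roles the user holds for store_client_id, or raise."""
    if claims.get("exp", 0) <= now:
        raise TokenRejected("token expired")
    # azp (authorized party) is the client the token was actually issued to.
    # A token from the public login client must not unlock store operations.
    azp = claims.get("azp")
    if azp != store_client_id:
        raise TokenRejected(f"token issued to {azp!r}, not to {store_client_id!r}")
    # Keycloak emits aud as a string for one audience or a list for several.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if store_client_id not in aud:
        raise TokenRejected("store client is not in the token audience")
    # Read only this client's entry; never fall back to another client's roles,
    # otherwise User B's owner role at store B could leak into store A.
    entry = claims.get("resource_access", {}).get(store_client_id, {})
    return sorted(entry.get("roles", []))


def has_store_role(claims: dict, store_client_id: str, role: str, now: int) -> bool:
    """Convenience wrapper: True only if the check passes and the role is present."""
    try:
        return role in store_roles(claims, store_client_id, now)
    except TokenRejected:
        return False


# Constructed sample claims for "User B" from the question (signatures omitted).
TOKEN_STORE_A = {"sub": "user-b", "azp": "store-a", "aud": "store-a", "exp": 2000,
                 "resource_access": {"store-a": {"roles": ["cashier"]}}}
TOKEN_STORE_B = {"sub": "user-b", "azp": "store-b", "aud": ["store-b", "account"],
                 "exp": 2000, "resource_access": {"store-b": {"roles": ["owner"]}}}
# Initial login via the public client: carries both entries but is not a store token.
TOKEN_PUBLIC = {"sub": "user-b", "azp": PUBLIC_CLIENT, "aud": PUBLIC_CLIENT, "exp": 2000,
                "resource_access": {"store-a": {"roles": ["cashier"]},
                                    "store-b": {"roles": ["owner"]}}}
```

Run with `now` taken from the clock; the constructed tokens use `exp` 2000, so a `now` of 1000 treats them as still valid.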