Nested Token - Permissions per Group

Hello all,

I’m planning to integrate Keycloak into my existing application to replace the old system.

My use case provides that users receive a selection of groups and associated roles.
Groups represent independent organizations. Roles usually differ in read and write permissions, so far there are 6.
Users can then have different roles in the various organizations.
For example, a user can have admin rights in OrgaA and read authorization in OrgaB.

In addition, the groups have a self-assigned ID, which the backend needs (if not otherwise possible, the name would also be fine).

For the group ID, I have assigned an attribute group_id to each group and included this as a user attribute mapper in the token.
In my current implementation, I receive all group IDs and all roles in the access token.

To achieve my desired state, I have come up with the following procedure so far:

If possible, I envision the following token content:

{
  "permissions": {
    "1234": [
      "Fibu_Kassenführer"
    ],
    "5678": [
      "Fibu_Admin"
    ]
  }
}

Do you have another, better idea on how to implement the use case?
And can you assist with an idea/code on how the group/permission mapping can be included in a token?
Thanks a lot for your ideas.

Best regards
Florian

By developing a custom mapper I could solve the problem.
If anyone has the same problem and would like to see the code, feel free to reach out.
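The custom mapper itself was not posted in the thread; the following is an added illustration (not Florian's code and not part of Keycloak) of how such a protocol mapper can build the nested `permissions` claim from each group's `group_id` attribute and the roles mapped to that group. It assumes the Keycloak 2x protocol-mapper SPI, that the mapper is configured with claim name `permissions` and claim JSON type `JSON`, and the package and provider id are hypothetical.

```java
package example.keycloak; // hypothetical package

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.stream.Collectors;

import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;

// Adds a claim of the form {"<group_id>": ["role", ...], ...} to the access token.
public class GroupPermissionsMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper {
    public static final String PROVIDER_ID = "group-permissions-mapper"; // hypothetical provider id
    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();
    static { OIDCAttributeMapperHelper.addAttributeConfig(CONFIG, GroupPermissionsMapper.class); }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Group permissions"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Maps each group's group_id attribute to the roles the user holds through that group."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel model, UserSessionModel userSession,
                            KeycloakSession session, ClientSessionContext ctx) {
        UserModel user = userSession.getUser();
        Map<String, List<String>> permissions = new TreeMap<>();
        user.getGroupsStream().forEach(group -> {
            String groupId = group.getFirstAttribute("group_id"); // the organization id attribute from the thread
            if (groupId == null) return; // groups without an id are not organizations, skip them
            List<String> roles = group.getRoleMappingsStream()
                    .map(RoleModel::getName).sorted()
                    .collect(Collectors.toCollection(ArrayList::new));
            // two groups sharing one group_id would be merged into a single entry
            permissions.merge(groupId, roles, (a, b) -> { a.addAll(b); return a; });
        });
        OIDCAttributeMapperHelper.mapClaim(token, model, permissions); // writes under the configured claim name
    }
}
```

The class has to be registered in `META-INF/services/org.keycloak.protocol.ProtocolMapper` and deployed as a provider JAR before it appears in the client scope's mapper list; note that `getRoleMappingsStream()` returns the roles mapped directly to the group, not composite expansions.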

Have you considered using Keycloak Authorization Services and maybe the new Organization feature? If you considered it but did not use it, could you tell why it wasn’t suitable for your needs?

I might have to replace a legacy authorization system in some months, so I’d like to have some feedback from people who faced a similar problem.

I didn’t consider the authorization services. But looking at the docs now, I still wouldn’t use it. The things holding me back: a) the configuration seems to be client specific, but I plan on using two clients for my two applications and b) the available configurations don’t seem to support my use case.

Regarding the new organization feature: I looked into it after it was officially released with v26. The main features to have a separated login aren’t needed in my use case. One can be a member in multiple organizations and have different permissions/roles depending on the orga; this would be possible. So it looks like I could use the new feature, but I don’t see an advantage yet.