Organization and realm roles (ACL)

Hi :wave:,

I have recently updated Keycloak to 26.1.0 from version 25; it looks like Keycloak now supports multiple organizations per user account.
The UI and functionality look great.

Until now, I have been assigning realm roles (admin, manager, auditor, etc.), and at first glance, everything seemed fine.

Here is where my uncertainty arises: Previously, users were assigned to only one realm and were, for example, the admin or manager for a specific organization. However, now the JWT token may contain more than one organization.

This introduces complexity in my application’s logic when a user is an admin in one organization but just a regular user in another.

I would like to know the recommended way to distinguish (set up) the role sets for each organization in Keycloak. :thinking:

Sample JWT to clarify my integration

```json
{
  "exp": 1737179238,
  "iat": 1737150438,
  "jti": "6b92fbc3-3005-4d7f-960d-e08c6e4bb45d",
  "iss": "https://some-domain.com",
  "aud": "account",
  "sub": "d019f228-2469-4cdd-b086-4c3cd5fe3aef",
  "typ": "Bearer",
  "azp": "backend",
  "sid": "e9c9254c-5b59-4a8e-b90a-7766ef1b25d1",
  "acr": "1",
  "realm_access": {
    "roles": [
      "admin",
      "manager",
      "offline_access",
      "uma_authorization"
    ]
  },
  "scope": "openid organization:* profile email",
  "organizations": {
    "organization-one": {
      "id": "eb8e50f0-7e88-4da7-9a49-b8e33e19e0d8"
    },
    "organization-two": {
      "id": "4d37de35-f388-4c81-bdff-c41d67de66e5"
    }
  },
  "name": "Admin User",
  "preferred_username": "Admin User",
  "given_name": "Admin",
  "family_name": "User"
}
```
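To make the ambiguity in the post concrete, here is an added example (not code from the post or from Keycloak) that evaluates the sample token's claims. It assumes the token has already been signature-verified, and it shows that because `realm_access.roles` is not keyed by organization, a membership-plus-role check grants the same roles in every organization listed under `organizations`; the last function flags tokens where that happens for a privileged role, which is worth logging.

```python
import json

# Constructed sample: the claims from the token above, trimmed to the fields
# the authorization decision actually uses.
SAMPLE_CLAIMS = json.loads("""
{
  "sub": "d019f228-2469-4cdd-b086-4c3cd5fe3aef",
  "realm_access": {"roles": ["admin", "manager", "offline_access", "uma_authorization"]},
  "organizations": {
    "organization-one": {"id": "eb8e50f0-7e88-4da7-9a49-b8e33e19e0d8"},
    "organization-two": {"id": "4d37de35-f388-4c81-bdff-c41d67de66e5"}
  }
}
""")


def org_memberships(claims):
    """Organization aliases the token asserts membership of (may be empty)."""
    return set(claims.get("organizations", {}).keys())


def realm_roles(claims):
    """Realm-level roles; these are global, not scoped to any organization."""
    return set(claims.get("realm_access", {}).get("roles", []))


def effective_roles_per_org(claims):
    """Roles the token grants in each organization.

    Realm roles carry no organization qualifier, so every realm role is
    replicated into every organization the user belongs to.
    """
    roles = realm_roles(claims)
    return {org: set(roles) for org in org_memberships(claims)}


def has_role_in_org(claims, org_alias, role):
    """Check using only what this token shape can express: membership of
    org_alias via the 'organizations' claim AND the realm role. It cannot
    express 'admin in org one but plain user in org two'."""
    return org_alias in org_memberships(claims) and role in realm_roles(claims)


def cross_org_privilege(claims, privileged=frozenset({"admin", "manager"})):
    """Return the organizations in which a privileged realm role would apply
    when the user belongs to more than one; empty means no ambiguity."""
    orgs = org_memberships(claims)
    if len(orgs) > 1 and realm_roles(claims) & set(privileged):
        return sorted(orgs)
    return []
```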

This is the first step of the Organization feature. There are many pending features on the roadmap [1].

[1] Keycloak Organizations · Issue #30180 · keycloak/keycloak · GitHub