Hi,
I have recently updated Keycloak to 26.1.0 from version 25; it looks like Keycloak now supports multiple organizations per user account.
The UI and functionality look great.
Until now, I have been assigning realm roles (admin, manager, auditor, etc.), and at first glance, everything seemed fine.
Here is where my uncertainty arises: Previously, users were assigned to only one realm and were, for example, the admin or manager for a specific organization. However, now the JWT token may contain more than one organization.
This introduces complexity in my application’s logic when a user is an admin in one organization but just a regular user in another.
I would like to know the recommended way to distinguish (set up) the role sets for each organization in Keycloak.
Sample JWT to clarify my integration:

```json
{
  "exp": 1737179238,
  "iat": 1737150438,
  "jti": "6b92fbc3-3005-4d7f-960d-e08c6e4bb45d",
  "iss": "https://some-domain.com",
  "aud": "account",
  "sub": "d019f228-2469-4cdd-b086-4c3cd5fe3aef",
  "typ": "Bearer",
  "azp": "backend",
  "sid": "e9c9254c-5b59-4a8e-b90a-7766ef1b25d1",
  "acr": "1",
  "realm_access": {
    "roles": [
      "admin",
      "manager",
      "offline_access",
      "uma_authorization"
    ]
  },
  "scope": "openid organization:* profile email",
  "organizations": {
    "organization-one": {
      "id": "eb8e50f0-7e88-4da7-9a49-b8e33e19e0d8"
    },
    "organization-two": {
      "id": "4d37de35-f388-4c81-bdff-c41d67de66e5"
    }
  },
  "name": "Admin User",
  "preferred_username": "Admin User",
  "given_name": "Admin",
  "family_name": "User"
}
```
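To make the risk in the question concrete, here is an added example (not code from the original post or from the Keycloak project) that parses the sample claims above and contrasts two authorization checks on the application side. The naive check combines the realm-wide `realm_access.roles` with membership in the `organizations` claim and therefore grants `admin` in every organization the user belongs to. The stricter check only grants a role for an organization when an explicit organization-scoped role claim says so; the claim name `organization_roles` and its shape are an assumption for illustration (Keycloak does not emit such a claim out of the box, so it would have to come from a custom protocol mapper or a separate lookup), and signature and expiry validation are assumed to have been done already by the JWT library.

```python
"""Per-organization authorization over Keycloak-style claims.

Added illustration, not Keycloak's own code. The `organization_roles` claim
is a hypothetical, application-defined claim; `realm_access` and
`organizations` follow the shape of the token shown in the question.
"""
import json

# Constructed sample, trimmed from the token in the question (values are the
# question's own, unrelated to any live realm). Signature/exp checks are
# assumed to have happened before these claims are trusted.
SAMPLE_TOKEN_JSON = """
{
  "sub": "d019f228-2469-4cdd-b086-4c3cd5fe3aef",
  "azp": "backend",
  "realm_access": {"roles": ["admin", "manager", "offline_access", "uma_authorization"]},
  "scope": "openid organization:* profile email",
  "organizations": {
    "organization-one": {"id": "eb8e50f0-7e88-4da7-9a49-b8e33e19e0d8"},
    "organization-two": {"id": "4d37de35-f388-4c81-bdff-c41d67de66e5"}
  }
}
"""
SAMPLE_CLAIMS = json.loads(SAMPLE_TOKEN_JSON)


def realm_roles(claims):
    """Realm-wide roles from `realm_access.roles` (empty set if absent)."""
    return set(claims.get("realm_access", {}).get("roles", []))


def organizations_in_token(claims):
    """Organization aliases the token says the user is a member of."""
    orgs = claims.get("organizations", {})
    return set(orgs.keys()) if isinstance(orgs, dict) else set()


def naive_is_allowed(claims, org_alias, required_role):
    """The ambiguous check: realm role + org membership.

    Because realm roles are not scoped to an organization, this grants
    `required_role` in *every* organization in the token.
    """
    return (required_role in realm_roles(claims)
            and org_alias in organizations_in_token(claims))


def org_scoped_roles(claims, org_alias, roles_claim="organization_roles"):
    """Roles explicitly granted for one organization.

    Assumed claim shape (hypothetical, e.g. produced by a custom mapper):
        "organization_roles": {"organization-one": ["admin"], ...}
    Anything malformed is treated as 'no roles' so the check fails closed.
    """
    scoped = claims.get(roles_claim, {})
    if not isinstance(scoped, dict):
        return set()
    roles = scoped.get(org_alias, [])
    return set(roles) if isinstance(roles, list) else set()


def strict_is_allowed(claims, org_alias, required_role):
    """Grant only when the token proves the role *for that organization*.

    Membership in `organizations` is still required, but realm-wide roles are
    never interpreted as organization roles.
    """
    if org_alias not in organizations_in_token(claims):
        return False
    return required_role in org_scoped_roles(claims, org_alias)


if __name__ == "__main__":
    for org in ("organization-one", "organization-two"):
        print(org, "naive:", naive_is_allowed(SAMPLE_CLAIMS, org, "admin"),
              "strict:", strict_is_allowed(SAMPLE_CLAIMS, org, "admin"))
```

Running the block prints `naive: True` for both organizations and `strict: False` for both, which is the point of the question: with only realm roles in the token, the application cannot tell an admin of organization-one from a plain member of organization-two, so any check that does not consult an organization-scoped source of roles has to either deny or over-grant.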