Necroing a topic 5 years later. Has anything been done in regard to https://issues.redhat.com/browse/KEYCLOAK-1720 ?
Right now you can either use resource roles or realm roles from the token to validate against @RolesAllowed. This is fundamentally a JakartaEE restriction because it does not know any difference between source of the roles and this is therefore a security issue (user could get a realm role from a client role if they happen to be named the same). Is there anything to be done on the Keycloak side at all? It seems to me this should actually be resolved in JakartaEE Security(?) by expanding the annotation with some kind of namespacing of roles. Would JakartaEE Security specification be the appropriate place to further this discussion?
Validating against both roles seems like an important aspect to me because usually you will have a realm level “user” role and then give specific roles for each client. As soon as you enable resource based roles you lose valuable realm information.