I'm experimenting with role mappings among microservices & frontends (keycloak-clients in Keycloak terms).
Let's suppose I have two keycloak clients:
- routemanagement-api
- routemanagement-webapp
In the routemanagement-api I'd define some roles, let's say one of them: regular-user. This role is not a composite role.
In the routemanagement-webapp, I'd define another role, also named regular-user. This is a composite role. I'd associate it with the "regular-user" role in the routemanagement-api.
Then, I create a user. Let's suppose this user registers through routemanagement-webapp. So, my registration logic will assign "routemanagement-webapp:regular-user" role to this newly created user.
Since "routemanagement-webapp:regular-user" is associated with "routemanagement-api:regular-user" role, calls to routemanagement-api REST endpoints will succeed.
You see, I don't need realm (upper-level) roles to make that happen. I can jump from one client to another client directly. I'd say my approach is a top-down approach: the frontend apps at the top, the apis at the bottom. I'm thinking of having a separate webapp for provisioning users. The user will be granted roles for the "webapps" she is allowed to use. The correct permissions to use the associated apis are handled in the Keycloak UI, by that composite-roles trick.
What do you think of that approach? Is it a correct way of thinking? And what do we need realm roles for?
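As an added illustration (not code from the original post or from Keycloak itself), here is a small model of what the setup above produces: the composite client role is expanded into effective roles, those roles are grouped into the token's `resource_access` claim, and the api checks that claim. It assumes the webapp client's scope includes the api roles (the default "full scope allowed"); the role names and token payload are constructed for the example.

```python
# Composite definitions, "client:role" -> roles it is associated with.
# Constructed to mirror the post: the webapp's regular-user is composite and
# includes the api's regular-user, which is not composite.
COMPOSITES = {
    "routemanagement-webapp:regular-user": {"routemanagement-api:regular-user"},
}


def expand_roles(assigned):
    """Return every effective role reachable (transitively) from the assigned ones."""
    effective = set()
    stack = list(assigned)
    while stack:
        role = stack.pop()
        if role in effective:
            continue  # already expanded; also protects against cyclic composites
        effective.add(role)
        stack.extend(COMPOSITES.get(role, ()))
    return effective


def resource_access_claim(effective):
    """Group effective client roles by client, the shape of the token's resource_access claim."""
    claim = {}
    for entry in sorted(effective):
        client_id, role = entry.split(":", 1)
        claim.setdefault(client_id, {"roles": []})["roles"].append(role)
    return claim


def api_allows(token_payload, client_id, required_role):
    """Resource-server side check: only the api's own client role counts, not the webapp's."""
    roles = token_payload.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return required_role in roles


if __name__ == "__main__":
    # A user registered through the webapp gets only the webapp role assigned directly.
    effective = expand_roles({"routemanagement-webapp:regular-user"})
    token = {"resource_access": resource_access_claim(effective)}
    print(token)
    print(api_allows(token, "routemanagement-api", "regular-user"))
```

If the composite association is missing, the token carries only the webapp role and the api check fails, which is the behaviour the webapp-to-api "jump" relies on.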