I've got fine-grained authz permissions working for the admin console now. There's 4 roles associated with each realm (represented as an app in keycloak-admin realm). These allows users to manage the realm, clients, applications and/or users. The admin console has also been updated to only show the sections a user has permissions to (for example if a user can only manage-users the settings, applications and clients links are not shown). Obviously rest endpoints check for permissions as well. There's a few issues left that I'm working on: * Need to fix refresh in admin - I'm hoping to use refresh tokens for this * Admin needs to log out/log back in after creating realm - An admin (super) has access to all 4 roles for all realms. When a realm is created these roles are created as well, so the current token doesn't contain these roles. AuthenticationManager was starting to become quite messy, so I extracted methods specific to admin console and account into a separate AppAuthManager. The token in the cookies created for these didn't use to include roles, which I've added to make it simpler to check for permissions. If anyone wants to have a look at what I've got atm it's at: https://github.com/stianst/keycloak/tree/admin-access