It's been a while since we discussed this, but I thought I'd add my question to this thread since it is related. I'm now looking into authorizing requests based on domain-specific permissions.
Here's the use case:
For example, if the URL is '/my-app/1/some-resource', we need to check whether the user has an account in 'my-app 1' (which is an entry in the applications database) and add the respective roles (also from the applications database); if the URL is /my-app/2/..., the same needs to happen for 'my-app 2', etc.
The idea would be to add some kind of security interceptor which extracts the Keycloak user id, matches the id to the domain user (user from e.g. my-app 1), and adds the role mapping of the domain user. Since we'd like to continue using the EJB annotations (RolesAllowed etc.), we'd need to make sure those domain users' roles are propagated to the security context.
So the question is, would you recommend extending the Keycloak login module? Or can you think of an easier way, e.g. a web filter?
My question is whether to extend the WildFly adapter (KeycloakLoginModule) or to