[keycloak-user] Clients purely for namespacing, makes sense?

Geoffrey Cleaves geoff at opticks.io
Sat Nov 24 02:37:52 EST 2018


Hi, looking for a little advice. I have a typical SPA front end and REST
API.

Each customer can have multiple users with different roles like admin or
user. It's conceivable for a single user to belong to two different
customer accounts.

Because a single user could be an admin to account A and only a user in
account B, I thought of using Keycloak clients for namespacing the roles. I
would create a disabled client for each account purely to namespace the
roles.

Make sense?

I believe I would continue to use a single public client for the SPA and a
single bearer-only client for the API resource server.

I've read that Keycloak has issues with large numbers of clients, but I
only expect to reach a few hundred.
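
How the API resource server could enforce the per-account roles described above, as an added example that is not part of the original post. It assumes the access token's signature, issuer, audience and expiry were already verified, that Keycloak places each account client's roles under the token's `resource_access` claim, and a hypothetical `account-<id>` client naming convention.

```python
"""Per-account authorization from Keycloak client roles (added example)."""

# Hypothetical naming convention: one Keycloak client per customer account.
CLIENT_PREFIX = "account-"


def roles_for_account(claims, account_id):
    """Return the set of roles the token grants inside one account namespace.

    `claims` is the payload of an access token that has ALREADY been
    verified (signature, issuer, audience, expiry); that step is not shown.
    Any missing or malformed structure yields an empty set (fail closed).
    """
    access = claims.get("resource_access")
    if not isinstance(access, dict):
        return set()
    entry = access.get(CLIENT_PREFIX + account_id)
    if not isinstance(entry, dict):
        return set()
    roles = entry.get("roles")
    if not isinstance(roles, list):
        return set()
    return {r for r in roles if isinstance(r, str)}


def is_authorized(claims, account_id, required_role):
    """Allow only if the role is held in the requested account's namespace.

    Realm roles and roles held under other accounts are deliberately ignored,
    so being admin of account A grants nothing in account B.
    """
    return required_role in roles_for_account(claims, account_id)


# Constructed sample payload: admin in account A, plain user in account B.
SAMPLE_CLAIMS = {
    "sub": "constructed-user-id",
    "realm_access": {"roles": ["admin"]},  # must not leak into any account
    "resource_access": {
        "account-A": {"roles": ["admin", "user"]},
        "account-B": {"roles": ["user"]},
        "account-C": {"roles": "admin"},  # malformed: string, not a list
    },
}

if __name__ == "__main__":
    for acct in ("A", "B", "C", "D"):
        print(acct, is_authorized(SAMPLE_CLAIMS, acct, "admin"))
```

The account identifier passed to `is_authorized` should come from the request being authorized (for example the account in the URL path), so the role check is always made against the namespace of the resource actually being accessed.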

