[keycloak-user] Setup of role model with two layers in keycloak

Sven Voigt sven.voigt at gmail.com
Tue Jul 2 15:55:52 EDT 2019


Hello there!

I'm part of a frontend project and I need some help to bring our 
authorization model into keycloak. We're building on node.js and the 
whole project uses stateless microservices - both in our frontend 
middleware and for the whole backend services we use. The frontend uses 
the standard JS adapter for session and token management.

So far we have identified four roles: travel agent, back office, 
configurator and data security officer. That's easy so far. My problem 
is how to model the next authorization layer we need.

For example: For the travel agents we want to be able to grant per 
person whether he can see specific customer data or is able to cancel 
orders. There are about 6-8 options for the travel agents. Thus, for the 
back office there shall be options for stock operations or different 
views on orders and so on.

Like the backend, we don't persist any data! That's why I have to store all 
the things in keycloak and find a way to easily bring this information 
back to our middleware.

Here's what I tried / thought of so far:
* Use groups for the first layer and roles for the second one. --> 
doesn't work because the groups don't get exposed in the token.
* Use realm roles for the upper and attributes for the lower hierarchy. 
--> attributes are not included in the access token.
* Use realm roles for the upper and client roles for the lower hierarchy. 
--> works, but we have to make sure that roles on the second layer are 
definitely associated with only one role on the first layer. I don't 
know how yet.
* Use roles for the first layer and resources on the second one. --> 
That seems to get very close to what we need. But at the moment I can't 
figure out the correct approach with all these policies and 
permissions...

Thanks for any help and please let me know if I shall provide some 
further information.

Sven
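Added example (not from the original post or from Keycloak itself): a middleware check for the third option above, realm roles for the first layer and client roles for the second, which enforces that a second-layer client role only counts when the single realm role that owns it is also present in the same token. The client id, the role names and the ownership table are assumptions; the token is assumed to have been signature-verified by the adapter already, so only the decoded claims are inspected.

```javascript
// Hypothetical client id and ownership table: every second-layer client role
// belongs to exactly one first-layer realm role. Keeping this table in the
// middleware is what guarantees a client role cannot "float" between layers.
const CLIENT_ID = "travel-portal";
const PERMISSION_OWNER = {
  "view-customer-data": "travel-agent",
  "cancel-orders": "travel-agent",
  "stock-operations": "back-office",
  "order-views": "back-office",
};

// Return the second-layer permissions a caller may actually use. A client role
// is granted only if its owning realm role is present; unmapped roles or roles
// whose owner is missing are rejected and reported for logging/alerting.
// `claims` is the decoded (already verified) Keycloak access token payload.
function effectivePermissions(claims, clientId = CLIENT_ID, owners = PERMISSION_OWNER) {
  const realmRoles = new Set((claims.realm_access && claims.realm_access.roles) || []);
  const clientAccess = claims.resource_access && claims.resource_access[clientId];
  const clientRoles = (clientAccess && clientAccess.roles) || [];
  const granted = [];
  const rejected = [];
  for (const role of clientRoles) {
    const owner = owners[role];
    if (owner !== undefined && realmRoles.has(owner)) granted.push(role);
    else rejected.push(role);
  }
  return { realmRoles: [...realmRoles], granted, rejected };
}

// Convenience check for a single permission, e.g. before cancelling an order.
function hasPermission(claims, permission, clientId = CLIENT_ID, owners = PERMISSION_OWNER) {
  return effectivePermissions(claims, clientId, owners).granted.includes(permission);
}

// Express-style guard (hypothetical wiring): assumes the adapter integration has
// placed the verified claims on req.tokenClaims. Denies with 403 when the
// permission is missing or its owning realm role is absent.
function requirePermission(permission) {
  return (req, res, next) => {
    if (hasPermission(req.tokenClaims || {}, permission)) return next();
    res.status(403).end();
  };
}

// Constructed sample claims in the shape Keycloak emits for realm and client
// roles: a travel agent who was also assigned a back-office client role by
// mistake, plus a role that is not in the ownership table at all.
const SAMPLE_CLAIMS = {
  sub: "constructed-user-id",
  realm_access: { roles: ["travel-agent"] },
  resource_access: {
    [CLIENT_ID]: { roles: ["view-customer-data", "stock-operations", "unknown-role"] },
  },
};
```

With the sample claims only `view-customer-data` is granted; `stock-operations` is rejected because `back-office` is not among the realm roles, and `unknown-role` because it is not mapped to any owner.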