I've updated the Namespaced Roles proposal to include some new use cases and changes.
The whole idea of this proposal is to enhance the way we define roles in Keycloak, adding a namespace that can be leveraged for different uses:
- They will be used to scope management roles to specific realms so Keycloak can avoid creating redundant clients whose only purpose is to group management roles together.
- They can also be used to define fine-grained permissions both for Keycloak internal management and for user-defined roles.
- Another thing we wanted to allow was to assign a role in the context of an entity. With the current implementation, everyone in a group has the same role because it's inherited from the group. With the new implementation, a user can have a role per group that is different from the rest of the users.
- Lastly, it will allow users to define their own roles hierarchy that matches their business needs and decide how to map them to token claims more easily.
I'm looking forward to getting some feedback from the community.