Yes, a very typical question indeed.
We had a similar use case with two more constraints. The organization
was a 3-level tree of contexts and every context exposed the same set of
roles.
A user may be in any of the levels having any combination of the roles
with no automatic hierarchical relationships.
We were not allowed to use multiple semantics for groups (contexts and
roles) as suggested by Garth because groups were needed in order to bind
to a pre-existing LDAP instance which had to be preserved for legacy
purposes. Thus groups correspond only to contexts but not roles.
Access to the infrastructures is granted through specific applications
called gateways which are orthogonal to contexts and may group together
access to different contexts.
The way we solved this is the following:
1) register one public client for every gateway (few) - let's call them
gateway clients
2) register one confidential client for every context (several dozens) -
let's call them context clients
3) create a set of client roles for every context client (ten)
4) create a group tree reflecting the context tree and map to every
group the least powerful role of the corresponding context, being
"Member"; in this way a user belonging to a group is necessarily granted
at least the role Member of that context.
5) Grant access from a gateway through standard OIDC flow with the
corresponding gateway client. Access Token with full scope carries, for
the identified user, all roles for every context.
6) Use the set of roles to allow the user to select the context he/she
wants to operate in.
7) Once the user selects a context, request an RPT (following UMA flow)
for the according context client. RPT doesn't have full scope. Thus it
carries only the permission for the user to access the Default Resource
of that specific context client.
8) Use this RPT to call backend services.
PROS: the model covers all the tricky requirements but still looks sound
to us. Every call to backend service carries only the required
information (user identity and context).
CONS: It is rather complex and thus required a significant effort in
order to automate all workflows for setup, provisioning and maintenance.
Hope that this is somehow useful and most importantly I'd like to have
feedback on this.
Thanks,
Marco.
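As an added example (not Marco's code, and not part of the original post), the following Python models the realm layout from steps 1-4 as Keycloak admin REST representations and the client-side logic of steps 5-7. Field names (`clientId`, `publicClient`, `fullScopeAllowed`, `authorizationServicesEnabled`, `clientRoles`, `subGroups`, `resource_access`, the UMA ticket `grant_type`) are Keycloak's own; the `ctx-`/`gw-` naming convention, the context names, and the three role names are assumptions made for illustration. It runs offline and produces the JSON you would POST to the admin API, so the provisioning automation mentioned under CONS can be built on top of it.

```python
# Added example: offline model of the realm layout described in the post.
# Representation field names follow Keycloak's admin REST API; the naming
# convention (ctx-*/gw-*), context names and role names are assumptions.
import json

# Assumption: three of the ten per-context roles; "Member" is the least powerful.
CONTEXT_ROLES = ["Member", "Editor", "Admin"]
UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def context_client_id(context: str) -> str:
    """Assumed naming convention: one confidential client per context."""
    return f"ctx-{context}"


def context_client(context: str) -> dict:
    """ClientRepresentation for a context client (step 2): confidential, with
    Authorization Services enabled so the token endpoint can issue UMA RPTs
    for it; no browser login flow since users log in through a gateway."""
    return {
        "clientId": context_client_id(context),
        "publicClient": False,
        "serviceAccountsEnabled": True,
        "authorizationServicesEnabled": True,
        "standardFlowEnabled": False,
    }


def context_roles() -> list[dict]:
    """RoleRepresentations for the client roles of one context (step 3)."""
    return [{"name": r, "clientRole": True} for r in CONTEXT_ROLES]


def gateway_client(name: str, redirect_uri: str) -> dict:
    """ClientRepresentation for a public gateway client using the standard
    OIDC flow (step 1). fullScopeAllowed=True is what makes the access token
    carry every context role the user holds (step 5)."""
    return {
        "clientId": f"gw-{name}",
        "publicClient": True,
        "standardFlowEnabled": True,
        "fullScopeAllowed": True,
        "redirectUris": [redirect_uri],
    }


def group_tree(tree: dict) -> list[dict]:
    """GroupRepresentations mirroring the context tree; every group maps the
    "Member" client role of its own context client (step 4), so membership
    alone grants at least Member there and nothing in other contexts."""
    groups = []
    for context, children in tree.items():
        groups.append({
            "name": context,
            "clientRoles": {context_client_id(context): ["Member"]},
            "subGroups": group_tree(children),
        })
    return groups


def selectable_contexts(access_token_claims: dict) -> dict[str, list[str]]:
    """Step 6: from the full-scope access token's resource_access claim,
    list the contexts the user may select, with the roles held in each.
    Roles of non-context clients (e.g. 'account') are ignored."""
    out = {}
    for client_id, entry in access_token_claims.get("resource_access", {}).items():
        if client_id.startswith("ctx-"):
            roles = [r for r in entry.get("roles", []) if r in CONTEXT_ROLES]
            if roles:
                out[client_id[len("ctx-"):]] = roles
    return out


def rpt_request(context: str) -> dict:
    """Step 7: form fields for the UMA ticket grant at the token endpoint,
    sent with the gateway access token as Bearer. The returned RPT has only
    the selected context client as audience, which is what backend services
    (step 8) should check before honouring it."""
    return {"grant_type": UMA_TICKET_GRANT, "audience": context_client_id(context)}


if __name__ == "__main__":
    # Constructed sample: a 3-level context tree and a decoded gateway token.
    tree = {"org": {"dept-a": {"team-a1": {}}, "dept-b": {}}}
    print(json.dumps(group_tree(tree), indent=2))
    claims = {"resource_access": {"ctx-dept-a": {"roles": ["Member", "Editor"]},
                                  "account": {"roles": ["view-profile"]}}}
    print(selectable_contexts(claims))   # {'dept-a': ['Member', 'Editor']}
    print(rpt_request("dept-a"))
```

Backend services in step 8 should verify the RPT's `aud` equals their own context client and reject tokens whose audience is a gateway client; the narrow-audience RPT is what keeps each call carrying only the identity and the one context.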