I am using KeyCloak for my SaaS for retail stores where a single user might have a different role based on the store they log in to, e.g.
Store A: - User A: OWNER - User B: CashierStore B: - User B: Owner...i.e., user B is a cashier at store A and an owner of store B. This means when they are working at store B they have different (more) permissions
I have been following the accepted answer on this post keycloak - give users different permissions per tenant / account where each store in the platform has it's own KeyCloak client. When the user logs into that client, the only the user's role for that client is returned in the token which can then be used by my app.
I have also created a public-client which is the default clientId for the app (Blazor WASM) so the user can perform the initial login and get the stores that the user is associated with from the backend API. The rationale for this was the browser does not know initially where the user is logging in from, and I would like that flexibility in my app to switch between clients.
Essentially, I am at the stage where I can get the initial JWT using the public client, but when I want to get a token provided by the store client (which contains the role at that store)
I'm a little stuck as to where to go from here, is there a particular way in KeyCloak to enable this? I have read a custom auth flow might be needed but unsure if this is the right start.
I have tried a couple of things to get this to work:
- Directing the user back to KeyCloak after selecting the store with the clientId associated with that store as a query parameter
- Adjusting the .NET services container while it's running but this does not seem to be possible.