Keycloak - Assigning role per tenant

I am using KeyCloak for my SaaS for retail stores where a single user might have a different role based on the store they log in to, e.g.

Store A:
  - User A: OWNER
  - User B: Cashier
Store B:
  - User B: Owner

...

i.e., user B is a cashier at store A and an owner of store B. This means when they are working at store B they have different (more) permissions

I have been following the accepted answer on this post keycloak - give users different permissions per tenant / account where each store in the platform has it's own KeyCloak client. When the user logs into that client, the only the user's role for that client is returned in the token which can then be used by my app.

I have also created a public-client which is the default clientId for the app (Blazor WASM) so the user can perform the initial login and get the stores that the user is associated with from the backend API. The rationale for this was the browser does not know initially where the user is logging in from, and I would like that flexibility in my app to switch between clients.

Essentially, I am at the stage where I can get the initial JWT using the public client, but when I want to get a token provided by the store client (which contains the role at that store)

I'm a little stuck as to where to go from here, is there a particular way in KeyCloak to enable this? I have read a custom auth flow might be needed but unsure if this is the right start.

I have tried a couple of things to get this to work:

• Directing the user back to KeyCloak after selecting the store with the clientId associated with that store as a query parameter
• Adjusting the .NET services container while it's running but this does not seem to be possible.

I have figured out a way (from the KeyCloak side at least) on how to do this.

KeyCloak config

Within Keycloak I have two main tenants to use:

• confidential-client (for the backend API to talk to Keycloak)
• public-client for the web app

To achieve the desired role structure I am using a combination of client roles and user groups. For each store:

1. Create a client for that represents that store (don't need to assign authentication flows)
   • Create the roles at that store as Client Roles
2. Create a group for that store with sub-groups that represent the groups
   • Configure the role mapping from the client roles to that group role
   • Assign the users for that role
3. Ensure that the public client maps the client roles

This will produce a JWT that has the role at each store associated with the user.

.NET config

Once the user has logged in through the Keycloak provider:

• route them to a page to select which store they are logged in at
• This sends a request to the API which, if the user has permission at that store, a secure cookie is placed in the browser representing the selected store
• In .NET create a custom IClaimsTransformation that checks if the selected store is passed in as a cookie and if so, gets the users role for that store specifically and maps it to a ClaimType.Role on the ClaimsIdentity

With regards to the Blazor WASM side, that is something I am trying to work out now.