How are Keycloak roles managed?

梦毁少年i 2021-02-01 07:21

Keycloak is a great tool, but it lacks proper documentation.

So we have Realm.roles, Client.roles and User.roles

How do these 3 work together when accessing an a

1 answer
  • 2021-02-01 07:35

    In Keycloak we have those 3 roles:

    1. Realm Role
    2. Client Role
    3. Composite Role

    There are no User Roles in Keycloak. You most likely confused that with User Role Mapping, which is basically mapping a role (realm, client, or composite) to the specific user.

    In order to find out how these roles actually work, let's first take a look at a simple Realm model I created. As you can see in the picture below, every Realm has one or multiple Clients. And every Client can have multiple Users attached to it.

    Now from this it should be easy to conclude how role mappings work.

    Realm Role: It is a global role, belonging to that specific realm. You can access it from any client and map to any user. Ex Role: 'Global Admin, Admin'

    Client Role: It is a role which belongs only to that specific client. You cannot access that role from a different client. You can only map it to the Users from that client. Ex Roles: 'Employee, Customer'

    Composite Role: It is a role that has one or more roles (realm or client ones) associated with it.
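
The role relationships described in the answer above, as an added example that is not part of the original answer and is not Keycloak's own code: a simplified Python model that expands a user's role mappings through composite roles into effective roles, and a check that keeps realm scope and client scope apart. All realm, client, user and role names are constructed sample data.

```python
# Added illustration: a simplified model of role resolution, not Keycloak code.
# Every name below (clients, users, roles) is constructed sample data.

REALM_ROLES = {"global-admin", "admin"}
CLIENT_ROLES = {"shop": {"employee", "customer"}, "billing": {"employee"}}

# Composite role -> roles it contains. A role is (scope, name), where scope
# is "realm" for a realm role or the client id for a client role.
COMPOSITES = {
    ("realm", "global-admin"): {("realm", "admin"), ("billing", "employee")},
    ("realm", "admin"): {("shop", "employee")},
    ("shop", "employee"): {("shop", "customer")},
}

# User role mappings: the roles assigned directly to each user.
ROLE_MAPPINGS = {
    "alice": {("realm", "global-admin")},
    "bob": {("shop", "employee")},
}


def role_exists(role):
    """A role is valid only if it is defined in its own scope."""
    scope, name = role
    if scope == "realm":
        return name in REALM_ROLES
    return name in CLIENT_ROLES.get(scope, set())


def effective_roles(user):
    """Expand direct mappings through composites; the seen-set stops cycles."""
    seen, stack = set(), list(ROLE_MAPPINGS.get(user, ()))
    while stack:
        role = stack.pop()
        if role in seen or not role_exists(role):
            continue  # already expanded, or not defined in that scope
        seen.add(role)
        stack.extend(COMPOSITES.get(role, ()))
    return seen


def has_role(user, name, client=None):
    """Check a realm role (client=None) or a role of one specific client.

    Matching on (scope, name) rather than the bare name means "employee"
    on the shop client never satisfies a check for "employee" on billing.
    """
    return (client or "realm", name) in effective_roles(user)
```
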
