eclipse-apoapsis / ort-server

A scalable server implementation of the OSS Review Toolkit.
https://eclipse-apoapsis.github.io/ort-server/
Apache License 2.0

Consider Keycloak resources for authorization instead of dynamically created roles #984

Open mmurto opened 2 months ago

mmurto commented 2 months ago

As a warning, I'm not super deep in Keycloak. Nevertheless, the way ORT Server uses Keycloak's client roles dynamically (permission_organization_$ORGID_write etc.) seems unintuitive. What ORT Server wants to do is to protect resources (organizations, products etc.), and for that Keycloak has native functionality to manage resources, policies and permissions. To me this seems like a better fit than the current method of handling authorization. There have also been some reports where a large number of roles has led to performance issues (though the specific problem may have been solved in later releases), and with the current authorization model the role count grows very large.

What is the reason for going with these dynamic roles for authorization instead of Keycloak's resource authorization service?
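For reference, a sketch of the resource-based flow described above (register each organization as a Keycloak resource, then ask the token endpoint for a decision instead of checking a per-organization role). This is an added example, not ORT Server code and not from either commenter; the realm name, client id and resource type URI are assumptions, and the HTTP transport is injected so it can be exercised without a running Keycloak.

```python
"""Resource-based authorization against Keycloak's Protection API and
UMA decision endpoint (constructed example; names are assumptions)."""
import json
from typing import Any, Callable, Dict

TOKEN_PATH = "/realms/{realm}/protocol/openid-connect/token"
RESOURCE_PATH = "/realms/{realm}/authz/protection/resource_set"
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

# Transport: (method, url, headers, body) -> parsed JSON response.
# Injected so the flow can be driven by a real HTTP client or a fake.
Sender = Callable[[str, str, Dict[str, str], Any], Dict[str, Any]]


def register_organization(send: Sender, base: str, realm: str,
                          pat: str, org_id: int) -> str:
    """Register one organization as a protected resource.
    `pat` is the Protection API token of the resource-server client
    (obtained with a client_credentials grant). Returns the resource id
    Keycloak assigns; no new roles are created."""
    body = {
        "name": f"organization:{org_id}",
        "type": "urn:ort-server:organization",  # assumed type URI
        "resource_scopes": ["read", "write", "delete"],
    }
    headers = {"Authorization": f"Bearer {pat}",
               "Content-Type": "application/json"}
    resp = send("POST", base + RESOURCE_PATH.format(realm=realm),
                headers, json.dumps(body))
    return resp["_id"]


def decide(send: Sender, base: str, realm: str, client_id: str,
           access_token: str, org_id: int, scope: str) -> bool:
    """Ask Keycloak whether the caller holds `scope` on the organization.
    response_mode=decision returns {"result": true} (or an access_denied
    error) instead of a new RPT, so each check is one stateless call
    and the policies live in Keycloak, not in a role name."""
    form = {
        "grant_type": UMA_GRANT,
        "audience": client_id,
        "permission": f"organization:{org_id}#{scope}",
        "response_mode": "decision",
    }
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/x-www-form-urlencoded"}
    resp = send("POST", base + TOKEN_PATH.format(realm=realm), headers, form)
    return bool(resp.get("result", False))
```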

mnonnenmacher commented 2 months ago

I totally agree with that. I wanted to look into resources since the initial implementation but never found the time.

@mmurto In the context of #504, do you know if the other auth providers you suggest there have similar features?