epam / edp-keycloak-operator

It is responsible for establishing a connection to provided Keycloak Server, reconciling realms, and clients according to the created CRs
https://docs.kuberocketci.io
Apache License 2.0

Support for composite client role #44

Closed Sebastian-Gil-wcq closed 6 months ago

Sebastian-Gil-wcq commented 7 months ago

Is your feature request related to a problem? Please describe. At the moment, when I attempt to create a role using KeycloakRealmRoleBatch or KeycloakRealmRole, I'm not able to use client roles (or I see no way how I can use them). A sample KC role config looks like:

      {
        "id": "5bd3bcd6-d87d-48fb-88d5-18715e1165eb",
        "name": "wcq-api-client-mgmt",
        "description": "",
        "composite": true,
        "composites": {
          "client": {
            "realm-management": [
              "query-clients",
              "manage-users",
              "view-realm",
              "manage-clients"
            ]
          }
        },
        "clientRole": false,
        "containerId": "812b10c8-8e7d-4806-9eb2-675c565d7243",
        "attributes": {}
      }

This is the prerequisite for fine grained permission handling that can allow client to query/rotate its own secret.

Describe the solution you'd like I would like to have both realm roles and client roles usable as composites.

Describe alternatives you've considered The only alternative is to do it manually in the KC UI.

Additional context [Screenshot 2024-04-12 at 12:38:23 pm]

zmotso commented 7 months ago

Hi @Sebastian-Gil-wcq. We currently don't support client roles in the KeycloakRealmRoleBatch or KeycloakRealmRole composite role. We accepted this feature and will implement it.

elimaneg commented 7 months ago

Awesome! Will be waiting for its implementation.

zmotso commented 6 months ago

Done. The feature will be introduced in the next release. KeycloakRealmRole with client roles example:

apiVersion: v1.edp.epam.com/v1
kind: KeycloakRealmRole
metadata:
  name: keycloakrealmrole-sample
spec:
  description: developer role
  name: test-role
  realmRef:
    name: keycloakrealm-sample
    kind: KeycloakRealm
  composite: true
  composites:
    - name: offline_access
  compositesClientRoles:
    broker:
      - name: read-token
    account:
      - name: manage-account
      - name: view-profile
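As an added example (not code from the operator or from anyone in this thread), the following Python script converts a Keycloak role representation like the one posted at the top of the issue into a KeycloakRealmRole manifest using the `composites` and `compositesClientRoles` fields shown in the maintainer's sample, and lists which realm-management composites are admin-level so a reviewer sees the blast radius before the CR is applied. The field layout follows the sample above; the sample input is constructed from the issue, and the apiVersion, the CR naming and the set of roles treated as privileged are assumptions.

```python
"""Convert a Keycloak RoleRepresentation into an edp-keycloak-operator
KeycloakRealmRole manifest (composites / compositesClientRoles layout as shown
in the thread). Added example; everything not in the thread is an assumption."""
import json

# Constructed input: the realm role from the issue, reduced to the fields the
# conversion needs. Keycloak keys client-role composites by clientId.
KEYCLOAK_ROLE_JSON = """
{
  "name": "wcq-api-client-mgmt",
  "description": "",
  "composite": true,
  "composites": {
    "client": {
      "realm-management": ["query-clients", "manage-users", "view-realm", "manage-clients"]
    }
  },
  "clientRole": false
}
"""

# realm-management roles that amount to realm administration. Which ones count
# as "too broad" is a local policy decision; this set is an assumption.
ADMIN_LIKE_REALM_MGMT_ROLES = {
    "realm-admin", "manage-realm", "manage-users", "manage-clients",
    "manage-authorization", "manage-identity-providers", "impersonation",
}

API_VERSION = "v1.edp.epam.com/v1"  # taken from the maintainer's sample


def to_realm_role_cr(role, cr_name, realm_ref):
    """Build the KeycloakRealmRole CR (as a dict) for a Keycloak realm role."""
    if role.get("clientRole"):
        raise ValueError("KeycloakRealmRole describes realm roles, not client roles")
    composites = role.get("composites") or {}
    # RoleRepresentation: composites.realm is a list of realm role names,
    # composites.client maps clientId -> list of client role names.
    realm_composites = [{"name": n} for n in composites.get("realm", [])]
    client_composites = {
        client_id: [{"name": n} for n in names]
        for client_id, names in composites.get("client", {}).items()
    }
    spec = {
        "name": role["name"],
        "description": role.get("description", ""),
        "realmRef": {"name": realm_ref, "kind": "KeycloakRealm"},
        "composite": bool(role.get("composite")),
    }
    if realm_composites:
        spec["composites"] = realm_composites
    if client_composites:
        spec["compositesClientRoles"] = client_composites
    return {"apiVersion": API_VERSION, "kind": "KeycloakRealmRole",
            "metadata": {"name": cr_name}, "spec": spec}


def privileged_grants(cr):
    """realm-management composites in the CR that confer admin-level rights."""
    client_roles = cr["spec"].get("compositesClientRoles", {})
    return sorted(f"realm-management/{r['name']}"
                  for r in client_roles.get("realm-management", [])
                  if r["name"] in ADMIN_LIKE_REALM_MGMT_ROLES)


def _scalar(v):
    if isinstance(v, bool):
        return "true" if v else "false"
    return '""' if v == "" else str(v)


def to_yaml(value, indent=0):
    """Minimal YAML emitter for the CR's dict/list/scalar shape (plain strings
    only; no quoting of special characters)."""
    pad, lines = "  " * indent, []
    if isinstance(value, dict):
        for k, v in value.items():
            if isinstance(v, (dict, list)) and v:
                lines.append(f"{pad}{k}:")
                lines.append(to_yaml(v, indent + 1))
            else:
                lines.append(f"{pad}{k}: {_scalar(v)}")
    elif isinstance(value, list):
        for item in value:
            if isinstance(item, dict):
                body = to_yaml(item, indent + 1).splitlines()
                lines.append(f"{pad}- {body[0].lstrip()}")  # first key on the "- " line
                lines.extend(body[1:])
            else:
                lines.append(f"{pad}- {_scalar(item)}")
    else:
        lines.append(f"{pad}{_scalar(value)}")
    return "\n".join(lines)


def sample_cr():
    """Convert the constructed role above; CR and realm names are assumptions."""
    return to_realm_role_cr(json.loads(KEYCLOAK_ROLE_JSON),
                            "wcq-api-client-mgmt", "keycloakrealm-sample")


if __name__ == "__main__":
    cr = sample_cr()
    print(to_yaml(cr))
    for grant in privileged_grants(cr):
        print(f"# WARNING: grants {grant}")
```

Running the script prints a manifest whose `compositesClientRoles.realm-management` list carries the four roles from the issue and flags `manage-users` and `manage-clients` as admin-level; the realm-role path (`composites`) is only emitted when the source role actually has realm composites, so the two fields are never populated with empty lists.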