I have figured out a way (from the Keycloak side at least) to do this.
Keycloak config
Within Keycloak I have two main tenants to use:
- confidential-client (for the backend API to talk to Keycloak)
- public-client (for the web app)
To achieve the desired role structure I am using a combination of client roles and user groups. For each store:
- Create a client that represents that store (no need to assign authentication flows)
- Create the roles at that store as Client Roles
- Create a group for that store with sub-groups that represent the groups
- Configure the role mapping from the client roles to that group role
- Assign the users for that role
- Ensure that the public client maps the client roles
This will produce a JWT that has the role at each store associated with the user.
.NET config
Once the user has logged in through the Keycloak provider:
- route them to a page to select which store they are logged in at
- This sends a request to the API which, if the user has permission at that store, places a secure cookie in the browser representing the selected store
- In .NET, create a custom IClaimsTransformation that checks whether the selected store is passed in as a cookie and, if so, gets the user's role for that store specifically and maps it to a ClaimTypes.Role on the ClaimsIdentity
With regards to the Blazor WASM side, that is something I am trying to work out now.
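An added example of the .NET side described in this answer (illustration only, not the answerer's code): a claims transformation that reads the selected-store cookie and promotes that store's Keycloak client roles to ClaimTypes.Role, plus the endpoint that sets the cookie only after checking the token. Assumptions: the cookie is named `selected-store` and carries the Keycloak client ID of the store, Keycloak emits client roles as `resource_access.<client-id>.roles`, and the JWT bearer handler surfaces that nested object as a single JSON-valued `resource_access` claim (the System.IdentityModel.Tokens.Jwt handler does this). The endpoint route and the `store_roles_mapped` marker claim are illustrative names.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;

// Added example, not the original poster's code. Assumptions: the cookie is named
// "selected-store" and holds the Keycloak client ID of the store; Keycloak emits
// client roles as resource_access.<client-id>.roles and the JWT bearer handler
// surfaces that object as one JSON-valued "resource_access" claim.
//
// Program.cs wiring (assumed):
//   builder.Services.AddHttpContextAccessor();
//   builder.Services.AddScoped<IClaimsTransformation, StoreRoleClaimsTransformation>();
//   app.MapPost("/select-store/{storeId}", StoreRoleClaimsTransformation.SelectStore)
//      .RequireAuthorization();
public sealed class StoreRoleClaimsTransformation : IClaimsTransformation
{
    public const string StoreCookieName = "selected-store";
    private const string MappedMarker = "store_roles_mapped";
    private readonly IHttpContextAccessor _http;

    public StoreRoleClaimsTransformation(IHttpContextAccessor http) => _http = http;

    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        var ctx = _http.HttpContext;
        if (ctx is null || principal.Identity is not ClaimsIdentity identity || !identity.IsAuthenticated)
            return Task.FromResult(principal);

        // TransformAsync can run more than once per request; only map roles once.
        if (identity.HasClaim(c => c.Type == MappedMarker))
            return Task.FromResult(principal);

        if (!ctx.Request.Cookies.TryGetValue(StoreCookieName, out var store) || string.IsNullOrWhiteSpace(store))
            return Task.FromResult(principal);

        // Roles come from the signed token, never from the cookie: a forged cookie
        // naming a store the user has no roles at simply yields no role claims.
        var resourceAccess = identity.FindFirst("resource_access")?.Value;
        if (resourceAccess is null)
            return Task.FromResult(principal);

        foreach (var role in RolesForClient(resourceAccess, store))
            identity.AddClaim(new Claim(ClaimTypes.Role, role));

        identity.AddClaim(new Claim("selected_store", store));
        identity.AddClaim(new Claim(MappedMarker, "true"));
        return Task.FromResult(principal);
    }

    // Extracts resource_access.<clientId>.roles from the JSON claim value.
    public static IReadOnlyList<string> RolesForClient(string resourceAccessJson, string clientId)
    {
        try
        {
            using var doc = JsonDocument.Parse(resourceAccessJson);
            if (!doc.RootElement.TryGetProperty(clientId, out var client) ||
                !client.TryGetProperty("roles", out var roles) ||
                roles.ValueKind != JsonValueKind.Array)
                return Array.Empty<string>();

            return roles.EnumerateArray()
                        .Where(r => r.ValueKind == JsonValueKind.String)
                        .Select(r => r.GetString()!)
                        .ToList();
        }
        catch (JsonException)
        {
            return Array.Empty<string>();
        }
    }

    // Store-selection endpoint: sets the cookie only if the caller's token proves
    // they hold at least one role at that store.
    public static IResult SelectStore(HttpContext ctx, string storeId)
    {
        var resourceAccess = (ctx.User.Identity as ClaimsIdentity)?.FindFirst("resource_access")?.Value;
        if (resourceAccess is null || RolesForClient(resourceAccess, storeId).Count == 0)
            return Results.Forbid();

        ctx.Response.Cookies.Append(StoreCookieName, storeId, new CookieOptions
        {
            HttpOnly = true,
            Secure = true,
            SameSite = SameSiteMode.Strict,
            IsEssential = true,
        });
        return Results.NoContent();
    }
}
```

With this in place, `[Authorize(Roles = "manager")]` (or a role-based policy) on API endpoints is evaluated against the roles the user holds at the currently selected store only; switching store is another POST to the selection endpoint. Because the role claims are derived from the signed token on every request rather than stored in the cookie, the cookie only needs to be tamper-resistant enough to avoid being switched by another site, which the `HttpOnly`/`Secure`/`SameSite=Strict` options provide.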