Flask-AppBuilder
Add AUTH_ROLES_MAPPING support using Keycloak OAuth
AUTH_ROLES_MAPPING is not currently supported when using the Keycloak provider.
Mimicking what has been done for Azure, it seems we would need to add a single line of code ("role_keys": me.get("roles", []),) in the return dictionary for the Keycloak provider, located here:
https://github.com/dpgaspar/Flask-AppBuilder/blob/dcb32c78e6baacb5685843a1e33de4aab9171b80/flask_appbuilder/security/manager.py#L655
I think it is the same with Okta; add one line.
"role_keys": data.get("groups", []),
@nilivingston can you help?
The access token returned by Keycloak can contain client roles, and if no action is taken on the Keycloak config side (changing the key name from which to retrieve the roles, e.g. to "roles" from the default resource_access.$client_id.roles), client roles are usually available at ["resource_access"]["some_keycloak_client_id"]["roles"], not at the "roles" key, so the above won't work.
If this change is made, it should be accompanied by the related necessary Keycloak setup; but it might not be possible for everyone to make this change, or maybe someone wants to call that key by another name or keep the default.
On the other hand, one can override the method get_oauth_user_info and include role_keys, whatever they are for the given Keycloak setup, and plug in this new FAB security manager class (F.A.B. addon) to retrieve roles whether they are present in the "roles" key at the root level or at resource_access.$client_id.roles.
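As an added example (not Flask-AppBuilder's code, nor any commenter's), the role lookup a custom security manager override of get_oauth_user_info could use: it collects role names from the root "roles" key, from Keycloak's realm_access.roles, and from resource_access.<client_id>.roles for the configured client only, then resolves them through an AUTH_ROLES_MAPPING-style dict. The function names, the client id "fab-client" and the sample payload are constructed for this example; the mapping format (provider role name to list of FAB role names) is assumed.

```python
from typing import Dict, List


def keycloak_role_keys(me: Dict, client_id: str) -> List[str]:
    """Return every role name found in a Keycloak userinfo/token payload,
    de-duplicated and in discovery order. Missing sections yield no roles
    instead of raising, so a payload without client roles still maps."""
    found: List[str] = []
    # 1. roles placed at the root by a custom Keycloak mapper
    #    (what the proposed one-line "role_keys" change reads)
    found.extend(me.get("roles", []))
    # 2. Keycloak default location for realm roles
    found.extend(me.get("realm_access", {}).get("roles", []))
    # 3. Keycloak default location for client roles; only this client's
    #    roles count, roles granted for other clients are ignored
    client_section = me.get("resource_access", {}).get(client_id, {})
    found.extend(client_section.get("roles", []))
    unique: List[str] = []
    for role in found:
        if role not in unique:
            unique.append(role)
    return unique


def map_roles(role_keys: List[str], roles_mapping: Dict[str, List[str]]) -> List[str]:
    """Resolve provider role names to FAB role names; unmapped names are dropped."""
    fab_roles: List[str] = []
    for key in role_keys:
        for role in roles_mapping.get(key, []):
            if role not in fab_roles:
                fab_roles.append(role)
    return fab_roles


# Constructed sample payload, shaped like a Keycloak token with default mappers.
SAMPLE_USERINFO = {
    "preferred_username": "jdoe",
    "email": "jdoe@example.com",
    "realm_access": {"roles": ["offline_access", "fab_admins"]},
    "resource_access": {
        "fab-client": {"roles": ["fab_users", "fab_admins"]},
        "other-client": {"roles": ["should_not_appear"]},
    },
}

# Constructed mapping in the assumed AUTH_ROLES_MAPPING shape.
SAMPLE_ROLES_MAPPING = {"fab_admins": ["Admin"], "fab_users": ["User"]}

if __name__ == "__main__":
    keys = keycloak_role_keys(SAMPLE_USERINFO, "fab-client")
    print(keys, map_roles(keys, SAMPLE_ROLES_MAPPING))
```

In the override, the dictionary returned for the Keycloak provider would set "role_keys" to keycloak_role_keys(me, client_id), with client_id taken from the OAuth provider configuration.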