Oauth2 access level

Hi, I am tasked with deploying and configuring a GitLab instance on AWS using Terraform and Ansible and there is one more step I would like to do: get access level (regular user vs admin) from SSO/Keycloak. I have already configured it to use our SSO for auth, now I was wondering if there is an automated way of obtaining access level from SSO/Keycloak? Here is the provider info I place in the gitlab.rb config file:

gitlab_rails['omniauth_providers'] = [
            'name' => 'oauth2_generic',
            'app_id' => 'gitlab',
            'app_secret' => "${SECRET}",
            'args' => {
            client_options: {
                    'site' => 'http://SSO_URL.com', # including port if necessary
                    'user_info_url' => '/auth/realms/master/protocol/openid-connect/userinfo',
                    'authorize_url' => '/auth/realms/master/protocol/openid-connect/auth',
                    'token_url' => '/auth/realms/master/protocol/openid-connect/token',
            user_response_structure: {
                #root_path: ['user'], # i.e. if attributes are returned in JsonAPI format (in a 'user' node nested under a 'data' node)
                attributes: { email:'email', first_name:'given_name', last_name:'family_name', name:'name', nickname:'preferred_username' }, # if the nickname attribute of a user is called 'username'
                id_path: 'preferred_username'

My thoughts were to create a Role Mapper in Keycloak and add that in the attributes key above.

Hi. As far as I know from the GitLab docs this is not possible with oauth and/or the openconnect id provider. The SAML provider (also supported by keycloak) has at least somewhat of support for role mapping cf. (https://docs.gitlab.com/ee/integration/saml.html). However this is limited to the paid versions of GitLab (at least the ‘Starter’ subscription is necessary).

Also take into consideration that even if you use external authentication it might not always behave as expected. E.g. at the point when users use ssh-keys for interacting with their repository it seems that GitLab doesn’t cross-check with the Identity Provider if the user is active. This means that you actively and separately have to remove/deactivate users that should not have the rights to access GitLab anymore inside GitLab, c.f. https://forum.gitlab.com/t/interaction-of-external-oidc-and-ssh-clone-push/45579