Update Keycloak Realm template

Recent Keycloak versions don't support custom mappers in individual
clients anymore.

To work around this issue, we instead patch the default `roles` client
scope to include the `local-dev` client roles in the `groups` field of
the ID and access tokens.

Author: simu

local-env/templates/realm.json.tpl

@@ -1013,6 +1013,21 @@
           "consentRequired": false,
           "config": {}
         },
+        {
+          "name": "client-role-groups",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-client-role-mapper",
+          "consentRequired": false,
+          "config": {
+            "multivalued": "true",
+            "userinfo.token.claim": "false",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "groups",
+            "jsonType.label": "String",
+            "usermodel.clientRoleMapping.clientId": "local-dev"
+          }
+        },
         {
           "name": "client roles",
           "protocol": "openid-connect",