I have configured OAuth2 and Keycloak analog for authorization using Microsoft Active Directory. It works. The user role is assigned to all users during authorization by default. I want to configure role mapping for users based on which domain group they are in. For example, so that some users get the user role and others get the moderator or admin role. Could you please advise me where I should start?