auth-keycloak: load roles from the new frontend user entity instead of the person

auth.person-id is now deprecated, auth.user-id should be used instead

auth.person is now deprecated and only contains a list of roles. There is good replacement
for this at this point.