I need to integrate an external system to federate users into Keycloak. That all works fine for the authentication part.
But I have problems integrating roles and groups stored in the external system. I tried to do it by implementing getGroupsInternal() and getRoleMappingsInternal() on the UserModel. The problem is that they don't get propagated to the access token when doing OIDC with Keycloak. The roles and groups claims are part of the token, but the roles and groups of the external system are not part of the values in the access token.
Is it possible at all to propagate roles and groups with a user storage SPI, or is the idea to manage the roles and groups in Keycloak directly? If it is possible, can anybody point me to an example of how it should be done, or does anybody know why my roles and groups are not part of the access token?
Thanks a lot for your help!
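As an added illustration (not the poster's code and not from the Keycloak project), the following adapter shows one way of wiring the two hooks named in the question: it resolves role and group names coming from a hypothetical external system against roles and groups that already exist in the realm. It assumes Keycloak's `org.keycloak.storage.adapter.AbstractUserAdapter` with its protected `getRoleMappingsInternal()` / `getGroupsInternal()` hooks, a `RealmModel.getGroupsStream()` method (present in recent Keycloak versions), and a placeholder `ExternalDirectory` client that stands in for whatever the external system exposes.

```java
// Added example, not the poster's code. ExternalDirectory is a placeholder for
// the external system's client; the Keycloak types are assumed to match
// recent Keycloak releases (AbstractUserAdapter hooks, RealmModel.getGroupsStream()).
package example.federation;

import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.stream.Collectors;

import org.keycloak.component.ComponentModel;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.storage.adapter.AbstractUserAdapter;

public class ExternalUserAdapter extends AbstractUserAdapter {

    /** Hypothetical client for the external system (not a Keycloak API). */
    public interface ExternalDirectory {
        Set<String> roleNamesOf(String username);
        Set<String> groupNamesOf(String username);
    }

    private final String username;
    private final ExternalDirectory directory;

    public ExternalUserAdapter(KeycloakSession session, RealmModel realm,
                               ComponentModel storageProviderModel,
                               String username, ExternalDirectory directory) {
        // AbstractUserAdapter derives the federated id from the component id and getUsername()
        super(session, realm, storageProviderModel);
        this.username = username;
        this.directory = directory;
    }

    @Override
    public String getUsername() { return username; }

    @Override
    public void setUsername(String username) { /* read-only backend: ignore writes */ }

    /**
     * Role names from the external system are resolved by name against roles that
     * already exist in the realm. Names with no matching realm role are dropped
     * instead of being created on the fly, so the realm stays the authority on
     * which roles can be granted at all.
     */
    @Override
    protected Set<RoleModel> getRoleMappingsInternal() {
        Set<RoleModel> roles = new HashSet<>();
        for (String name : directory.roleNamesOf(username)) {
            RoleModel role = realm.getRole(name);   // null when the realm has no such role
            if (role != null) {
                roles.add(role);
            }
        }
        return roles;
    }

    /** Same idea for groups: only realm groups whose name matches are returned. */
    @Override
    protected Set<GroupModel> getGroupsInternal() {
        Set<String> names = directory.groupNamesOf(username);
        if (names.isEmpty()) {
            return Collections.emptySet();
        }
        return realm.getGroupsStream()
                .filter(g -> names.contains(g.getName()))
                .collect(Collectors.toSet());
    }
}
```

Two things are worth checking when roles resolved this way still do not show up in the token: the role must actually exist in the realm (the lookup above returns nothing for unknown names, which is deliberate), and it must be within the client's role scope, since Keycloak filters a user's role mappings through the client's scope mappings (or "Full Scope Allowed") before the realm and client role mappers write them into the token.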