I have a client B with a set of roles B1, B2 defined, which are assigned to users or not.
I have a client A from which the user is getting a token. The backend client A makes requests against client B with the access token of the user, so it wants client B to be in the audience of the access token.
What I want to achieve:
- The client B is always in the audience of an access_token issued by client A
- The roles a user has for client B are in the resource_access.B.roles
Sounds easy, but I am struggling. What I have tried so far:
- I created a client scope a_b with two token mappers:
  - one audience mapper which adds audience B
  - one user client role mapper which is supposed to add the client roles of client B, but somehow does not work or needs to be used correctly.
- I assigned the client scope a_b to client A as default. When I request a token via A, I see that the audience B is correctly added to the access_token, but the roles of B are not visible.
- I got it barely working by using "role scope mapping" in the client scope. But this led to the case that the scope was not allowed to be used if the user has no role. But then I still want the client in the audience. And I would prefer not to have to manually add new roles to the "role scope mapping" over time.
- I don't want to use "full scope allowed".
Many thanks for your help!
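For reference, this is what the client scope described in the post looks like as a Keycloak client scope JSON representation (the shape used by realm export/import). It is an added, constructed example, not taken from the poster's setup; the mapper names "audience-b" and "client-roles-b" are chosen here, and "B" stands for the client ID of client B. Note that the client role mapper only emits roles that are in the token's scope, which is why role scope mappings affect the result while the audience mapper is unaffected.

```json
{
  "name": "a_b",
  "protocol": "openid-connect",
  "attributes": {
    "include.in.token.scope": "false",
    "display.on.consent.screen": "false"
  },
  "protocolMappers": [
    {
      "name": "audience-b",
      "protocol": "openid-connect",
      "protocolMapper": "oidc-audience-mapper",
      "consentRequired": false,
      "config": {
        "included.client.audience": "B",
        "id.token.claim": "false",
        "access.token.claim": "true"
      }
    },
    {
      "name": "client-roles-b",
      "protocol": "openid-connect",
      "protocolMapper": "oidc-usermodel-client-role-mapper",
      "consentRequired": false,
      "config": {
        "usermodel.clientRoleMapping.clientId": "B",
        "claim.name": "resource_access.${client_id}.roles",
        "jsonType.label": "String",
        "multivalued": "true",
        "access.token.claim": "true",
        "id.token.claim": "false",
        "userinfo.token.claim": "false"
      }
    }
  ]
}
```

With this scope assigned as a default client scope of client A, a user holding no B roles still gets "B" in aud, and resource_access.B is simply absent rather than causing an error, so the backend should treat a missing resource_access.B.roles as "no roles".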