How to get SpringBoot adapter not to look at the bearer token for roles?

We have many microservices each of which may have up to 100 or more roles. When the user logs into the UI the token contains all the realm roles as well as the client roles the user has access to.
I have read many articles that having this amount of roles is not right but we can’t do anything at this stage and our system has been going on for a while.
Now, I know how to remove client roles from the access token by modifying Client Scopes > roles > client roles, but if you do so, on the backend the Spring adapter fails with an error:

{"error":"invalid_scope","error_description":"Requires uma_protection scope."}

Then I tried to include the uma_protection role from that client in a composite realm role and map my user to that realm role, but still no luck (note that the realm roles are still appearing in the token).

Then next I added a new mapper in Client Scope > roles > Mapper and added uma_protection as a hardcoded role for that client, but now the error is different:

{"error":"access_denied","error_description":"not_authorized"}

What I don’t understand is that if the Spring adapter tries to get an RPT token, why is the result different? How does it know that I meddled with the token, because ultimately it gets the right scope from the Keycloak server?
Can anyone please help me to solve this issue? Have I missed anything? Any configuration I haven’t done?
Thanks

By default, the Spring adapter will only consider realm roles.

To also use client roles:

keycloak.use-resource-role-mappings=true

Thank you so much. I actually have a different problem. Maybe my question isn’t clear. The problem we are having is that the roles are increasing the size of the token and therefore the request/response fails because of exceeding the infrastructure buffer size. We already increased the buffer size to 6k but this won’t help.
So to fix that problem, we tried to remove the client roles from the token but then we get 403 for any request because it seems Keycloak only looks at the roles in the token instead of evaluating at runtime when it receives RPT request.
So this is the problem that I want to solve.
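
To see which claims account for the token size described in this thread, the following added example (not from any of the posters and not Keycloak code) decodes an access token without verifying it and reports per-claim byte counts against a header budget. Applying the 6 KiB figure to the Authorization header, the realm, client and role names, and the placeholder signature are assumptions constructed for the demo; `realm_access` and `resource_access` are the claims Keycloak uses for realm and client roles.

```python
import base64
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_payload(token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def claim_sizes(token: str) -> dict:
    """Bytes each top-level claim occupies in the compact JSON payload."""
    claims = decode_payload(token)
    return {k: len(json.dumps({k: v}, separators=(",", ":"))) - 2
            for k, v in claims.items()}

def header_report(token: str, limit: int = 6 * 1024) -> dict:
    """Compare the Authorization header size with an assumed buffer limit."""
    sizes = claim_sizes(token)
    header_bytes = len("Authorization: Bearer ") + len(token)
    return {
        "header_bytes": header_bytes,
        "over_limit": header_bytes > limit,
        "role_payload_bytes": sizes.get("realm_access", 0)
                              + sizes.get("resource_access", 0),
        "largest_claims": sorted(sizes, key=sizes.get, reverse=True)[:3],
    }

def build_token(claims: dict) -> str:
    """Constructed, unsigned sample token; 342 chars mimics an RS256 signature."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{body}.{'A' * 342}"

# Constructed sample: 20 realm roles, 5 clients with 100 client roles each.
SAMPLE_CLAIMS = {
    "iss": "https://sso.example.test/realms/demo",
    "sub": "user-1",
    "realm_access": {"roles": [f"realm-role-{i:02d}" for i in range(20)]},
    "resource_access": {
        f"svc-{c}": {"roles": [f"svc{c}-permission-{i:03d}" for i in range(100)]}
        for c in range(5)
    },
}

if __name__ == "__main__":
    print(header_report(build_token(SAMPLE_CLAIMS)))
```

Run against a real token captured from your own environment, the `largest_claims` entry shows whether client roles, realm roles or another mapper dominates before you change any client scope.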