How to include only client related roles in JWT?

When a user signs in to a client, they receive a JWT as the access token containing all the roles of all the clients assigned to that user. Is there a way (using client scopes or something else) to include in the JWT only the roles belonging to the client the user is trying to sign in to?

Here’s an example of the access token issued to client A:

...,
"resource_access": {
    "realm-management": {
        "roles": [
            "view-identity-providers",
            "view-realm",
            ...,
            "query-groups"
        ]
    },
    "account": {
        "roles": [
            "manage-account",
            "manage-account-links",
            "view-profile"
        ]
    },
    "client A": {
        "roles": [
            "some-role",
            "some-other-role"
        ]
    }
},
...

But I don’t want all these roles, I just need those of client A. Is there a way to do it with client scopes?

I’m using Keycloak 25.0.0

Go to your Client → Client scopes → “…-dedicated” → “Scope” → Full scope allowed = off
Then, only the roles of the current client are contained in the token, if the user is assigned to them.

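An added example, not from the thread above: it shows the same change as a kcadm.sh command (the "Full scope allowed" toggle corresponds to the `fullScopeAllowed` attribute of the client representation), and a small check a resource server for client A can run on a decoded token to confirm that only its own roles are present and that nothing from realm-management or account leaked in. The claim sets, the unsigned demo token and the realm/client names are constructed for the example; nothing here contacts a Keycloak server, and the payload decoder deliberately does no signature verification.

```python
import base64
import json

# Constructed sample claims (not real tokens from the thread): resource_access
# as it looked with "Full scope allowed" on, and as client A sees it after
# the toggle is turned off.
CLAIMS_FULL_SCOPE_ON = {
    "azp": "client A",
    "resource_access": {
        "realm-management": {"roles": ["view-identity-providers", "view-realm", "query-groups"]},
        "account": {"roles": ["manage-account", "manage-account-links", "view-profile"]},
        "client A": {"roles": ["some-role", "some-other-role"]},
    },
}

CLAIMS_FULL_SCOPE_OFF = {
    "azp": "client A",
    "resource_access": {
        "client A": {"roles": ["some-role", "some-other-role"]},
    },
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build an unsigned compact JWT (alg=none) purely to exercise the decoder."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature.
    A real resource server must verify the signature against the realm's JWKS
    (and check iss/exp/aud) before trusting any claim returned here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))


def own_client_roles(claims: dict, client_id: str) -> set[str]:
    """The only roles a resource server for `client_id` should act on:
    its own entry under resource_access, never another client's."""
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def foreign_clients(claims: dict, client_id: str) -> set[str]:
    """Other clients whose roles ended up in this token. Expected to be empty
    once full scope is off and no client scope maps their roles back in."""
    return set(claims.get("resource_access", {})) - {client_id}


def kcadm_disable_full_scope(realm: str, client_uuid: str) -> list[str]:
    """The admin-console toggle as a kcadm.sh command. client_uuid is the
    client's internal id (from `kcadm.sh get clients -r REALM -q clientId=...`),
    not its clientId; realm and uuid here are placeholders."""
    return ["kcadm.sh", "update", f"clients/{client_uuid}", "-r", realm,
            "-s", "fullScopeAllowed=false"]


if __name__ == "__main__":
    tok = make_unsigned_token(CLAIMS_FULL_SCOPE_OFF)
    claims = decode_jwt_payload(tok)
    print("client A roles:", sorted(own_client_roles(claims, "client A")))
    print("leaked clients:", foreign_clients(claims, "client A"))
    print(" ".join(kcadm_disable_full_scope("myrealm", "<client-uuid>")))
```

Turning full scope off shrinks the token and stops advertising a user's realm-management privileges to every client, but it is not itself an authorization control: a resource server should still read only `resource_access["<its own clientId>"].roles` after verifying the signature, and an explicit client scope that maps other clients' roles will put those roles back in regardless of the toggle.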