### Before reporting an issue
- [X] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
### Area
organizations
### Describe the bug
First, I do have "organization:*" in my scope.
I use an OAuth2 client (remix-auth-oauth2) to authenticate like this:
```ts
import { OAuth2Strategy } from "remix-auth-oauth2";

// Strategy registered with remix-auth; the verify callback receives the
// token set issued by Keycloak and resolves it to an application user.
let strategy = new OAuth2Strategy(
  {
    clientId: OAUTH_CLIENT_ID,
    clientSecret: OAUTH_CLIENT_SECRET,
    authorizationEndpoint: OAUTH_AUTH_ENDPOINT,
    tokenEndpoint: OAUTH_TOKEN_ENDPOINT,
    redirectURI: `http://localhost:5173${paths.callbacks.login}`,
    tokenRevocationEndpoint: OAUTH_REVOCATION_ENDPOINT,
    // "organization:*" requests membership info for all of the user's organizations
    scopes: ["openid", "organization:*"],
  },
  async ({ tokens, request }) => {
    // here you can use the params above to get the user and return it
    // what you do inside this and how you find the user is up to you
    return await getUser(tokens, request);
  }
);
```
I tried to change the client, same behavior:
The organization claim is inconsistently included in the JWT token returned by Keycloak, even when using the same scope parameters. This behavior is intermittent and does not follow a predictable pattern.
Most of the time:
```js
{
  exp: 1732640581,
  iat: 1732640281,
  auth_time: 1732640281,
  jti: 'something',
  iss: 'http://localhost:8080/realms/test2',
  aud: 'account',
  sub: 'something',
  typ: 'Bearer',
  azp: 'something',
  sid: 'something',
  acr: '1',
  'allowed-origins': [ 'http://localhost:5173' ],
  realm_access: {
    roles: [ 'offline_access', 'default-roles-test2', 'uma_authorization' ]
  },
  resource_access: { account: { roles: [Array] } },
  scope: 'openid organization:* email profile organization',
  email_verified: true,
  organization: {
    test2: { id: 'something' },
    test3: { id: 'something' },
    test: {
      something: [Array],
      something2: [Array],
      id: 'something'
    }
  },
  name: 'First Last',
  preferred_username: 'test',
  given_name: 'First',
  family_name: 'Last',
  email: 'test@example.com'
}
```
Sometimes:
```js
{
  exp: 1732640594,
  iat: 1732640294,
  auth_time: 1732640294,
  jti: 'something',
  iss: 'http://localhost:8080/realms/test2',
  aud: 'account',
  sub: 'something',
  typ: 'Bearer',
  azp: 'nest-app',
  sid: 'something',
  acr: '1',
  'allowed-origins': [ 'http://localhost:5173' ],
  realm_access: {
    roles: [ 'offline_access', 'default-roles-test2', 'uma_authorization' ]
  },
  resource_access: { account: { roles: [Array] } },
  scope: 'openid email profile organization organization:*',
  email_verified: true,
  name: 'First Last',
  preferred_username: 'test',
  given_name: 'First',
  family_name: 'Last',
  email: 'test@example.com'
}
```
It appears quite randomly, about one time out of 20.
The only thing that seems to be different is the order of the scopes:
- For working requests : `'openid organization:* email profile organization'`
- For non working requests: `'openid email profile organization organization:*'`
Thanks a lot for your help ! :)
### Version
26.0.0
### Regression
- [ ] The issue is a regression
### Expected behavior
The organization claim should consistently appear in the JWT token if the request and configuration are unchanged and the scope is correct.
### Actual behavior
The organization claim appears intermittently in the response token, even when the request and Keycloak configuration remain the same.
### How to Reproduce?
See above.
### Anything else?
_No response_
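To make the intermittent behaviour measurable rather than eyeballed, the following diagnostic is an added example (not the reporter's code and not part of Keycloak or remix-auth-oauth2). It decodes the payload of each access token the verify callback receives, records whether the `organization` claim is present, and compares the granted scopes as a set so that a difference in scope ordering alone is not mistaken for a difference in what was granted. The two sample tokens are constructed inline from the two payloads in the report, with a dummy signature; the decoder deliberately does not verify signatures, so it is for diagnosis only and must never be used for authorization decisions. The `Buffer` API assumed here is Node's.

```javascript
// Added diagnostic example. Decodes JWT payloads WITHOUT signature verification;
// use only to inspect tokens you already trust, never to authorize requests.

// Split a compact JWS and base64url-decode its payload segment.
function decodeJwtPayload(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) {
    throw new Error(`not a compact JWS: expected 3 segments, got ${parts.length}`);
  }
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// The OAuth2 `scope` claim is space-delimited and order is not significant,
// so compare scopes as a sorted, de-duplicated list.
function normalizedScopes(scopeClaim) {
  return [...new Set(String(scopeClaim || "").split(/\s+/).filter(Boolean))].sort();
}

function sameScopes(a, b) {
  const x = normalizedScopes(a);
  const y = normalizedScopes(b);
  return x.length === y.length && x.every((s, i) => s === y[i]);
}

// Summarize one token: is `organization` present, which orgs, which scopes,
// and the raw scope string so ordering differences stay visible.
function inspectToken(token) {
  const payload = decodeJwtPayload(token);
  const hasOrganization =
    Object.prototype.hasOwnProperty.call(payload, "organization") &&
    payload.organization !== null &&
    typeof payload.organization === "object";
  return {
    hasOrganization,
    organizations: hasOrganization ? Object.keys(payload.organization).sort() : [],
    scopes: normalizedScopes(payload.scope),
    rawScope: String(payload.scope || ""),
  };
}

// Aggregate over a batch of tokens collected from the verify callback, e.g.
// over ~20 logins, to quantify how often the claim goes missing and whether
// the granted scope set ever actually differs.
function diagnose(tokens) {
  const results = tokens.map(inspectToken);
  const reference = results[0];
  return {
    total: results.length,
    withOrganization: results.filter((r) => r.hasOrganization).length,
    withoutOrganization: results.filter((r) => !r.hasOrganization).length,
    scopeSetsIdentical: results.every((r) => sameScopes(r.rawScope, reference.rawScope)),
    distinctScopeOrders: [...new Set(results.map((r) => r.rawScope))],
  };
}

// --- Constructed sample tokens (modeled on the two payloads in the report) ---
function makeUnverifiedToken(payload) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  // Dummy signature segment: these tokens are for decoding only.
  return `${b64({ alg: "RS256", typ: "JWT" })}.${b64(payload)}.dummysignature`;
}

const base = {
  iss: "http://localhost:8080/realms/test2",
  aud: "account",
  sub: "something",
  typ: "Bearer",
  email_verified: true,
  preferred_username: "test",
};

const TOKEN_WITH_ORG = makeUnverifiedToken({
  ...base,
  scope: "openid organization:* email profile organization",
  organization: { test2: { id: "something" }, test3: { id: "something" }, test: { id: "something" } },
});

const TOKEN_WITHOUT_ORG = makeUnverifiedToken({
  ...base,
  scope: "openid email profile organization organization:*",
});

// Stand-alone run: 19 "good" tokens and 1 "bad" one, mirroring "one time out of 20".
const SAMPLE_BATCH = [...Array(19).fill(TOKEN_WITH_ORG), TOKEN_WITHOUT_ORG];
console.log(diagnose(SAMPLE_BATCH));
```

In practice, push `tokens.accessToken` (or the ID token, whichever carries the claim you rely on) into an array inside the verify callback over a series of logins and feed that array to `diagnose`; `scopeSetsIdentical: true` together with a non-zero `withoutOrganization` count is the evidence that the same grant produces different claims.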