Keycloak - Is it possible to map composite roles and their attributes to the access token?

What I am trying to accomplish is a way to map the composite roles(and their attributes), as well as their “child” roles to the access token in order to use that data.

I only see the user attribute mapper in keycloak admin console but for the role attribute I see none. Also, how do we maintain the structure/granuality of the composite roles, in order to check which roles they have aggregated?

The main idea is to have something like this:

User -> (Composite Roles with several attributes -> Roles)

I have also tried to get the information that I need this way but without success, as it throws an http 403 Forbidden exception when trying to get the realmResource.toRepresentation.

After searching, I believe that is not possible to do those type of requests, only the get ones, right?

What I was doing:

            > RealmResource realmResource = keycloak().realm(keycloakRealm);
>             if (realmResource != null) {
>                 List<RoleRepresentation> rolesRepresentationList= realmResource.toRepresentation().getRoles().getRealm();
>                 for (RoleRepresentation rolesRepresentation : rolesRepresentationList) {
>                     Composites composites = rolesRepresentation.getComposites();
>                     Map<String, List<String>> attributes = rolesRepresentation.getAttributes();
>                 }
>             }
> ```

If is not possible to do using this approach ( *User -> (Composite Roles with several attributes -> Roles*) ), do you guys have any suggestion or alternative approach?

The ideia is to map this into the access token, but I am finding it difficult to have this structure in place in the token

Thanks

*Note: I need to integrate with Azure AD so it would be nice if the approach was compatible with it's limitations*
1 Like