Keycloak-operator KubeClient Groups mapper example

kfox1111 · August 20, 2021, 3:55pm

Does anyone have an example of a Kubernetes kind: KeycloakClient object that configures the client to add the keycloak groups into the “groups” field of the ID token?

vmuzikar · August 23, 2021, 9:09am

Hi, it should be possible using mappers, see Client CRD. The config in the CRs mimics the REST API, so I’d suggest to try to configure it at first using the Admin Console, watch the browser dev console for the REST API requests to see how exactly the configuration is supposed to look, and then configure it in the same way in the CR.

kfox1111 · August 24, 2021, 7:30pm

For the record, using @vmuzikar’s help, this is an example of how to do it:

protocolMappers:
- name: groups
  id: 9a1c47d4-1e01-4ed2-9b38-e08ed7d22daa
  protocol: openid-connect
  protocolMapper: oidc-group-membership-mapper
  consentRequired: false
  config:
    "full.path": "true"
    "id.token.claim": "true"
    "access.token.claim": "true"
    "userinfo.token.claim": "true"
    "claim.name": groups

Topic		Replies	Views
Keycloak regex mappers Getting advice	1	762	February 13, 2023
How to use mapper type "key to role" in keycloak authentication , identity-brokering , oidc	0	358	January 21, 2021
Keycloak Rest API - Bug with IDP Mapper Creation Getting advice admin-rest	3	175	January 9, 2024
"Claim to User Group" Mapper Getting advice authentication , identity-brokering , oidc	3	2298	June 8, 2021
Keycloak Login and User Model with custom data from external REST API Getting advice authentication , user-federation , oidc	2	3940	April 28, 2022

Keycloak-operator KubeClient Groups mapper example

Related Topics