Mapper for client roles with multivalued disabled, still sets the value as an array

Please refer to the two images below.

I am integrating Keycloak with Hasura. It expects a value x-hasura-default-role to be (in my case) ‘tenant_admin’ or ‘tenant_user’, which will be assigned from a Client Role.

So as per the tooltip on the multivalued option, I specify that the value I want is not multivalued, expecting it will take the first role assigned to the user from the Client Roles. So why is the resulting value wrapped in ‘[’ ‘]’ when it is not multivalued? Refer to x-hasura-default-role: “[tenant_admin]”.

This causes my authorisation to fail with Hasura.

Any advice would be most welcome.
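As an added example (not code from the original poster, from Keycloak or from Hasura): a small Python script that decodes the payload segment of a token Keycloak issued, without verifying the signature, so it is a debugging aid only, and checks that the `https://hasura.io/jwt/claims` namespace has the shape Hasura expects: `x-hasura-allowed-roles` as a JSON array of strings and `x-hasura-default-role` as a plain string naming one of them. The two sample payloads are constructed here to reproduce the symptom in the question; the role names `tenant_admin` and `tenant_user` come from the post, and every other value in them is made up.

```python
"""Inspect the Hasura claim namespace in a Keycloak-issued JWT.

Added example, not from the thread or from Keycloak/Hasura. Only the payload
segment is decoded; the signature is NOT checked, so this is for looking at
what the protocol mapper actually emitted, never for authorisation.
"""
from __future__ import annotations

import base64
import json

HASURA_NS = "https://hasura.io/jwt/claims"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_payload(token: str) -> dict:
    """Return the JWT payload as a dict. The signature is not verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(b64url_decode(parts[1]))


def check_hasura_claims(payload: dict) -> list[str]:
    """Return a list of shape problems in the Hasura namespace (empty = OK)."""
    problems: list[str] = []
    ns = payload.get(HASURA_NS)
    if not isinstance(ns, dict):
        return [f"missing or non-object claim {HASURA_NS!r}"]

    allowed = ns.get("x-hasura-allowed-roles")
    if not (isinstance(allowed, list) and all(isinstance(r, str) for r in allowed)):
        problems.append("x-hasura-allowed-roles must be a JSON array of strings")
        allowed = []

    default = ns.get("x-hasura-default-role")
    if not isinstance(default, str):
        problems.append("x-hasura-default-role must be a JSON string")
    elif default.startswith("[") and default.endswith("]"):
        # The symptom from the question: a single role serialised as "[role]".
        # Hasura would look for a role literally named that, so authz fails.
        problems.append(
            f"x-hasura-default-role {default!r} is a bracket-wrapped string, "
            "not a bare role name"
        )
    elif default not in allowed:
        problems.append(f"default role {default!r} is not in allowed roles {allowed}")
    return problems


def make_unsigned_token(payload: dict) -> str:
    """Build a compact JWS with an empty signature (constructed test data only)."""
    header = {"alg": "none", "typ": "JWT"}
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(payload), ""])


# Constructed payload mirroring the question: Multivalued off, value still "[...]".
BROKEN_PAYLOAD = {
    "sub": "d1b9f3a0-0000-0000-0000-000000000001",  # made-up subject
    "preferred_username": "alice",                   # made-up user
    HASURA_NS: {
        "x-hasura-allowed-roles": ["tenant_admin", "tenant_user"],
        "x-hasura-default-role": "[tenant_admin]",
        "x-hasura-user-id": "d1b9f3a0-0000-0000-0000-000000000001",
    },
}

# Constructed payload with the shape Hasura actually accepts.
FIXED_PAYLOAD = {
    "sub": BROKEN_PAYLOAD["sub"],
    "preferred_username": "alice",
    HASURA_NS: {
        "x-hasura-allowed-roles": ["tenant_admin", "tenant_user"],
        "x-hasura-default-role": "tenant_admin",
        "x-hasura-user-id": BROKEN_PAYLOAD["sub"],
    },
}

if __name__ == "__main__":
    for label, payload in (("broken", BROKEN_PAYLOAD), ("fixed", FIXED_PAYLOAD)):
        token = make_unsigned_token(payload)
        print(label, check_hasura_claims(decode_payload(token)) or "OK")
```

Paste a real access token from the token endpoint into `decode_payload()` to see what the mapper emitted rather than inferring it from the admin console; if the checker reports the bracket-wrapped default role, the problem is in the token Keycloak issues, not in how Hasura reads it.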

I would try to switch Claim JSON Type to JSON.

Many thanks for the suggestion.

Doing so appears to cause a 500 error accessing the token endpoint.

Just to see if a valid token would be formed I changed the value from STRING to JSON, but I suspect even if this had worked, Hasura would not then correctly interpret this value as it expects just the name of a role as plain text.

But here is my Keycloak config showing JSON is selected, and the resultant 500 error which seems to occur when the token endpoint is called.

You are mixing mapper types.

I just followed your suggestion ('I would try to switch Claim JSON Type to JSON')?

What do I specifically have to do? I have no control over the type of the input that Keycloak provides to this mapper. The only control I appear to have is the drop-down selection of Claim JSON Type.

What do you suggest, can you elaborate further please?

Thanks.

Hi, does anybody else have any suggestions on this please?

In your second screenshot, you changed not only the claim return type from string to JSON, but also changed the mapper type from “User Client Role” to “User Attribute”. Maybe this causes the problems with the 500 error.

Ah, good point, I’ll go back and check.

Ok here is a side by side comparison which shows the problems with the suggestions offered so far…

In the image below we see a mapper which is intended to return the first client role assigned to the authenticating user.

When the claim type is set to JSON an unknown error is returned when calling the token endpoint.

Further, I don’t believe this is a viable solution as at best, wouldn’t we get a JSON object inserted into the token, when actually, what is required is the name of the first client role without any further adornments, i.e. no enclosing brackets.

Next, the closest I can get is to use the STRING claim type, but this wraps the name of the first client role in brackets. This has to be viewed as a bug, because the user interface clearly indicates it is not a multivalued result. When ‘Multivalued’ is toggled off, this means “get me the first value”, so singular is implicit. Providing a value typed as an array would be deemed invalid.

My target system will not accept the role wrapped in brackets, I have to find a way to get this from Keycloak as just the_role, not [ the_role ].

Thanks for your patience in reading this. It’s killing me at the minute.

Have you tried not to nest the mappers within your “http://hasura…” claim?

The claim has to be provided as is. I assume because that’s how Hasura looks for the different parts of the token it needs.

But never mind, this looks like another known issue nobody has time to fix.
Thanks for the inputs.

https://issues.redhat.com/browse/KEYCLOAK-17909?jql=text%20~%20"user%20client%20role%20mapper"

Having the exact same issue with the userId = sAMAccountName attribute in Keycloak 19. In previous versions that problem did not occur (Keycloak 15). Any workarounds in the meantime? Thanks!