Realm Group Roles in userinfo endpoint (v25.0.0)

I created a Realm.
In the Realm I created a Client
In the Client I created two roles, let’s call them Admin and Worker.
In the Realm I created two groups - an Admin group with the Admin role, and a Worker group with the Worker role.
I created a user and assigned them to both groups, so they should have both Client roles.

I created a Client Scope: “openid”, made sure it was active for the userinfo and access token endpoints, and gave it a User Client Role mapper. I made sure that the openid scope was enabled as Default for the Client I had created.

I’m authenticating against Keycloak using spring security (v6.2).
When it auths it gets a USER_ OPENID token which has all the various claims, but no mention of the roles I assigned to that user via the groups.

What am I doing wrong? Do group roles (albeit Client Roles) not get mapped using the User Client Role mapping?

Turns out adding the openid client scope does diddly squat.
What I actually needed to do was go to the existing “roles” Client scope, enable it for the token scope and change the client roles mapper for it so that it was enabled for the userinfo endpoint.
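As an added example (not from the original post or from Keycloak itself), a small Python check a practitioner can run against the userinfo response after changing the "roles" client scope, to confirm the client roles granted via groups actually appear. It assumes the default layout of Keycloak's client roles mapper, where client roles are placed under `resource_access.<client_id>.roles`; the client id `my-client` and both JSON responses are constructed sample data, the "before" one showing the symptom from the post (claims present, no roles).

```python
"""Verify that a Keycloak userinfo response carries the expected client roles.

Added example, not part of the original post. Assumes the default claim
layout of Keycloak's client roles mapper: resource_access.<client_id>.roles.
"""
import json

# Constructed sample: the response seen before the "roles" scope was fixed.
# All the usual claims are there, but no resource_access claim at all.
USERINFO_BEFORE = json.dumps({
    "sub": "constructed-subject-id",
    "preferred_username": "jdoe",
    "email_verified": True,
})

# Constructed sample: after enabling the client roles mapper for userinfo,
# the roles inherited from the Admin and Worker groups show up.
USERINFO_AFTER = json.dumps({
    "sub": "constructed-subject-id",
    "preferred_username": "jdoe",
    "email_verified": True,
    "resource_access": {
        "my-client": {"roles": ["Admin", "Worker"]},   # hypothetical client id
        "account": {"roles": ["manage-account"]},
    },
})


def client_roles(userinfo_json: str, client_id: str) -> set[str]:
    """Return the roles mapped for client_id, or an empty set when absent.

    A missing or malformed resource_access claim is treated as "no roles"
    rather than raised, because that is exactly the failure mode being checked.
    """
    claims = json.loads(userinfo_json)
    access = claims.get("resource_access")
    if not isinstance(access, dict):
        return set()
    entry = access.get(client_id)
    if not isinstance(entry, dict):
        return set()
    return set(entry.get("roles", []))


def missing_roles(userinfo_json: str, client_id: str, expected) -> set[str]:
    """Roles from `expected` that the response does not carry for client_id."""
    return set(expected) - client_roles(userinfo_json, client_id)


def check(userinfo_json: str, client_id: str, expected) -> bool:
    """Print a diagnosis and return True only if every expected role is present."""
    missing = missing_roles(userinfo_json, client_id, expected)
    if missing:
        print(f"{client_id}: missing roles {sorted(missing)}; "
              "check that the 'roles' client scope's client roles mapper "
              "is enabled for the userinfo endpoint")
        return False
    print(f"{client_id}: all expected roles present")
    return True


if __name__ == "__main__":
    expected = ["Admin", "Worker"]
    check(USERINFO_BEFORE, "my-client", expected)  # reports both roles missing
    check(USERINFO_AFTER, "my-client", expected)   # reports all present
```

Replace the constructed JSON with the body returned by the realm's userinfo endpoint to run this against a real setup; an empty result for your own client id while the `account` roles are present is the signature of the mapper being enabled for the token but not for userinfo.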
