Resource_access claim missing from userinfo - until I change the name?

Hello all,

I just ran into the most peculiar issue. While debugging some OIDC client I ran a few manual requests on keycloak using curl. When I called the userinfo endpoint, I noticed there was no resource_access claim, despite it being in the client scopes, with the client roles -> add to user info turned on.

After a whole lot of trial and error and googling, I accidentally found out that if I change the claim name from resource_access.${client_id}.roles to ANYTHING ELSE, the claim IS included.

I changed it to resource_access2.{client_id}.roles, for instance, and it was instantly there. I changed it to resource_access.x.{client_id}.roles and it was there as well. Only with the claim name resource_access.${client_id}.roles does it not appear.

Did I stumble upon an obscure bug here, or am I missing something obvious?


Same here, we are using keycloak 7.3.0.GA with the same result.

If I change the claim name resource_access.${client_id}.roles the userinfo endpoint returns the claim, otherwise not.

I’ve tried different things like adding the “roles” scope to the access token, without success.

Did anyone made this work? Help is much appreciated :slight_smile:

This looks like a bug. Feel free to create JIRA. If you have a chance to
send PR with the fix, it will be even better :slight_smile:


I have the same issue with 9.0.0, with adding realm_access.roles to userinfo.

Has a JIRA issue been created already? I could give it a try and debug it.


Same issue here using keycloak 10

seems there is this jira :

1 Like