Hello all,
I just ran into the most peculiar issue. While debugging some OIDC client I ran a few manual requests on Keycloak using curl. When I called the userinfo endpoint, I noticed there was no resource_access claim, despite it being in the client scopes, with the client roles -> add to user info turned on.
After a whole lot of trial and error and googling, I accidentally found out that if I change the claim name from resource_access.${client_id}.roles to ANYTHING ELSE, the claim IS included.
I changed it to resource_access2.{client_id}.roles, for instance, and it was instantly there. I changed it to resource_access.x.{client_id}.roles and it was there as well. Only with the claim name resource_access.${client_id}.roles does it not appear.
Did I stumble upon an obscure bug here, or am I missing something obvious?