SPI Question: Missing Client from resource_access

Hi,

I’m on Keycloak 18.

I’m successfully getting a token from the http://localhost:8080/realms/jdbcrealm/protocol/openid-connect/token endpoint. However, it seems to be missing some client roles. When I go to the Generated Access Token tab for the user, I get this

  "resource_access": {
    "realm-management": {
      "roles": [
        "query-users"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  }

But when I print out the generated token from the web service call, I get this

  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  }

It’s missing the info from the realm-management client.

My configuration is the out-of-the-box realm-management and a client that I created with the public/direct access for use in ReadyAPI. I’m using my created client as the client ID in the /token call.

Thanks,
Carl

This is probably related to a custom User Storage Federation SPI that I’m working on. I haven’t been able to reproduce with a non-federated user and client.

It seems like I’m missing the clientRoleMappings. I tried a few forms of the User Adapter that rely on the super class methods, but the generated token only has the “account” resource_access.
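
The comparison made by eye in the posts above can be scripted. The following is an added example, not part of the original thread and not Keycloak code: it decodes the payload of an access token and reports which client roles from an expected `resource_access` block are absent. The function names and the unsigned sample token are constructed for illustration; the role names are the ones quoted in the thread.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_client_roles(expected: dict, actual: dict) -> dict:
    """Return {client: [roles]} found in expected resource_access but not in actual."""
    missing = {}
    for client, entry in expected.items():
        have = set(actual.get(client, {}).get("roles", []))
        gone = sorted(set(entry.get("roles", [])) - have)
        if gone:
            missing[client] = gone
    return missing


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed data, not a real Keycloak token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Expected block: what the Generated Access Token tab showed in the post.
ACCOUNT = {"roles": ["manage-account", "manage-account-links", "view-profile"]}
EXPECTED = {"realm-management": {"roles": ["query-users"]}, "account": ACCOUNT}
# Constructed stand-in for the token returned by the /token call.
SAMPLE_TOKEN = constructed_token({"resource_access": {"account": ACCOUNT}})


def check(token: str, expected: dict = EXPECTED) -> dict:
    """Compare a token's resource_access claim against the expected mapping."""
    actual = jwt_claims(token).get("resource_access", {})
    return missing_client_roles(expected, actual)


if __name__ == "__main__":
    print(check(SAMPLE_TOKEN))
```

Running the check after each change to the user adapter shows whether the realm-management roles reach the token actually issued to the client.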