KeyCloak - How to add Role's attribute into a user JWT (Access Token)?
I’m trying to figure out how to add role attributes into a JWT token (Access Token).
I created a new Role named “Manager” with an attribute named “Actions”.
Then I defined a new Client Scope named “Actions” with a mapper named “Actions” that map a user attribute named “actions” into the token.
Then I took a client we have named “API” and added this client scoper as a default one.
Finally, I created a new user and gave him the Manager role.
Now, since this user is for the “Manager” role, and the role was defined with an attribute named “actions” I expected that the user will get those attributes as well and therefore when getting an access token from the API client those will appear in the JWT(AT).
but it doesn’t work.
If I do the same things but with a group (creating a group with attributes and giving the user this group) everything works fine.
Is this by design or am I doing something wrong?
i tried to create both user Attribute mapper and cliet role mappers with no luck.
Is this by design or am I doing something wrong?
Your rational was good. Unfortunately, the problem is that Keycloak does not consider the role attributes to be user attributes. Consequently, your mapper of "user attribute" type has no effect. Hence, nothing is added to the JWT token.
Currently, there is an open feature in the Keycloak GitHub repo to handle this situation. Have a look at [KEYCLOAK-17418] Should role attributes be made available as user attributes.
As a "workaround" there are answers (e.g., here and here) on stack overflow that implements this Mapper through the use of Keycloak Script Mapper feature.
Another, better approach IMO, would be for you to create the Mapper by extending the Keycloak code via its Service Provider Interfaces mechanism. Here is an example of this approach. You can use the code displayed on aforementioned SO answers that use the script Mapper to infer the java code from it.
- Keycloak + SPA as client (Vue) + Spring Cloud Gateway as resource server + Spring Boot Microservices
- Use Keycloak Spring Adapter with Spring Boot 3
- KeyCloak - How to add Role's attribute into a user JWT (Access Token)?
- Keycloak - Client Roles - Retrieve custom attributes
- Configure Keycloak OTP via Administration REST API
- Blazor Hosted WebAssembly with Keycloak and Basic Authentication Issue
- KeyCloak Integration with Azure B2C UserName Mapping Issue
- Keycloak: Not able to load admin GUI/console
- Keycloak retrieve custom attributes to KeycloakPrincipal
- Keycloak SSL setup using docker image
- How to change keycloak jvm arguments via CLI in standalone configuration
- Logout from next-auth with keycloak provider not works
- Cannot find module 'keycloak-js/authz' while import with TypeScript
- How to bypass keycloak login page and provide client suggested idp with spring security
- Keycloak Custom message on user temporary lock
- Angular - Spring Boot - Keycloak - 401 Error
- Spring Security + Keycloak (with self signed certs) - How do you disable hostname verification?
- Keycloak, not returning access token if update password action selected
- Keycloack Custom Identity provider
- Keycloak lost admin password
- How to make keycloak sessions survive server restarts or upgrades?
- How can I authenticate using the token exchange grant type for impersonation with spring boot and keycloak?
- Keycloak Realm VS Keycloak Client
- retrieve google refresh token in keycloak
- Request header field sentry-trace is not allowed by Access-Control-Allow-Headers in preflight response
- What's the relationship between Keycloak SSO Session Idle Time and Spring Session Timeout?
- Keycloak and Spring Boot web app in dockerized environment
- NuxtJS + keycloak-js: frontend doesn't render the correct value
- Keycloak admin console loading indefinitely
- Keycloak SPI to update password with condition