keycloak

How to add resource_access key (realm-management or account) to admin token (fastapi-keycloak)?


I've run Keycloak in Docker:

docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:22.0.1 start-dev

Then I created the realm dialog-test and the client non-commercial-purchase-public. Now I need to get an admin token:

curl --location --request POST 'http://localhost:8080/realms/dialog-test/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=admin-cli' \
--data-urlencode 'client_secret=oCPory1e8KD8xjNlmDSOClKo0I9CNipu' \
--data-urlencode 'grant_type=client_credentials'

But response does not contain resource_access key (I need the key because lib fastapi-keycloak requires it):

{
  "exp": 1692114608,
  "iat": 1692114308,
  "jti": "01aae75e-7145-4790-b076-390fde8eb93c",
  "iss": "http://localhost:8080/realms/dialog-test",
  "sub": "5b2933cb-3dd9-43b7-8890-a1e9d523a08b",
  "typ": "Bearer",
  "azp": "admin-cli",
  "acr": "1",
  # "resource_access": {"realm-management": "...", "account": "..."} <<- is not returned. I could see only "admin-cli"
  "scope": "profile email",
  "email_verified": false,
  "clientHost": "172.17.0.1",
  "preferred_username": "service-account-admin-cli",
  "clientAddress": "172.17.0.1",
  "client_id": "admin-cli"
}

How do I add it?


Solution

  • Roles are usually mapped to the access_token by default (via the roles client scope mapper).

    For each client, the role scope mapping options in Keycloak allow you to configure which roles are mapped to the access token, e.g. all assigned roles of the user (Full scope allowed=ON), or you can customise the selection yourself (Full scope allowed=OFF).

    When using a service account to get a token (grant_type=client_credentials) for a client, you should set Full Scope Allowed to ON for that client so that all roles assigned to the built-in "service user" for the client are mapped to the token.
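The following is an added example (not code from the question, the answer, or the fastapi-keycloak project) that shows the two practical steps implied by the answer: inspecting a freshly issued token locally to see whether `resource_access.realm-management.roles` carries the roles a client library needs, and preparing the Admin REST API update that switches `fullScopeAllowed` on for the client. The sample tokens are constructed inline with a dummy signature so the script runs offline; the set of required roles (`manage-users`, `view-users`) and the base URL are assumptions, and the Admin REST endpoint shown is the standard `/admin/realms/{realm}/clients/{id}` client resource.

```python
import base64
import json
from typing import Dict, Iterable, List


def decode_jwt_payload(token: str) -> Dict:
    """Decode the payload segment of a compact JWS without checking the signature.

    This is only for looking at claims on your own machine (the same thing jwt.io
    does); a server must always verify the signature before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def client_roles(claims: Dict, client: str) -> List[str]:
    """Return the roles mapped under resource_access.<client>.roles, or [] if absent."""
    return list(claims.get("resource_access", {}).get(client, {}).get("roles", []))


def missing_admin_roles(
    claims: Dict,
    required: Iterable[str] = ("manage-users", "view-users"),  # assumed requirement
    client: str = "realm-management",
) -> List[str]:
    """List required realm-management roles that the token does NOT carry.

    An empty list means the service account's roles reached the token, which is
    what happens once Full Scope Allowed is ON (or the roles are explicitly scoped).
    """
    have = set(client_roles(claims, client))
    return sorted(r for r in required if r not in have)


def admin_client_url(base_url: str, realm: str, client_uuid: str) -> str:
    """Admin REST API resource for one client (internal UUID, not the clientId)."""
    return f"{base_url}/admin/realms/{realm}/clients/{client_uuid}"


def enable_full_scope(client_representation: Dict) -> Dict:
    """Return a copy of a ClientRepresentation with Full Scope Allowed switched on.

    Intended flow: GET admin_client_url(...) with an admin bearer token, pass the
    JSON through this function, then PUT the result back to the same URL.
    """
    updated = dict(client_representation)
    updated["fullScopeAllowed"] = True
    return updated


def make_unsigned_token(payload: Dict) -> str:
    """Build a constructed JWT with a dummy signature, for offline demonstration only."""
    def b64(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(payload)}.dummysig"


# Constructed sample: what the question's token looks like (no resource_access claim).
SAMPLE_NO_ROLES = make_unsigned_token({
    "iss": "http://localhost:8080/realms/dialog-test",
    "azp": "admin-cli",
    "preferred_username": "service-account-admin-cli",
    "scope": "profile email",
})

# Constructed sample: the same service account after Full Scope Allowed is ON.
SAMPLE_WITH_ROLES = make_unsigned_token({
    "iss": "http://localhost:8080/realms/dialog-test",
    "azp": "admin-cli",
    "preferred_username": "service-account-admin-cli",
    "resource_access": {
        "realm-management": {"roles": ["manage-users", "view-users", "query-users"]},
        "account": {"roles": ["manage-account", "view-profile"]},
    },
})


if __name__ == "__main__":
    for label, tok in (("before", SAMPLE_NO_ROLES), ("after", SAMPLE_WITH_ROLES)):
        claims = decode_jwt_payload(tok)
        print(label, "missing realm-management roles:", missing_admin_roles(claims))
    rep = {"id": "<client-uuid>", "clientId": "admin-cli", "fullScopeAllowed": False}
    print("PUT", admin_client_url("http://localhost:8080", "dialog-test", rep["id"]))
    print(json.dumps(enable_full_scope(rep)))
```

To apply this against a live server, replace `SAMPLE_*` with the `access_token` from the curl call in the question, and use the client's internal `id` (from `GET /admin/realms/dialog-test/clients?clientId=admin-cli`) in `admin_client_url`. Turning Full Scope Allowed on widens what every token for that client carries, so assign the service account only the realm-management roles the library actually needs rather than the full `realm-admin` composite.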