Keycloak: Include the roles of requested scopes in generated tokens

I am currently experimenting with Keycloak as an OIDC/OAuth provider and planned to use it for authorization based on roles in my application. For that I need the roles that apply to a session to be contained in the generated access tokens.

My plan was the following:

  • Define scopes that have roles assigned
  • Add the scopes as optional scopes to my application/client in Keycloak
  • Add the effective roles to the generated access tokens using the built-in “roles” scope (with its mapper) as a default scope for the client
  • Expect the value of the relevant “roles” claim in the generated access token to equal the roles assigned to the scopes that have been requested at login

So far it’s all possible except that the interesting “roles” claim in generated access tokens contains all roles of the user and not only the roles that are assigned to the requested scopes.

So my question is:

  • Is it possible to have a “roles” claim in generated tokens that only contains the roles that can be resolved from the requested scopes?

Example:

We have the following scope-role-mappings:

scope roles
read r_read
write r_write

And a user with the roles “r_read” and “r_write”.

When the user logs in with the “read” scope requested I would expect that the “roles” array in the generated access token only contains the “r_read” role. Instead it currently also contains the “r_write” role.

Update:

After some more digging I think I was misled by the documentation of the "Scope" tab in the "Client Scopes" detail configuration (or misunderstood it):

Scope mappings allow you to restrict which user role mappings are included within the access token requested by the client.

The assigned roles set there only control which role is required so that the scope can be applied/added to the scope claim of the access token.

The possibilities I currently see are:

  • Just try to make a 1:1 mapping of roles to scopes and use the applied scopes for authorization (see if that is practical)
  • Take a look into writing my own mapper that resolves scopes to roles (see if that's even possible by using public APIs and without compromising on performance)
  • Dismiss the idea of "rights as requested at login" and just look at the user roles
    • and accept that - e.g. - an admin can not login with user rights
Askin Geeks, asked Oct 27 '25 08:10


1 Answer

Yes, you can. Easy way:

  1. Create the needed scope in the Client Scopes menu section [/auth/admin/master/console/#/realms/<your realm>/client-scopes] and name it: read (for example)
    You can turn off the options Display On Consent Screen & Include In Token Scope. We don't need them.

  2. After saving the scope, go to the MAPPERS tab (of the scope read)

  • Press the CREATE button
  • Mapper Type = Hardcoded Role; Name = r_read; Role = r_read
  • Save!
  3. Add the scope (read) to the Optional Client Scopes of your main client [/auth/admin/master/console/#/realms/<your realm>/clients/<your client UUID>/client-scopes/setup-scopes]
  4. Now request an access token with the scope (read)
  5. Voila! Now the realm_access.roles section of your access token will look something like this:
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization",
      "r_read"
    ]
  }
xardbaiz, answered Oct 30 '25 13:10
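The scheme in the answer above only pays off if the resource server actually keys its decision on the role that the requested scope maps to. The following is an added example (editor's code, not from the question or the answer) of that check: it builds a constructed access token, verifies it, and grants an operation only when realm_access.roles carries the role from the question's scope/role table. The HS256 signing with a demo key is an assumption made so the code runs offline; real Keycloak access tokens are RS256-signed and must be verified against the realm's JWKS with a proper JWT library. The check is on the role rather than on the "scope" claim because the answer suggests turning "Include In Token Scope" off for these client scopes. One caveat a practitioner should weigh: a Hardcoded Role mapper puts r_read into the token for any user whose client requests the read scope, whether or not that user holds r_read in the realm, so this approach authorizes "client asked for read", not "user is allowed to read". If user role membership must also hold, the Scope tab of the client scope together with Full Scope Allowed switched off on the client is the setting that intersects the user's roles with the scope mappings instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Scope -> role table from the question. With the answer's Hardcoded Role
# mappers, Keycloak emits the role only when the matching optional scope
# was requested at login.
SCOPE_TO_ROLE = {"read": "r_read", "write": "r_write"}

# Demo-only HMAC key (assumption, so the example runs offline). Real Keycloak
# tokens are RS256-signed: verify them against the realm's JWKS instead.
DEMO_KEY = b"demo-hs256-key-not-for-production"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a constructed HS256 JWT carrying the given claims (test fixture)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_demo_token(token: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Check signature and expiry, then return the claims. Raises ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token header must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    current = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= current:
        raise ValueError("token expired")
    return claims


def realm_roles(claims: dict) -> set:
    """Roles as Keycloak places them: realm_access.roles."""
    return set(claims.get("realm_access", {}).get("roles", []))


def granted_scopes(claims: dict) -> set:
    """Reverse-map the roles present in the token to the scopes of the table."""
    roles = realm_roles(claims)
    return {scope for scope, role in SCOPE_TO_ROLE.items() if role in roles}


def authorize(claims: dict, required_scope: str) -> bool:
    """Allow the operation iff the role the scope maps to is in realm_access.roles."""
    role = SCOPE_TO_ROLE.get(required_scope)
    return role is not None and role in realm_roles(claims)


if __name__ == "__main__":
    # Constructed token shaped like the answer's realm_access block: the user
    # requested only the read scope, so only r_read was hardcoded in.
    token = make_demo_token({
        "exp": 4102444800,
        "realm_access": {"roles": ["offline_access", "uma_authorization", "r_read"]},
    })
    claims = verify_demo_token(token)
    print("read allowed:", authorize(claims, "read"))
    print("write allowed:", authorize(claims, "write"))
    print("granted scopes:", granted_scopes(claims))
```

The alg pin and the constant-time signature comparison matter even in the demo: a resource server that accepts whatever "alg" the token names, or that compares signatures with plain `==`, lets an attacker change realm_access.roles and keep the token valid, which defeats the whole point of carrying authorization data in the token.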


