Good day,
We are configuring Keycloak IDP authentication and role permissions in ODC. We have set up the IDP and clients in both KeyCloak and ODC, and this is all working well for authentication. We are now trying to configure end-user group mappings from the KeyCloak IDP to ODC.

The roles do not seem to be populating in ODC correctly. (We have tested our app with roles assigned directly in ODC, and this works. It is when roles are extracted from the JWT and mapped to ODC groups that things do not work.) Below is the KeyCloak JWT we retrieve from our IDP.
{
  "exp": 1728392737,
  "iat": 1728392437,
  "jti": "c8008342-1e72-435c-a807-a5f27413b2bf",
  "iss": "https://xxxxxxx.co.za:8443/realms/IDReg",
  "aud": "account",
  "sub": "729b21bd-f371-40be-8065-52d33e206ae8",
  "typ": "Bearer",
  "azp": "test",
  "sid": "a49c5c3b-9b7b-4f74-949d-65cbb010abfd",
  "acr": "1",
  "allowed-origins": ["/*"],
  "realm_access": {
    "roles": ["Support", "offline_access", "default-roles-idreg", "uma_authorization"]
  },
  "resource_access": {
    "account": {
      "roles": ["manage-account", "manage-account-links", "view-profile"]
    }
  },
  "scope": "openid email profile",
  "email_verified": true,
  "name": "xxxxxxx xxxxxxx",
  "preferred_username": "almero@xxxxx.co.za",
  "given_name": "xxxxxxxx",
  "family_name": "xxxxxxx",
  "email": "almero@xxxxxx.co.za"
}
The question is:
What do we need to specify as the Claim Attribute in ODC when trying to read "realm_access" -> "roles", since we cannot use "realm.roles"? Other options like "realms" and "roles" have not worked, most likely because the element is not unique enough and is nested.
Any assistance is appreciated.
Did some digging. The simple way to fix this is to change the way that KeyCloak provides the JWT to ODC. It seems like ODC only wants to accept a single Claim Attribute name.

To work around this, simply create a new Claim Mapper in KeyCloak that adds the REALM_ROLES, but change the output name for the claim to be a single value - in my case "realm_access_roles".

Steps to replicate this in KeyCloak 23:
In ODC Portal
In Application
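As an added illustration of the workaround described in this thread (not code from the original post or from OutSystems/Keycloak), the Python below shows why a flat-only claim lookup cannot see roles nested under "realm_access", what the Keycloak "User Realm Role" protocol mapper definition looks like when its Token Claim Name is set to the single value "realm_access_roles", and what the resulting token contains. The token payloads are constructed from the claims shown above with a placeholder issuer; the mapper JSON uses the standard Keycloak protocol-mapper fields and is the same shape you would submit via the admin REST API or kcadm. The filtering of Keycloak's built-in roles at the end is an assumed practice, not something the post describes.

```python
"""Flattening Keycloak's nested realm_access.roles into one top-level claim.

Constructed example; the payloads and the issuer are placeholders, not the
poster's real token.
"""

# Constructed access-token payload, trimmed to the claims that matter here.
TOKEN_BEFORE = {
    "iss": "https://idp.example.invalid/realms/IDReg",   # assumed placeholder issuer
    "azp": "test",
    "realm_access": {
        "roles": ["Support", "offline_access", "default-roles-idreg", "uma_authorization"]
    },
    "resource_access": {"account": {"roles": ["manage-account", "view-profile"]}},
}

FLAT_CLAIM = "realm_access_roles"   # the single-value claim name chosen in the post


def lookup_flat(payload, claim_name):
    """Behaviour of a consumer that only accepts a single top-level claim name.
    "realm.roles", "realms" and "roles" all miss because the roles live one
    level down, inside the realm_access object."""
    return payload.get(claim_name)


def lookup_path(payload, dotted):
    """Walk a dotted path such as realm_access.roles; None on any miss."""
    cur = payload
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def realm_roles_mapper(claim_name=FLAT_CLAIM, name="realm roles (flat)"):
    """Keycloak 'User Realm Role' protocol mapper definition.

    This is the JSON body for POST .../clients/{id}/protocol-mappers/models
    (or `kcadm.sh create ... -f mapper.json`). The important detail is the
    claim name: Keycloak treats a dot in Token Claim Name as nesting, so a
    name without dots yields a top-level claim. To keep a literal dot you
    would have to escape it as "\\."."""
    return {
        "name": name,
        "protocol": "openid-connect",
        "protocolMapper": "oidc-usermodel-realm-role-mapper",
        "consentRequired": False,
        "config": {
            "claim.name": claim_name,
            "multivalued": "true",
            "jsonType.label": "String",
            "id.token.claim": "true",
            "access.token.claim": "true",
            "userinfo.token.claim": "true",
        },
    }


def apply_mapper(payload, mapper):
    """Simulate what the mapper adds to the issued token: the user's realm
    roles copied into the configured claim name. No live Keycloak here, so the
    roles are taken from the constructed realm_access.roles."""
    claim = mapper["config"]["claim.name"]
    roles = lookup_path(payload, "realm_access.roles") or []
    out = dict(payload)
    out[claim] = list(roles)
    return out


def business_roles(roles, drop=("offline_access", "uma_authorization")):
    """Assumed hygiene step: strip Keycloak's built-in realm roles (and the
    per-realm default-roles-* composite) before mapping the rest to
    application groups, so only roles you assigned deliberately grant access."""
    return [r for r in roles if r not in drop and not r.startswith("default-roles-")]


if __name__ == "__main__":
    after = apply_mapper(TOKEN_BEFORE, realm_roles_mapper())
    print("flat lookup of realm.roles before:", lookup_flat(TOKEN_BEFORE, "realm.roles"))
    print("flat lookup of", FLAT_CLAIM, "after:", lookup_flat(after, FLAT_CLAIM))
    print("roles worth mapping to groups:", business_roles(after[FLAT_CLAIM]))
```

With the mapper in place, the token carries both the original nested `realm_access.roles` and the new top-level `realm_access_roles` array, so the consumer's Claim Attribute can simply be `realm_access_roles`. Whatever name you pick, check the mapper is attached to the client (or client scope) that the consumer actually uses, and that "Add to access token" is enabled if the consumer reads the access token rather than the ID token.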