[keycloak-user] WildFly adapter - dynamically added roles missing in access token

Torsten Roemer torsten.roemer at agfa.com
Thu Jul 19 09:10:58 EDT 2018


Following the "Example User Storage Provider with EJB and JPA", I've created a custom user storage provider.

In UserAdapter#getRoleMappings, I am returning the roles retrieved via JPA entity like this:

    @Override
    public Set<RoleModel> getRoleMappings() {
        // Start from whatever role mappings the parent adapter already returns
        final Set<RoleModel> roles = super.getRoleMappings();
        // Wrap each group loaded from the JPA entity as a RoleModel and add it
        for (final GroupBean group : groups) {
            roles.add(new RoleAdapter(this, String.valueOf(group.getObjectID()), group.getName()));
        }

        return roles;
    }

RoleAdapter is my own (possibly incomplete!) implementation of RoleModel, which I am using since I did not find a way to create an instance of e.g. org.keycloak.models.cache.infinispan.RoleAdapter so far.

In the Admin Console, the dynamically added roles are listed as "Assigned Roles" for a particular user but not as "Effective Roles"; maybe that is already a problem.

When I request an access token for the user via the OIDC REST endpoint "/realms/{realm-name}/protocol/openid-connect/token", all roles are included in realm_access.roles.

However, when I log in to a Webapp deployed to WildFly secured with the KEYCLOAK auth-method using the WildFly adapter and have a look at the token obtained from the RefreshableKeycloakSecurityContext in the servlet session, the dynamically added roles are not included in the access token.

What could I be missing?
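A practical first step when the token from the token endpoint and the token held by the adapter disagree is to put the two tokens side by side and diff their role claims per container (realm_access and each resource_access entry), together with the azp claim, since the two tokens are issued to whichever client made each request. The script below is an added diagnostic example, not code from the original post or from Keycloak; the two tokens it works on are constructed samples with assumed client ids ("diag-client", "webapp") and assumed role names. It decodes the payload without checking the signature, which is fine for inspecting a token you already obtained yourself but must never be used to make an authorization decision.

```python
"""Diagnostic: compare the roles carried by two Keycloak access tokens.

Added example, not code from the original post. Both tokens below are
CONSTRUCTED samples with assumed client ids ("diag-client", "webapp") and
assumed role names; real tokens are signed by the realm key.
"""
import base64
import json
from typing import Dict, Set


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(claims: dict) -> str:
    """Build a compact JWS with a dummy signature, for constructing test input only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.not-a-real-signature"


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS (header.payload.signature).

    The signature is NOT verified. That is acceptable for looking at a token
    the adapter or the token endpoint just handed you, but never base an
    authorization decision on claims read this way.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def roles_of(claims: dict) -> Dict[str, Set[str]]:
    """Map 'realm' plus every client id in resource_access to its role set."""
    roles = {"realm": set(claims.get("realm_access", {}).get("roles", []))}
    for client_id, access in claims.get("resource_access", {}).items():
        roles[client_id] = set(access.get("roles", []))
    return roles


def diff_roles(token_a: str, token_b: str) -> Dict[str, Dict[str, Set[str]]]:
    """Per role container, the roles only token_a carries and only token_b carries.

    Containers whose role sets match are left out, so an empty result means
    both tokens grant exactly the same roles.
    """
    ra, rb = roles_of(decode_claims(token_a)), roles_of(decode_claims(token_b))
    result: Dict[str, Dict[str, Set[str]]] = {}
    for container in sorted(set(ra) | set(rb)):
        a, b = ra.get(container, set()), rb.get(container, set())
        if a != b:
            result[container] = {"only_in_a": a - b, "only_in_b": b - a}
    return result


def issuing_client(token: str) -> str:
    """The 'azp' claim: which client the token was issued to.

    Two tokens for the same user obtained through different clients are not
    required to carry the same roles, so this is the first thing to compare.
    """
    return decode_claims(token).get("azp", "")


# Constructed sample: token from a direct call to /protocol/openid-connect/token
TOKEN_DIRECT = make_sample_token({
    "sub": "user-1", "azp": "diag-client",
    "realm_access": {"roles": ["offline_access", "uma_authorization", "user", "dyn-group-42"]},
    "resource_access": {"account": {"roles": ["manage-account", "view-profile"]}},
})

# Constructed sample: token held by the adapter after a browser login to the webapp
TOKEN_ADAPTER = make_sample_token({
    "sub": "user-1", "azp": "webapp",
    "realm_access": {"roles": ["offline_access", "uma_authorization", "user"]},
    "resource_access": {
        "account": {"roles": ["manage-account", "view-profile"]},
        "webapp": {"roles": ["app-user"]},
    },
})

if __name__ == "__main__":
    print("issued to:", issuing_client(TOKEN_DIRECT), "vs", issuing_client(TOKEN_ADAPTER))
    for container, delta in diff_roles(TOKEN_DIRECT, TOKEN_ADAPTER).items():
        print(f"{container}: only in direct={sorted(delta['only_in_a'])}, "
              f"only in adapter={sorted(delta['only_in_b'])}")
```

To use it on real tokens, replace the two constructed samples with the raw string from the token endpoint response and the value of getTokenString() on the adapter's security context; a non-empty diff for "realm" while the azp claims differ is the cue to look at how the two clients are scoped rather than at the storage provider alone.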
