Perhaps a little too quick to email ... I just found the "Group Membership" option in the client mapper which would work nicely. Is there a role version of this out of interest?

On Mon, Feb 22, 2016 at 5:33 PM, gambol <gambol99@gmail.com> wrote:
Hiya ...

I was wondering if it's possible as of 1.9.0 to change or map the roles of a user into a new claim .. The reason I ask is https://github.com/kubernetes/kubernetes/pull/21001/files. I know the current implementation uses something akin to the below in the access token.

"resource_access": {
  "client_id": {
    "roles": [
      "role-a",
      "role-b",
      "role-c"
    ]
  },
  "account": {
    "roles": [
      "view-profile",
      "manage-account"
    ]
  }
},

Any chance via a mapper we could use a string array?

Rohith