Hello guys, I am trying to work with the following setup, with the goal of eventually propagating Keycloak roles from the public client (front-end) to Spring Security Roles of a bearer-only client (back-end): Client Name Client Type Client Role Full Scope Allowed portals-frontend public TEST_ROLE FALSE portals-backend bearer-only VERSIONS: *Spring Boot:* org.keycloak:keycloak-spring-boot-2-starter:4.0.0.Final org.springframework.boot:spring-boot-starter-security:2.1.4.RELEASE *Angular:* angular: 7 "keycloak-angular": "6.1.0" *Keycloak Server:* 4.0.0.Final My Angular app is using *portals-frontend *client My Spring-Boot-2 app is using *portals-backend *client When running this setup, the back-end verifies the token, but it does not map the *portals-frontend* client Roles into *spring security principal.deatils.roles*. The only way I managed to do this is two ways; 1. Set *Full Scope allowed* to *true. (*I don't like this since we can't restrict the roles in each client token*)* 2. Use the same KC client in the back-end as the one used in the front-end app. (This means that new front-end apps that will need different rights, therefore a new client, will not be able to use the same back-end service) *QUESTION:* Is there a 3rd way, where I keep my configuration as is, and manage to map KC Roles into spring security's *principal.details.roles *list in the back-end and include the front-end client roles? Thanks in advance! P.S: *Additional context:* The Spring-Boot-2 configurations is: keycloak: realm: internal-portals bearer-only: true auth-server-url: <VALID URL> ssl-required: external resource: portals-backend confidential-port: 0 principal-attribute: preferred_username use-resource-role-mappings: true With the following security config: @KeycloakConfiguration class SecurityConfig(private val securityProperties: SecurityProperties) : KeycloakWebSecurityConfigurerAdapter() { @Bean fun keycloakConfigResolver(): KeycloakConfigResolver { return KeycloakSpringBootConfigResolver() } @Autowired @Throws(Exception::class) fun configureGlobal(auth: AuthenticationManagerBuilder) { val keycloakAuthenticationProvider = keycloakAuthenticationProvider() keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(SimpleAuthorityMapper()) auth.authenticationProvider(keycloakAuthenticationProvider) } @Bean override fun sessionAuthenticationStrategy(): SessionAuthenticationStrategy { return NullAuthenticatedSessionStrategy() } ... }