Re: [keycloak-user] roles in the user-info response

Hi Simon, Seems like you've hit a bug. I was able to reproduce it, please let me know if the use case is similar to yours: 1. created an OIDC client; 2. created some client roles for that client; 3. assigned them to the user; 4. added two protocol mappers, User Client Role and User Realm Role; 5. obtained access token for the user via direct grant; 6. used the token to query Keycloak userinfo endpoint. If Full scope is enabled in client settings -> Scope, I can see all the roles in the returned userinfo. If Full scope is disabled, there is no way to add roles from step 2 to the scope. In the scope config, they show up in Effective roles, but neither in Assigned roles nor Available roles. I think this is because in the latter mode userinfo returns only direct roles, not effective ones. It's easy to proof; you can add, say, "admin" realm role to the scope, but the userinfo won't include it's child role, "create-realm", even if the user is admin. OTOH, you have added protocol mappers to the client, right? You can go to mapper settings and turn off "Add to access token" (leaving Full scope on). Thus, your access token won't include role info anymore, but it will remain in the ID token and userinfo endpoint response. As the last resort, you can use Keycloak Admin REST API [1] to query for user roles. [1] https://www.keycloak.org/docs-api/4.5/rest-api/index.html#_users_resource Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info(a)acutus.pro On Fri, 2018-10-12 at 11:58 +0100, Simon Payne wrote: