The solution is to add a User Attribute mapper for the desired Client.
This way you can "map" any attribute to the selected token. Just specify
the group attribute name, desired token claim name, data type and token
type(s).
On Mon, Jun 11, 2018 at 3:51 PM, Andy Yar <andyyar66(a)gmail.com> wrote:
Hello,
I use Keycloak 3.4.1.Final and keycloak-js NPM package as client.
My use case employs a single level group hierarchy and users who
belong to one of the groups. Each group has an attribute.
For example, the attribute department_full_name. Thus users working in the
same department could be grouped together and each would inherit its
department_full_name attribute from the group.
This way it feels natural to me.
I've googled a relevant discussion:
http://lists.jboss.org/pipermail/keycloak-user/2015-December/004042.html
Also the Server Administration confirms this behavior by stating: "The
Attributes and Role Mappings tab work exactly as the tabs with similar
names under a user. Any attributes and role mappings you define will
be inherited by the groups and users that are members of this group."
However, it doesn't seem to work for me using the Bearer OpenID Connect
scheme. The decoded JWT structure simply doesn't contain my mapped
attribute (in id_token or access_token). It contains both the roles mapped
from the group and the directly set user attribute, but not the group-mapped
attribute...
Am I missing something obvious here? Thanks
Andy
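As an added illustration of the reply above (not code from the thread or from Keycloak itself): the mapper representation that the admin REST API accepts for a client's "User Attribute" mapper, plus a small check that confirms the claim actually landed in each token after the mapper is in place. The endpoint path in the comment and the sample tokens are assumptions; the tokens are constructed, unsigned, and only decoded here to inspect claims.

```python
import base64
import json

# ProtocolMapperRepresentation for the built-in "User Attribute" mapper, as
# POSTed to /admin/realms/{realm}/clients/{client-uuid}/protocol-mappers/models
# (endpoint path assumed). Config keys match what the admin console writes.
def user_attribute_mapper(attribute, claim, json_type="String",
                          id_token=True, access_token=True, userinfo=True):
    return {
        "name": f"{attribute} mapper",
        "protocol": "openid-connect",
        "protocolMapper": "oidc-usermodel-attribute-mapper",
        "consentRequired": False,
        "config": {
            "user.attribute": attribute,       # group/user attribute name
            "claim.name": claim,               # desired claim name in the token
            "jsonType.label": json_type,       # data type of the claim
            "id.token.claim": str(id_token).lower(),
            "access.token.claim": str(access_token).lower(),
            "userinfo.token.claim": str(userinfo).lower(),
        },
    }


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Payload claims of a compact JWT. Inspection only: no signature check,
    so never use this to make authorization decisions."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def missing_claims(tokens, claim):
    """Names of tokens (e.g. 'id_token') whose payload lacks `claim`."""
    return [name for name, tok in tokens.items() if claim not in jwt_claims(tok)]


def _constructed_token(claims):
    # Constructed, unsigned sample token for offline demonstration only.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: the claim reached the access token but not the id_token,
# the symptom to look for if only one of the "Add to ..." switches was enabled.
SAMPLE_TOKENS = {
    "access_token": _constructed_token({"sub": "u1", "department_full_name": "Research"}),
    "id_token": _constructed_token({"sub": "u1"}),
}
```

Running `missing_claims(SAMPLE_TOKENS, "department_full_name")` on real tokens obtained after adding the mapper tells you which token still lacks the claim.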