Hello Tom,
You can enrich the user's access/ID token with the help of the script mapper like
below:
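// ================================================
// Copy the token's realm roles into a native JavaScript array
var roles = Java.from(new java.util.ArrayList(token.realmAccess.roles));
// Java list that will hold one entry per role
var foo = new java.util.ArrayList();
for (var r in roles) {
    // Look up the role model to read its attributes
    var attrs = keycloakSession.realms().getRealmRole(realm, roles[r]).attributes;
    foo.add({
        role: roles[r],
        attrs: attrs
    });
}
// Publish the result under the dedicated "foo" claim
token.setOtherClaims('foo', foo);
// ================================================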
Here, a dedicated claim ("foo") is used to contain role+attribute info. Using
existing "realm_access" or "resource_access" claims is not a good
idea, since adapters expect a particular structure there.
You can also try to do it in a more JavaScript way, e.g. using map instead of a for loop,
but remember script mappers are very pedantic about Java vs. JavaScript types and
collections.
Also don't forget to run Keycloak with -Dkeycloak.profile.feature.scripts=enabled or
-Dkeycloak.profile=preview.
Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Thu, 2019-01-31 at 15:57 -0500, Tom Barber wrote:
Hi folks,
We’ve got some attributes in the Keycloak roles. Is there a way to release
them with a user using the Javascript adapter?
Thanks
Tom
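
Added example, not part of the thread or of Keycloak's own code: one way the client side could consume the "foo" claim produced by the script mapper above, turning it into a role-to-attributes lookup. The token is constructed sample data and the attribute names `department` and `level` are hypothetical; with the JavaScript adapter the decoded payload is already available as `keycloak.tokenParsed`, so only `roleAttributes` would be needed there.

```javascript
// Decode the payload segment of a compact JWT (base64url -> JSON).
// No signature check here: use the result for display logic only; the
// resource server must verify the token before trusting any claim.
function decodePayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Turn [{role, attrs: {name: [values]}}] into {role: {name: [values]}}.
// Entries that do not match the expected shape are skipped.
function roleAttributes(payload, claim = 'foo') {
  const out = Object.create(null);
  const entries = payload && payload[claim];
  if (!Array.isArray(entries)) return out;
  for (const e of entries) {
    if (!e || typeof e.role !== 'string') continue;
    const attrs = Object.create(null);
    const src = e.attrs && typeof e.attrs === 'object' ? e.attrs : {};
    for (const [k, v] of Object.entries(src)) {
      // Role attributes are multi-valued; normalise to arrays of strings.
      attrs[k] = (Array.isArray(v) ? v : [v]).map(String);
    }
    out[e.role] = attrs;
  }
  return out;
}

// Constructed sample token (hypothetical attribute names, placeholder signature).
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const sampleToken = [
  b64url({ alg: 'RS256', typ: 'JWT' }),
  b64url({
    realm_access: { roles: ['editor', 'viewer'] },
    foo: [
      { role: 'editor', attrs: { department: ['docs'], level: ['2'] } },
      { role: 'viewer', attrs: {} },
      { attrs: { ignored: ['x'] } } // malformed entry: no role name
    ]
  }),
  'placeholder-signature'
].join('.');

const attrsByRole = roleAttributes(decodePayload(sampleToken));
console.log(JSON.stringify(attrsByRole));
```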