[keycloak-user] Group's attributes not being mapped to users?

Andy Yar andyyar66 at gmail.com
Tue Jun 12 03:08:18 EDT 2018


The solution is to add a User Attribute mapper for the desired Client.
This way you can "map" any attribute to a selected token. Just specify
the group attribute name, desired token name, data type and token
type(s).

On Mon, Jun 11, 2018 at 3:51 PM, Andy Yar <andyyar66 at gmail.com> wrote:
> Hello,
> I use Keycloak 3.4.1.Final and keycloak-js NPM package as client.
>
> My use case employs a single level group hierarchy and users who
> belong to one of the groups. Each group has an attribute.
>
> For example attribute department_full_name. Thus users working in the
> same department could be grouped together and each would inherit its
> department_full_name attribute from the group.
>
> This way it feels natural to me.
>
> I've googled a relevant discussion:
> http://lists.jboss.org/pipermail/keycloak-user/2015-December/004042.html
>
> Also the Server Administration confirms this behavior by stating: "The
> Attributes and Role Mappings tab work exactly as the tabs with similar
> names under a user. Any attributes and role mappings you define will
> be inherited by the groups and users that are members of this group."
>
> However, it doesn't seem to work for me using the Bearer OpenID Connect
> scheme. The decoded JWT structure simply doesn't contain my mapped
> attribute (in id_token or access_token). It contains both the roles mapped
> from the group and the directly set user attribute, but not the
> group-mapped attribute...
>
> Am I missing something obvious here? Thanks
>
> Andy
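
The mapper described in the reply above, as an added example that is not part of the original thread: it builds the client's User Attribute mapper entry and checks decoded tokens for the resulting claim. The function names and sample tokens are constructed for illustration, and the mapper keys are assumed to follow Keycloak's protocol mapper JSON representation.

```javascript
// Added example. Function names and sample values are hypothetical/constructed.
// Mapper entry equivalent to filling in the "User Attribute" mapper form.
function buildUserAttributeMapper(attribute, claimName, jsonType, tokenTypes) {
  return {
    name: `${attribute}-mapper`,
    protocol: "openid-connect",
    protocolMapper: "oidc-usermodel-attribute-mapper",
    config: {
      "user.attribute": attribute, // the group attribute name, per the reply above
      "claim.name": claimName,
      "jsonType.label": jsonType,
      "id.token.claim": String(tokenTypes.includes("id")),
      "access.token.claim": String(tokenTypes.includes("access")),
    },
  };
}

// Decode a JWT payload for inspection only; the signature is NOT verified here.
function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// For each token, return the claim value or null when the claim is absent.
function claimReport(tokens, claimName) {
  const report = {};
  for (const [kind, jwt] of Object.entries(tokens)) {
    const payload = decodePayload(jwt);
    report[kind] = claimName in payload ? payload[claimName] : null;
  }
  return report;
}

// Constructed sample tokens (placeholder signature), before and after adding the mapper.
function sampleJwt(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.placeholder-signature`;
}
const base = { sub: "constructed-user", realm_access: { roles: ["staff"] }, nickname: "ay" };
const before = { id_token: sampleJwt(base), access_token: sampleJwt(base) };
const withClaim = sampleJwt({ ...base, department_full_name: "Research and Development" });
const after = { id_token: withClaim, access_token: withClaim };

console.log(JSON.stringify(buildUserAttributeMapper(
  "department_full_name", "department_full_name", "String", ["id", "access"]), null, 2));
console.log(claimReport(before, "department_full_name"), claimReport(after, "department_full_name"));
```

In a keycloak-js client the same presence check can be made on `keycloak.idTokenParsed` and `keycloak.tokenParsed`.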

