[keycloak-user] Expose role attributes in Keycloak javascript adapter

Dmitry Telegin dt at acutus.pro
Fri Feb 1 05:17:38 EST 2019

Hello Tom,

You can enrich the user's access/ID token with the help of the script mapper like below:

// ================================================
var roles = Java.from(new java.util.ArrayList(token.realmAccess.roles));
var foo = new java.util.ArrayList();

for (var r in roles) {
    var attrs = keycloakSession.realms().getRealmRole(realm, roles[r]).attributes;
       role: roles[r],
       attrs: attrs

token.setOtherClaims('foo', foo);
// ================================================

Here, a dedicated claim ("foo") is used to contain role+attribute info. Using existing "realm_access" or "resource_access" claims is not a good idea, since adapters expect a particular structure there.
You can also try to do it more JavaScript-way, like e.g. using map instead of for loop, but remember script mappers are very pedantic about Java vs. JavaScript types and collections.

Also don't forget to run Keycloak with -Dkeycloak.profile.feature.scripts=enabled or -Dkeycloak.profile=preview .

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2019-01-31 at 15:57 -0500, Tom Barber wrote:
> Hi folks,
> We’ve got some attributes in the Keycloak roles. Is there a way to release
> them with a user using the Javascript adapter?
> Thanks
> Tom

More information about the keycloak-user mailing list