
I'm trying to get info about user roles using the OpenID Connect endpoints of Keycloak. I'm using the /auth/realms/moje/protocol/openid-connect/userinfo endpoint to get info about the authenticated user. I'm able to get info about the name, username, email, etc. but I'm not able to force Keycloak to give me info about user roles.

I've read the OpenID documentation and I didn't find any info about how to get roles... I think that there must be a way to find out user roles... Maybe there is another endpoint... I can't find any info...

So finally my question is: Is there any way to get info about user roles using OpenID Connect endpoints?

Dmitriy Popov
Dominik Koszkul

4 Answers


You have to manually map realm roles to userinfo and then you will be able to retrieve them with this endpoint. Go to the Keycloak admin console and choose your client, go to the Mappers tab and create a mapper for realm roles (it is a built-in mapper, no need to create it manually). By default it will inject realm roles into the JWT, but not into the ID token and userinfo. Enable the option for injecting into userinfo. Then you should be able to see the roles.

randomguy

To make the user roles (i.e., realm and/or client-related roles) also available from the userinfo endpoint, do the following:

Keycloak old UI

  • Go to the corresponding realm;
  • Go to the corresponding client;
  • Go to Mappers;
  • Click on Create (or Add Builtin);
  • As the Mapper Type select User Realm Role;
  • Set the option Add to userinfo to ON, and click Save;


For client roles, repeat the aforementioned steps but this time select User Client Role as the Mapper Type.

Keycloak new UI

  • Go to the corresponding realm;
  • Go to the corresponding client;
  • Go to Client Scopes;
  • Click on the `-dedicated` scope (e.g., `test-dedicated`);


  • Click on Configure a new mapper (or Add predefined mapper);
  • As the Mapper Type select User Realm Role;
  • Set the option Add to userinfo to ON, and click Save;


dreamcrash
  • This is awesome, it took me one week to find that shit was after the click, thank you. Hope I'm lucky, do you happen to know where I find in the new UI the old setup for Identity Provider -> Identity Provider Mapper -> Create Identity Provider for the Advanced Claim to Group case? My new version is missing this type of mapper. I'll post a question on SO if you know to get your answer. – SilentTremor Jul 14 '23 at 15:31
  • @SilentTremor Hi, you need to go to Identity Providers -> (select the IdP, e.g., Keycloak OpenID Connect Provider) -> Mappers -> Add Mapper -> Advanced Claim to Group. I am using KC 20.0.2 and the IdP is the Keycloak OpenID Connect provider – dreamcrash Jul 16 '23 at 11:45
  • Option missing from the 19.0.0 legacy docker image, thanks man. – SilentTremor Jul 17 '23 at 09:00

If you have the client secret key, then you can get the user role info by passing that secret key.

Aman Jaiswal
  • I did, client_secret will be ordinarily sent, and there is no change, role data is still missing from the userinfo response. – peterh Jul 27 '18 at 19:43
  • Ok, I found it. In fact, the case is much more complex; [these answers](https://stackoverflow.com/questions/32678883/keycloak-retrieve-custom-attributes-to-keycloakprincipal) explain it in more detail. Simply passing the `client_secret` will probably not be enough! – peterh Jul 27 '18 at 19:56

You can find all associated roles in the JWT. No need to invoke an endpoint. The /auth/realms/moje/protocol/openid-connect/userinfo endpoint is to check the validity of the JWT.

Dmitriy Popov
user3332279
  • It may be useful if you issue long-lived tokens for technical users. Roles that have been granted might be revoked but the JWT is still correct. userinfo returns the actual roles – AlexanderRS Dec 17 '21 at 11:22
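Added example (not code from the question or any answer): a Python check that pulls roles out of the claim layout Keycloak's built-in role mappers emit (realm_access.roles and resource_access.<client>.roles), which is the same layout the userinfo response carries once Add to userinfo is enabled as the mapper answers above describe, and then diffs a still-valid token against a fresh userinfo response to surface roles revoked since issuance, the situation the last comment raises. The HS256 secret, the claim values and the userinfo JSON are constructed; real Keycloak tokens are RS256-signed and are verified against the realm's JWKS instead.

```python
import base64
import hashlib
import hmac
import json

# Constructed HMAC secret so the example is self-contained. Real Keycloak
# tokens are RS256-signed; verify them against the realm's JWKS public key.
SECRET = b"constructed-example-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict) -> str:
    """Build a constructed HS256 JWT carrying the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_and_decode(token: str) -> dict:
    """Return the claims only after the signature checks out."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))

def roles_from_claims(claims: dict) -> set:
    """Collect roles in the layout Keycloak's built-in role mappers emit:
    realm_access.roles and resource_access.<client>.roles. The same layout
    appears in userinfo once 'Add to userinfo' is enabled on the mapper."""
    roles = {f"realm:{r}" for r in claims.get("realm_access", {}).get("roles", [])}
    for client, access in claims.get("resource_access", {}).items():
        roles.update(f"{client}:{r}" for r in access.get("roles", []))
    return roles

def stale_roles(token: str, userinfo: dict) -> set:
    """Roles a still-valid token asserts that live userinfo no longer lists."""
    return roles_from_claims(verify_and_decode(token)) - roles_from_claims(userinfo)

# Constructed sample: token issued while the user still held realm role "admin".
TOKEN = make_token({"sub": "user-1", "realm_access": {"roles": ["admin", "user"]},
                    "resource_access": {"myclient": {"roles": ["reports"]}}})
# Constructed userinfo response fetched after "admin" was revoked.
USERINFO = {"sub": "user-1", "realm_access": {"roles": ["user"]},
            "resource_access": {"myclient": {"roles": ["reports"]}}}
```

`stale_roles(TOKEN, USERINFO)` returns `{"realm:admin"}`, the role the cached token still grants but the live userinfo no longer does.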