11

How can I get the roles included in the reply of the userinfo endpoint in Keycloak? I defined a "Role Mapping" for the user in Keycloak. When I call the userinfo endpoint I get fields like email, name, etc., but the roles are not included in the reply. When I call the auth endpoint I get the access_token, and the scope field has roles included. Here is the reply from the auth endpoint:

"access_token" QJsonValue(string, "eyJhb...")
"expires_in" QJsonValue(double, 300)
"not-before-policy" QJsonValue(double, 0)
"refresh_expires_in" QJsonValue(double, 1800)
"refresh_token" QJsonValue(string, "eyJhb...")
"scope" QJsonValue(string, "profile email roles")
"session_state" QJsonValue(string, "20b48536-4b38-4aa6-9072-e8309833402e")
"token_type" QJsonValue(string, "bearer")

I also tried to call the userinfo endpoint with the attribute "scope=roles", but this didn't work.

Bumblebee
  • 513
  • 2
  • 4
  • 15
  • if you un-parse accessToken, there are user roles for all clients you assigned to. https://stackoverflow.com/questions/38552003/how-to-decode-jwt-token-in-javascript-without-using-a-library – Dmitri Algazin Sep 19 '19 at 09:15
  • Bumblebee, I may be able to help you out here, but I need more details so a few questions: 1. Are you able to see the roles in decoded token? -try https://jwt.io/ for decoding your token 2. How are you trying to extract fields from token - through javascript library or Java library? – tryingToLearn Sep 20 '19 at 04:41
  • tryingToLearn, yes, I can decode the token in jwt.io and can also see the roles. I would like to extract the fields in a Qt5 C++ application. – Bumblebee Oct 03 '19 at 04:36
  • I gave an answer related to this post's question in another one. [Here it is](https://stackoverflow.com/a/75281326/3443964) – Alik Khilazhev Jan 30 '23 at 07:36

4 Answers

17

As someone already mentioned, it's a bug. I heard it's fixed in the latest version of Keycloak.

I eventually fixed it with this setting without upgrading to the fixed version of Keycloak.

When you add User Realm Role, it will have "realm_access.roles" as Token Claim Name. You need to change it to "roles". Then it will show correctly within userinfo.


handicop
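As an added example (not code from the question or any answer), the following Python helper does what the first comment suggests, decoding the access token payload, and then collects roles from every claim name this thread mentions: `roles` (the renamed mapper), `realm_access.roles` (default realm-role mapper) and `resource_access.<client_id>.roles` (default client-role mapper). The token is constructed locally and its signature is not verified, so it is only for inspecting a token you obtained yourself, not for making authorization decisions.

```python
import base64
import json
from typing import Dict, Optional, Set

# Constructed sample payload shaped like a Keycloak access token.
SAMPLE_PAYLOAD = {
    "scope": "profile email roles",
    "preferred_username": "bumblebee",
    "realm_access": {"roles": ["offline_access", "app-user"]},
    "resource_access": {"my-client": {"roles": ["reader"]},
                        "other-client": {"roles": ["admin"]}},
}


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_payload(token: str) -> Dict:
    """Return the claims of a compact JWS WITHOUT checking its signature.

    Only use this to look at a token you received yourself; anything that
    grants access must verify the signature (e.g. against the realm's JWKS).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def roles_from_claims(claims: Dict, client_id: Optional[str] = None) -> Set[str]:
    """Collect roles from the claim layouts discussed in this thread.

    Works on a decoded access token or on a userinfo response, so it can be
    used to check whether the mapper change made the roles appear in userinfo.
    """
    roles: Set[str] = set(claims.get("roles", []))
    roles.update(claims.get("realm_access", {}).get("roles", []))
    resource_access = claims.get("resource_access", {})
    clients = [client_id] if client_id else list(resource_access)
    for cid in clients:
        roles.update(resource_access.get(cid, {}).get("roles", []))
    return roles


def make_sample_token(payload: Dict = SAMPLE_PAYLOAD) -> str:
    """Build a constructed, unsigned token: placeholder header and signature."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(payload), "signature-placeholder"])
```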
6

Should be this issue: https://keycloak.discourse.group/t/resource-access-claim-missing-from-userinfo-until-i-change-the-name/1238

When renaming the claim in Client Scopes -> roles -> Mappers -> realm roles/client roles, i.e. realm_access.roles to realm_accessy.roles (and setting Add to userinfo to ON), it is included in userinfo :-/

Torsten Römer
  • The issue is fixed in Keycloak 12: https://issues.redhat.com/browse/KEYCLOAK-9874 – Torsten Römer Sep 23 '20 at 21:38
  • This is still broken in Keycloak 20.0.3 for Client Roles. With the default claim name of "resource_access.${client_id}.roles", the client roles were not included in userinfo. After changing the claim name to "client_roles" they are included. – Adam Feb 26 '23 at 03:27
  • edit: actually you can change the claim name to be the same as the default value and save it then it does work, so it seems the claim name default value is shown but not used until edited. – Adam Feb 26 '23 at 03:35
2

In the mapper page on Keycloak, there is a setting called Add to userinfo, that has to be enabled.

qdivision
2

For those for whom the above answers didn't work, I spent the whole day figuring it out.
Basically, you have to go to Client Scopes --> roles --> then move to the Mappers tab, select client roles, and turn Add to ID token, access token and userinfo on.

Here is the Screenshot Client Roles

Kancer