
I'm using the Spring Boot Keycloak Adapter in my backend application. It has properties for extracting roles from the JWT token:

keycloak:
   use-resource-roles-mapping: true

If this option is set to true, then the roles of the user will be extracted from the token field resource_access.roles[]

If this option is set to false, then the roles of the user will be extracted from the token field realm_access.roles[]

But I have roles in my token in another field: roles[] is placed directly in the root, without the resource_access or realm_access wrappers.

As I see it, the Keycloak adapter does not allow customizing the behaviour of extracting roles from the token. So, the question is: how do I override this behaviour to extract roles from the token field I want?


Actually, client roles are held in resource_access.{client-id}.roles, (not resource_access.roles).

Keycloak adapters were deprecated a year ago and are not compatible with spring-boot 3. Just don't use them.

You can refer to the accepted answer to "Use Keycloak Spring Adapter with Spring Boot 3" for alternatives. The solution described there works for spring-boot versions pulling spring-security with SecurityFilterChain (boot 2.4 or so) with almost no modification (just a few configuration methods have been renamed in spring-security 6 (boot 3) to align the reactive and servlet DSLs).

You should read the part of the answer with "my" starters, which enable configuring role mapping from application.properties (or yaml): source claims (not just one claim at a time, but as many as you need), prefix and case transformation. All that for each issuer (it is possible to accept identities from as many realms or Keycloak instances as you need, or even from OIDC authorization servers other than Keycloak).

ch4mp
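As an added illustration (not code from the question, the answer or ch4mp's starters), here is a plain Spring Security granted-authorities converter that reads roles from a configurable list of claim paths, so the root-level roles[] claim, realm_access.roles and resource_access.{client-id}.roles can all be honoured without the Keycloak adapter. The class name, the "ROLE_" prefix and the client id "my-client" are assumptions chosen for the example.

```java
import java.util.*;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
/** Hypothetical converter: collects roles from several JWT claim paths instead of the adapter's two fixed ones. */
public class ClaimPathAuthoritiesConverter implements Converter<Jwt, Collection<GrantedAuthority>> {
    private final List<String> claimPaths; // dot-separated, e.g. "roles", "resource_access.my-client.roles"
    private final String prefix;           // "ROLE_" so hasRole("ADMIN") matches a token role "admin"
    public ClaimPathAuthoritiesConverter(List<String> claimPaths, String prefix) {
        this.claimPaths = List.copyOf(claimPaths);
        this.prefix = prefix;
    }

    @Override
    public Collection<GrantedAuthority> convert(Jwt jwt) {
        Set<GrantedAuthority> authorities = new LinkedHashSet<>(); // de-duplicates roles repeated across claims
        for (String path : claimPaths) {
            for (String role : rolesAt(jwt.getClaims(), path.split("\\."))) {
                authorities.add(new SimpleGrantedAuthority(prefix + role.toUpperCase(Locale.ROOT)));
            }
        }
        return authorities;
    }

    /** Walks nested claim maps; a missing or wrongly typed segment yields no roles instead of an exception. */
    @SuppressWarnings("unchecked")
    static List<String> rolesAt(Map<String, Object> claims, String[] segments) {
        Object node = claims;
        for (String segment : segments) {
            if (!(node instanceof Map)) return List.of();
            node = ((Map<String, Object>) node).get(segment);
        }
        if (!(node instanceof Collection<?> values)) return List.of();
        List<String> roles = new ArrayList<>();
        for (Object value : values) {
            if (value instanceof String s && !s.isBlank()) roles.add(s);
        }
        return roles;
    }
    /** Drop-in for http.oauth2ResourceServer(o -> o.jwt(j -> j.jwtAuthenticationConverter(...))). */
    public static JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(new ClaimPathAuthoritiesConverter(
                List.of("roles", "realm_access.roles", "resource_access.my-client.roles"), "ROLE_"));
        return converter;
    }
}
```

Only roles that are non-blank strings inside a JSON array are accepted, so a token carrying a differently shaped claim at one of the configured paths is authenticated with fewer authorities rather than rejected with a ClassCastException.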