Update Keycloak Realm template

Recent Keycloak versions don't support custom mappers in individual clients anymore. To work around this issue, we instead patch the default `roles` client scope to include the `local-dev` client roles in the `groups` field of the ID and access tokens.
appuio · Oct 20, 2023 · c94a2d7 · c94a2d7
1 parent eb4364d
commit c94a2d7
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/local-env/templates/realm.json.tpl b/local-env/templates/realm.json.tpl
@@ -1013,6 +1013,21 @@
           "consentRequired": false,
           "config": {}
         },
+        {
+          "name": "client-role-groups",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-client-role-mapper",
+          "consentRequired": false,
+          "config": {
+            "multivalued": "true",
+            "userinfo.token.claim": "false",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "groups",
+            "jsonType.label": "String",
+            "usermodel.clientRoleMapping.clientId": "local-dev"
+          }
+        },
         {
           "name": "client roles",
           "protocol": "openid-connect",