From c94a2d79bf7d9222000f6953f4b5bde48133f534 Mon Sep 17 00:00:00 2001
From: Simon Gerber
Date: Fri, 20 Oct 2023 16:26:20 +0200
Subject: [PATCH] Update Keycloak Realm template

Recent Keycloak versions don't support custom mappers in individual clients anymore. To work around this issue, we instead patch the default `roles` client scope to include the `local-dev` client roles in the `groups` field of the ID and access tokens.
---
 local-env/templates/realm.json.tpl | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/local-env/templates/realm.json.tpl b/local-env/templates/realm.json.tpl
index ecb39220..a07fdb6b 100644
--- a/local-env/templates/realm.json.tpl
+++ b/local-env/templates/realm.json.tpl
@@ -1013,6 +1013,21 @@
 "consentRequired": false,
 "config": {}
 },
+ {
+ "name": "client-role-groups",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-client-role-mapper",
+ "consentRequired": false,
+ "config": {
+ "multivalued": "true",
+ "userinfo.token.claim": "false",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "groups",
+ "jsonType.label": "String",
+ "usermodel.clientRoleMapping.clientId": "local-dev"
+ }
+ },
 {
 "name": "client roles",
 "protocol": "openid-connect",
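Review bot: The new `client-role-groups` mapper writes the `local-dev` client roles into a claim named `groups` in both ID and access tokens, and per the commit message it sits in the default `roles` client scope, so every client that receives that scope would get tokens carrying these values, not only `local-dev`. Anything that authorizes on `groups` will then treat a Keycloak client role as a group membership, and a group-membership mapper writing the same claim elsewhere in the realm would be indistinguishable from it in the token. If only `local-dev` needs the claim, consider a dedicated client scope assigned to that client instead of the realm-wide default, and since JSON cannot carry a comment, state in the local-env documentation that this realm template is for development use only. The enclosing mapper list and scope definition start and end outside the hunk, so the scope placement is taken from the commit message rather than from visible lines.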