You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/docs/manage/sso-keycloak-tutorial.md
+15-3Lines changed: 15 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -240,15 +240,26 @@ To include roles in JWT tokens:
240
240
**realm roles**:
241
241
242
242
- Maps realm roles to `realm_access.roles` claim
243
-
-Should be enabled by default
243
+
-Exists by default
244
244
245
245
**client roles**:
246
246
247
247
- Maps client roles to `resource_access.{client_id}.roles` claim
248
-
-Should be enabled by default
248
+
-Exists by default
249
249
250
250
If missing, create them manually using **Add mapper** → **By configuration** → **User Realm Role** or **User Client Role**.
251
251
252
+
**Important — enable on ID token and userinfo, not just the access token:**
253
+
254
+
Keycloak's built-in **realm roles** and **client roles** mappers ship with only **Add to access token** turned on. **Add to ID token** and **Add to userinfo** are off by default. ContextForge reads roles from the userinfo response (and falls back to the ID token in some configurations) — it does not parse the access token — so with the defaults left as-is, `realm_access`/`resource_access` never reach the gateway and `SSO_KEYCLOAK_ROLE_MAPPINGS`/`SSO_KEYCLOAK_MAP_REALM_ROLES` silently have nothing to map, even though the role is assigned correctly in Keycloak.
255
+
256
+
For each of the **realm roles** and **client roles** mappers, open it and switch on:
257
+
258
+
-**Add to ID token**
259
+
-**Add to userinfo**
260
+
261
+
(in addition to the default **Add to access token**). The local `infra/keycloak/realm-export.json` dev seed already configures these mappers correctly — this step is only needed when wiring up your own Keycloak realm by hand.
**Solution**: Configure role mappers and enable role mapping
841
852
842
-
1. Verify role mappers exist:
853
+
1. Verify role mappers exist and reach the ID token / userinfo:
843
854
844
855
- Go to **Client scopes** → **roles** → **Mappers**
845
856
- Ensure **realm roles** and **client roles** mappers exist
857
+
- Open each mapper and confirm **Add to ID token** and **Add to userinfo** are both ON — Keycloak ships these mappers with only **Add to access token** enabled by default, and ContextForge reads roles from userinfo/ID token, not the access token. This is the most common cause of "role assigned in Keycloak but gateway treats user as default role" — see [Step 4.4](#44-configure-role-mappers).
0 commit comments