
How can I get the roles included in the reply of the userinfo endpoint in keycloak? I defined a "Role Mapping" for the user in keycloak. When I call the userinfo endpoint I get fields like email, name, etc., but the roles are not included in the reply. When I call the auth endpoint I get the access_token, and the scope field has roles included. Here is the reply from the auth endpoint:

"access_token" QJsonValue(string, "eyJhb...")
"expires_in" QJsonValue(double, 300)
"not-before-policy" QJsonValue(double, 0)
"refresh_expires_in" QJsonValue(double, 1800)
"refresh_token" QJsonValue(string, "eyJhb...")
"scope" QJsonValue(string, "profile email roles")
"session_state" QJsonValue(string, "20b48536-4b38-4aa6-9072-e8309833402e")
"token_type" QJsonValue(string, "bearer")

I also tried to call the userinfo endpoint with the attribute "scope=roles", but this didn't work.

Bumblebee
  • if you un-parse accessToken, there are user roles for all clients you assigned to. https://stackoverflow.com/questions/38552003/how-to-decode-jwt-token-in-javascript-without-using-a-library – Dmitri Algazin Sep 19 '19 at 09:15
  • Bumblebee, I may be able to help you out here, but I need more details so a few questions: 1. Are you able to see the roles in decoded token? -try https://jwt.io/ for decoding your token 2. How are you trying to extract fields from token - through javascript library or Java library? – tryingToLearn Sep 20 '19 at 04:41
  • tryingToLearn, yes, I can decode the token in jwt.io and can also see the roles. I would like to extract the fields in a Qt5 C++ application. – Bumblebee Oct 03 '19 at 04:36

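The comments above suggest decoding the access token itself, since Keycloak places realm roles under `realm_access.roles` and client roles under `resource_access.<client-id>.roles` in the token's JSON payload. The following is an added Python example (not code from the question or from Keycloak) that splits a compact JWT, base64url-decodes the payload segment and collects those role lists. The token it decodes is constructed inline with a placeholder signature, so it is for inspection only: the function deliberately does not verify the signature, and a relying party must validate the token against the realm's JWKS before acting on any claim it contains.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> dict:
    # A compact JWS is header.payload.signature. Only the payload is decoded here;
    # the signature is NOT checked, so treat the result as untrusted input.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(b64url_decode(parts[1]))


def extract_roles(claims: dict) -> dict:
    # Realm roles live under realm_access.roles; client roles live under
    # resource_access.<client-id>.roles. Missing claims yield empty lists.
    roles = {"realm": list(claims.get("realm_access", {}).get("roles", []))}
    for client_id, access in claims.get("resource_access", {}).items():
        roles[client_id] = list(access.get("roles", []))
    return roles


# Constructed sample claims: issuer, client id and role names are made up
# for this example and do not come from any real realm.
SAMPLE_CLAIMS = {
    "exp": 1568883600,
    "iss": "https://keycloak.example/auth/realms/demo",
    "scope": "profile email roles",
    "preferred_username": "bumblebee",
    "realm_access": {"roles": ["offline_access", "uma_authorization", "app-user"]},
    "resource_access": {
        "my-client": {"roles": ["viewer"]},
        "account": {"roles": ["manage-account", "view-profile"]},
    },
}

# Constructed token: real header and payload encoding, placeholder signature.
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    "placeholder-signature",
])


if __name__ == "__main__":
    claims = decode_jwt_payload(SAMPLE_TOKEN)
    print(json.dumps(extract_roles(claims), indent=2))
```

The same split-and-decode step is what a Qt application would do with `QByteArray::fromBase64` (using the `Base64UrlEncoding` option) and `QJsonDocument`; the structure of the claims is identical regardless of language.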
4 Answers

As someone already mentioned, it's a bug. I heard it's fixed in the latest version of keycloak.

I eventually fixed it with this setting, without upgrading to the fixed version of keycloak.

When you add User Realm Role, it will have "realm_access.roles" as Token Claim Name. You need to change it to "roles". Then it will show correctly within userinfo.


handicop

Should be this issue: https://keycloak.discourse.group/t/resource-access-claim-missing-from-userinfo-until-i-change-the-name/1238

When renaming the claim in Client Scopes -> roles -> Mappers -> realm roles/client roles, i.e. realm_access.roles to realm_accessy.roles (and setting Add to userinfo to ON), it is included in userinfo :-/

Torsten Römer

In the mapper page on Keycloak, there is a setting called Add to userinfo, that has to be enabled.

qdivision

For those for whom the above answer didn't work: I have spent the whole day figuring it out.
Basically, you have to go to Client Scopes --> roles --> then move to the Mappers tab, select client roles, and turn Add to ID token, access token and userinfo on.

Screenshot: Client Roles

Suraj Rao
Kancer