I would like to map external openid-connect provider roles to my keycloak client roles.

In order to do this I have configured an Identity Provider (in my case it's another Keycloak instance). Logging in to the main Keycloak through the second instance works like a charm.

We have a requirement to assign roles in our server based on the external roles. In order to do that I have configured a Role mapper of type "External role to role" for my Identity Provider. Works like a charm.

User John wants to log in to Keycloak A and goes to the external IDP (Keycloak B). Keycloak B authenticates the user and returns a JWT token with role X. My Keycloak A is configured to map role X to role Y.

The problem is that once the Keycloak B administrator removes John from role X, he can still log in to my system (as intended), but role Y is not removed. Any chance to sync roles instead of only mapping them once?

1 Answer

During the creation of the Role Mapper "External role to role", set the Sync Mode Override option to 'force' so that it always updates the user during every login with the identity provider.
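As an added example (not part of the question or answer above, and not Keycloak's own code), the script below audits the role mappers of a brokered identity provider for exactly this problem and builds a corrected mapper with `syncMode` set to `FORCE`. It assumes Keycloak's Admin REST API paths under a base URL without the legacy `/auth` prefix, an identity provider alias `keycloak-b`, and that the "External role to role" mapper is registered under the provider id `keycloak-oidc-role-to-role-idp-mapper` with the config keys `external.role` and `role`; the sample mapper list is constructed inline so the audit functions run offline.

```python
"""Audit Keycloak identity-provider role mappers for a non-FORCE sync mode.

Added example, standard library only. Assumptions: Admin REST API at BASE_URL
(no /auth prefix), the provider id and config keys below, and that the
identity provider's own syncMode is what a mapper set to INHERIT falls back to.
"""
import json
import urllib.parse
import urllib.request

BASE_URL = "https://keycloak-a.example.invalid"   # placeholder host
REALM = "myrealm"                                  # placeholder realm
IDP_ALIAS = "keycloak-b"                           # placeholder IdP alias

# Assumed provider id of the "External role to role" mapper for a Keycloak OIDC IdP.
ROLE_TO_ROLE_MAPPER = "keycloak-oidc-role-to-role-idp-mapper"
VALID_SYNC_MODES = ("INHERIT", "IMPORT", "FORCE", "LEGACY")


def build_role_mapper(idp_alias, external_role, local_role, sync_mode="FORCE"):
    """Mapper representation mapping one external role to one local role.

    FORCE re-evaluates the mapping on every brokered login, so a role revoked
    on the external IdP is also removed locally the next time the user logs in.
    IMPORT and LEGACY apply the mapping only when the user is first imported.
    """
    if sync_mode not in VALID_SYNC_MODES:
        raise ValueError("unknown syncMode: %s" % sync_mode)
    return {
        "name": "%s-to-%s" % (external_role, local_role),
        "identityProviderAlias": idp_alias,
        "identityProviderMapper": ROLE_TO_ROLE_MAPPER,
        "config": {
            "syncMode": sync_mode,
            "external.role": external_role,   # assumed config key
            "role": local_role,               # assumed config key
        },
    }


def effective_sync_mode(mapper, idp_sync_mode):
    """Resolve INHERIT against the identity provider's own syncMode setting."""
    mode = mapper.get("config", {}).get("syncMode", "INHERIT").upper()
    return idp_sync_mode.upper() if mode == "INHERIT" else mode


def mappers_not_forced(mappers, idp_sync_mode):
    """Return role-to-role mappers whose effective mode is not FORCE.

    These are the mappers for which a role removed at the external IdP
    silently stays assigned in the local realm after the first login.
    """
    return [
        m for m in mappers
        if m.get("identityProviderMapper") == ROLE_TO_ROLE_MAPPER
        and effective_sync_mode(m, idp_sync_mode) != "FORCE"
    ]


def admin_request(method, path, token, body=None):
    """Minimal Admin REST API call with a bearer token (network, not run in tests)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def audit_live(token):
    """Fetch the IdP and its mappers, then report those that need FORCE."""
    idp_path = "/admin/realms/%s/identity-provider/instances/%s" % (
        REALM, urllib.parse.quote(IDP_ALIAS))
    idp = admin_request("GET", idp_path, token)
    mappers = admin_request("GET", idp_path + "/mappers", token)
    idp_mode = idp.get("config", {}).get("syncMode", "LEGACY")
    return mappers_not_forced(mappers, idp_mode)


if __name__ == "__main__":
    # Constructed sample: the questioner's X -> Y mapper left at IMPORT.
    sample = [
        build_role_mapper(IDP_ALIAS, "X", "Y", sync_mode="IMPORT"),
        build_role_mapper(IDP_ALIAS, "admin", "local-admin"),          # FORCE
        build_role_mapper(IDP_ALIAS, "auditor", "viewer", "INHERIT"),
    ]
    for m in mappers_not_forced(sample, idp_sync_mode="IMPORT"):
        print("mapper %r will not revoke roles on re-login; set syncMode=FORCE"
              % m["name"])
    print(json.dumps(build_role_mapper(IDP_ALIAS, "X", "Y"), indent=2))
```

To apply the fix against a live realm, obtain an admin token (for example from the `admin-cli` client in the `master` realm) and `PUT` the corrected representation back to `/admin/realms/{realm}/identity-provider/instances/{alias}/mappers/{id}`; the audit deliberately resolves `INHERIT` against the provider-level setting, because a mapper that inherits `FORCE` is already correct and should not be flagged.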