I use Keycloak to authenticate users. I have created new realm(Efairy-realm), client(efairy-backend) and new roles(user, moderator, admin). It looks like that:
Config 1 look like this. Config 2 look like this.
The problem starts in access_token:
{
"exp": 1619466995,
"iat": 1619466935,
"jti": "fcd20273-fb45-408c-9e20-126653d69719",
"iss": "http://localhost:8082/auth/realms/efairy-realm",
"aud": "account",
"sub": "b1d89dc2-c12d-4c80-beed-c9a6065ec604",
"typ": "Bearer",
"azp": "efairy-backend",
"session_state": "d4a2b283-2f54-4a17-9a27-99db26278ba7",
"acr": "1",
"allowed-origins": [
"",
"http://localhost:8083"
],
"realm_access": {
"roles": [
"offline_access",
"uma_authorization"
]
},
"resource_access": {
"efairy-backend": {
"roles": [
"uma_protection",
"user"
]
},
"account": {
"roles": [
"manage-account",
"manage-account-links",
"view-profile"
]
}
},
"scope": "profile roles email",
"clientHost": "172.23.0.1",
"email_verified": false,
"clientId": "efairy-backend",
"groups": [
"offline_access",
"uma_authorization"
],
"preferred_username": "service-account-efairy-backend",
"clientAddress": "172.23.0.1"
}
I've created new user called moderator with role moderator and when im loggin to this user I' receiving roles(resource_access.efairy-backend.roles) that I set in tab Service Account Roles, but i would like to get roles that i declare in new user called moderator in Role Mappings tab.
Login flow looks like this:
Im redirecting user from my frontend app to keyclock login page with those params: /auth/realms/efairy-realm/protocol/openid-connect/auth?response_type=code&client_id=efairy-backend&redirect_uri=http://localhost:8083/auth-redirect-url
Then Im entering proper user and password, and click Sign in
After successful sing in Im redirecting to frontend app, and make request for token with params: /auth/realms/efairy-realm/protocol/openid-connect/token
grant_type: client_credentials
client_id: efairy-backend
client_secret: <client_secret>
code: <secret_code>Response:
access_token: "eyJhbGciO...AjbA",
expires_in: 60,
not-before-policy: 1619128217,
refresh_expires_in: 1799,
refresh_token: "eyJ...XQ_R0",
scope: "profile roles email",
session_state: "fcf1391d-...b11795c03f80",
token_type: "Bearer",
Anyone know how to fix it? :)