By marone: July 2020 | last update: August 2020
Goal
In the previous article, we saw how to use Keycloak as a resource server. The Spring Security hasAuthority was internally mapped from JWT scopes. That works, but someone who is used to Keycloak roles will find it difficult to work with scopes, and some authorization servers don't support scopes at all. So we need a mapping between Spring Security and Keycloak roles.
Used technologies
Keycloak 8.x
Jwt converter
First we need a JWT converter, which extracts the roles from the access token and returns an Authentication
Read the roles from JWT. The roles are part of the claim
Each role will be converted to a SimpleGrantedAuthority object.
To make the mapping easier, the prefix was added
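An added example (not the article's own code) of the converter described above: it reads the realm roles from the JWT, turns each into a prefixed SimpleGrantedAuthority, and returns no authorities when the claim is missing or malformed. The class name, the realm_access.roles claim path (Keycloak's default layout for realm roles) and the ROLE_ prefix are assumptions, since the article's own values are not shown here.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;

// Hypothetical class name; maps Keycloak realm roles to Spring Security authorities.
public class KeycloakRealmRoleConverter implements Converter<Jwt, AbstractAuthenticationToken> {

    // Assumptions: Keycloak's default realm-role claim layout and Spring's usual role prefix.
    private static final String REALM_ACCESS_CLAIM = "realm_access";
    private static final String ROLES_KEY = "roles";
    private static final String ROLE_PREFIX = "ROLE_";

    @Override
    public AbstractAuthenticationToken convert(Jwt jwt) {
        return new JwtAuthenticationToken(jwt, extractAuthorities(jwt));
    }

    // Fails closed: a missing or malformed claim yields no authorities at all.
    static Collection<GrantedAuthority> extractAuthorities(Jwt jwt) {
        Object realmAccess = jwt.getClaims().get(REALM_ACCESS_CLAIM);
        if (!(realmAccess instanceof Map)) {
            return Collections.emptySet();
        }
        Object roles = ((Map<?, ?>) realmAccess).get(ROLES_KEY);
        if (!(roles instanceof Collection)) {
            return Collections.emptySet();
        }
        Set<GrantedAuthority> authorities = new LinkedHashSet<>();
        for (Object role : (Collection<?>) roles) {
            // Skip non-string or blank entries instead of stringifying arbitrary JSON values.
            if (role instanceof String && !((String) role).trim().isEmpty()) {
                authorities.add(new SimpleGrantedAuthority(ROLE_PREFIX + role));
            }
        }
        return authorities;
    }
}
```

With the ROLE_ prefix, an access rule such as hasRole("ADMIN") matches a token whose realm roles contain ADMIN.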
Adapt the configuration
We use now
We use the custom OAuth2ResourceServerConfigurer which uses the JWT converter.
Keycloak roles in access token
The Resource Server expected a role with
Change roles mappings
To assign the ADMIN role to the user, click on Users in the left menu bar. Then, on the right side, click View all users and pick johndoe; a new page will appear. Go to the
The roles part of the access token now looks like: