Keycloak - how to get service account roles in client credentials access token

Question

I want a backend app to use another backend service's API, and control per app what it is authorized to call on the backend service. I am using OAuth 2.0 client credentials flow and Keycloak as the authorization server. I expect roles defined for the backend service and set for the backend app to appear in the access token I request from Keycloak. But the only thing I can manage to appear, are realm level client scopes.

I tried the following (I don't expect to need all of this, but I wanted to try anything that made a little sense):

created realm Test
added client scope on the realm (realm-clientscope1)
added roles on the realm (realm-role1, realm-role2)
define client "backend-service", made this a "bearer-only" client since it doesn't have to authorize itself to other services
create roles on this client (backendservice-role1, backendservice-role2, backendservice-role3-comp)
define client "backend-app", made this a confidential client, with service account enabled
added role on this client (backendapp-role1)
assigned realm-clientscope1 as a default scope
on the scope tab (backend-app Scope Mappings), turned off "Full Scope Allowed", assigned realm-role1, realm-role2, and client roles backendservice-role1, backendservice-role2, backendservice-role3-comp
assigned service account roles with the same roles as on the scope tab (realm-role1, realm-role2, and client roles backendservice-role1, backendservice-role2, backendservice-role3-comp)

After all this, I used Postman to get an access token for grant_type client-credentials. The only thing on the access token is the realm scope "realm-clientscope1". Why all these options to set service account roles, etc. If they don't show up?

I assume I am misunderstanding how roles are used, but I can't find a proper explanation either.

To try and cover all bases, I also turned on Authorization Enabled on the "backend-app" client, and under authorization, tried to define authorization scopes, policies and permissions that made some sense. This too, did not result in any more authorization info appearing on the access token.

The last thing I tried, is changing my "backend-service" app from "bearer-only" to "confidential" with Service Accounts Enabled. This also did not make a difference (as expected).

Keycloak version is 15.1.0 (thanks for asking, dreamcrash).

Did you try to assign the roles under the client tab "Service Account Roles" ? — dreamcrash, Jan 24 '22 at 08:46
Yes, I did this for the backend-app that is trying to talk to the backend-services API. — manuel, Jan 24 '22 at 11:26

Francisco Sousa · Answer 1 · 2022-10-20T12:16:00.757

0

A little late, but I hope that it can be helpful to someone having the same problem.

Basically, it's necessary go to Client scopes tab, and add roles to default scope. Notice that desired role must be setted in both Scope and Service account roles tabs or it can be setted Allow full scope in Scope tab, and then just set the desired role in Service account roles tab.

EDIT: I forgot to say these configurations must be set in client.

So, in my JWT token, I can see the role:

edited Oct 20 '22 at 12:16

answered Oct 17 '22 at 15:23

Francisco Sousa

13
1
3

Thanks for answering. I think I did all that, but only the realm scope came back from the authorization request. – manuel Oct 19 '22 at 09:11
I've edit my answer to show some configuration screens – Francisco Sousa Oct 20 '22 at 12:17
Thanks for the clarification. I will have a go at that again. – manuel Oct 24 '22 at 13:08

Keycloak - how to get service account roles in client credentials access token

1 Answers1