I'm using the nestjs-keycloak-connect module in multi-tenant mode. The log shows everything is correct, but the result is "Resource denied due to mismatched role(s)". The example controller:

@Controller(':company')
@UseGuards(AuthGuard, RoleGuard)
export class CompanyController {
  @Get('/')
  @Roles({
    roles: ['admin'],
  })
  view(@Param('company') company: string) {
    return `your company is : ${company}`;
  }
}

[Nest] 23435  - 09/08/2022, 11:13:53 PM VERBOSE [Keycloak] Using token validation method: ONLINE
[Nest] 23435  - 09/08/2022, 11:13:53 PM VERBOSE [Keycloak] Authenticated User: {"exp":1662662924,"iat":1662662624,"jti":"13f4b99a-d5bb-4b5f-8fbd-2bffbbcc16ed","iss":"http://localhost:8080/realms/testrealm","aud":"account","sub":"ac10f640-535a-4658-8bcf-daac003e076c","typ":"Bearer","azp":"k","session_state":"66edf11e-e69b-42a9-a1cf-52988d5c9d51","acr":"1","realm_access":{"roles":["default-roles-testrealm","offline_access","admin","uma_authorization"]},"resource_access":{"account":{"roles":["manage-account","manage-account-links","view-profile"]}},"scope":"profile email","sid":"66edf11e-e69b-42a9-a1cf-52988d5c9d51","email_verified":true,"preferred_username":"x@y.z","given_name":"","family_name":"","email":"x@y.z"}
[Nest] 23435  - 09/08/2022, 11:13:53 PM VERBOSE [Keycloak] Controller has no @Resource defined, request allowed due to policy enforcement
[Nest] 23435  - 09/08/2022, 11:13:53 PM VERBOSE [Keycloak] Using matching mode: any
[Nest] 23435  - 09/08/2022, 11:13:53 PM VERBOSE [Keycloak] Roles: ["admin"]
[Nest] 23435  - 09/08/2022, 11:13:53 PM VERBOSE [Keycloak] Resource denied due to mismatched role(s)

I can't understand where the problem is!

Vahid Alimohamadi

1 Answer

I needed to add the role to the client; I had added the role to the realm.

Vahid Alimohamadi

    Thanks for sharing this. It helped me solve the same issue with roles. They had to be configured on the client, unless you specify them with the `realm:` prefix, like `realm:role_name`; in that case, roles configured on the realm will do. – Егор Малыгин Mar 29 '23 at 13:06