I am currently setting up a fresh Keycloak instance and I am trying to achieve the following:
- Users will be placed in groups
- These groups will get client-specific roles
For example I have the role "Publisher" and several groups of publishers: Publisher1, Publisher2, ...
So, when a user logs in, I can determine whether he is a publisher or not and then give him access to a specific set of features on the website. The groups shall then narrow down all info he will receive.
Just as the role gives him access to a REST API, the group filters the results he will receive.
In SQL: SELECT * FROM xyz WHERE publisher_id = ?
In the token I want to see this info. When using the evaluate feature I currently receive this:
{
  "jti": "3e96fc9d-b1dc-428a-8f8e-0661f9cf265b",
  "exp": 1578303161,
  "nbf": 0,
  "iat": 1578302861,
  "iss": "https://prodo-sso-ti.ariva-services.de/auth/realms/PRODO",
  "aud": "account",
  "sub": "55bed571-dd3b-4282-8688-5da543517a49",
  "typ": "Bearer",
  "azp": "dashboard",
  "auth_time": 0,
  "session_state": "12ab2b8c-dc9a-42ca-b106-1a213dd38fc0",
  "acr": "1",
  "allowed-origins": [
    "https://secretlink"
  ],
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    },
    "dashboard": {
      "roles": [
        "Publisher"
      ]
    }
  },
  "scope": "openid profile email",
  "group_membership": [
    "/Publisher1"
  ],
  "email_verified": true,
  "name": "My Name",
  "preferred_username": "mb",
  "locale": "de",
  "given_name": "My",
  "family_name": "Name",
  "email": "[email protected]"
}
I activated the Group Membership Mapper to get the groups the user is in. The problem is that I only get the name of the group, while I need something more useful, like an ID. So I tried to add an attribute "publisher_id" with the numeric value "1" to the group.
How is it possible to also get this publisher_id in the group membership info or somewhere else? Or maybe I am on the wrong track and this could be achieved differently?
I appreciate any hints :)
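The consuming side of the design sketched in the question (role gates the REST endpoint, group narrows the rows), as an added example that is not part of the original post. It assumes a `publisher_ids` claim has been added to the token by a mapper (the question's token does not carry it yet), that the JWT signature, `exp` and `iss` have already been verified by upstream middleware, and that the `dashboard` client of the question is the one whose roles count. Claim values are passed to the database as query parameters, never spliced into the SQL text.

```javascript
// Added example, not the question author's code. Input is an already-verified
// claims object; the publisher_ids claim is an assumption (added by a token mapper).

const CLIENT_ID = 'dashboard';      // client from the question's token (azp / resource_access key)
const REQUIRED_ROLE = 'Publisher';  // client role that unlocks the endpoint

// Returns the publisher ids the caller may query, or null when the caller is not
// authorised at all. Role check first: group data alone never grants access.
function authorizePublisher(claims) {
  // A token minted for another client must not be accepted here.
  if (claims.azp !== CLIENT_ID) return null;
  const roles = (claims.resource_access
    && claims.resource_access[CLIENT_ID]
    && claims.resource_access[CLIENT_ID].roles) || [];
  if (!roles.includes(REQUIRED_ROLE)) return null;
  const ids = Array.isArray(claims.publisher_ids) ? claims.publisher_ids : [];
  // Keep only integer ids; a publisher with no usable id gets an empty allow-list,
  // which the query below turns into "no rows", not "all rows".
  return ids.filter((n) => Number.isInteger(n));
}

// Builds the parameterised query (node-postgres style $n placeholders) that applies
// the group-derived filter. Values never enter the SQL text.
function buildPublisherQuery(allowedIds) {
  if (allowedIds.length === 0) {
    return { text: 'SELECT * FROM xyz WHERE false', values: [] };
  }
  const placeholders = allowedIds.map((_, i) => '$' + (i + 1)).join(', ');
  return {
    text: 'SELECT * FROM xyz WHERE publisher_id IN (' + placeholders + ')',
    values: allowedIds,
  };
}

// What a request handler would do with the verified claims: 403 without the role
// (or for a foreign client), otherwise the filtered query for the data layer.
function handlePublisherRequest(claims) {
  const allowed = authorizePublisher(claims);
  if (allowed === null) return { status: 403 };
  return { status: 200, query: buildPublisherQuery(allowed) };
}

// Constructed sample, modelled on the token in the question plus the assumed claim.
const sampleClaims = {
  azp: 'dashboard',
  resource_access: {
    account: { roles: ['manage-account', 'view-profile'] },
    dashboard: { roles: ['Publisher'] },
  },
  group_membership: ['/Publisher1'],
  publisher_ids: [1],
};

console.log(JSON.stringify(handlePublisherRequest(sampleClaims)));
```

The split into `authorizePublisher` and `buildPublisherQuery` keeps the decision (may this caller see publisher data at all?) separate from the scoping (which rows?), so a missing or malformed `publisher_ids` claim fails closed instead of silently widening the result set.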
There is an easy way to add group IDs to the token:
Client Scopes -> Create -> Client Scope Template (Audience template) -> your_client_name
Client Scopes -> your_client_name -> Mappers -> Create
and then paste this code into the Script section:
    /**
     * Available variables:
     * user - the current user
     * realm - the current realm
     * token - the current token
     * userSession - the current userSession
     * keycloakSession - the current keycloakSession
     */
    // Collect the ID of every group the user belongs to.
    var groups = [];
    // "for each" is Nashorn syntax for iterating a Java collection (user.getGroups()).
    for each (var group in user.getGroups()) groups.push(group.getId());
    // Add the IDs as a custom claim; Java.to converts the JS array to a Java String[].
    token.setOtherClaims("groups_ids",
        Java.to(groups, "java.lang.String[]")
    );
Do not forget to set "Add to access token".
You will see it in your token as groups_ids.
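Extending the script mapper above so that it also emits the group attribute the question asked about (the numeric `publisher_id` set on each publisher group), as an added example that is not the answer's code. The claim building is a plain function that works on simple objects, so it can be unit-tested outside Keycloak with constructed input; the Keycloak-specific part at the bottom only runs when the mapper variables (`user`, `token`) exist. It assumes each publisher group carries a `publisher_id` attribute and uses `GroupModel.getId()`, `getName()` and `getAttribute(name)` (a `java.util.List<String>`) from Keycloak's model API. Instead of the `for each` extension it uses `forEach`, which Nashorn accepts on Java collections and streams.

```javascript
// Added example, not the answer's script. Attribute name "publisher_id" and the
// claim names "groups_ids" / "publisher_ids" are assumptions for this example.

// Pure part: input is an array of {id, name, attributes: {key: [values]}} objects,
// output is the set of claims to add. Only groups that carry a well-formed integer
// publisher_id contribute one; anything else is skipped rather than emitted.
function buildGroupClaims(groups) {
  var ids = [];
  var publisherIds = [];
  for (var i = 0; i < groups.length; i++) {
    var g = groups[i];
    ids.push(g.id);
    var values = (g.attributes && g.attributes.publisher_id) || [];
    for (var j = 0; j < values.length; j++) {
      var raw = String(values[j]).trim();
      var n = parseInt(raw, 10);
      // Group attribute values are strings in Keycloak; accept only plain integers
      // and drop duplicates (a user may sit in nested groups with the same id).
      if (String(n) === raw && publisherIds.indexOf(n) === -1) {
        publisherIds.push(n);
      }
    }
  }
  return { groups_ids: ids, publisher_ids: publisherIds };
}

// Keycloak glue (Nashorn script mapper): only runs inside the mapper, where the
// "user" and "token" variables are bound, so the file also loads under Node.
if (typeof user !== 'undefined' && typeof token !== 'undefined') {
  var plain = [];
  user.getGroups().forEach(function (group) {
    var attr = group.getAttribute('publisher_id');  // java.util.List<String>, may be empty
    plain.push({
      id: group.getId(),
      name: group.getName(),
      attributes: { publisher_id: attr ? Java.from(attr) : [] }
    });
  });
  var claims = buildGroupClaims(plain);
  // Java.to converts the JS arrays into the Java array types the token serialiser expects.
  token.setOtherClaims('groups_ids', Java.to(claims.groups_ids, 'java.lang.String[]'));
  token.setOtherClaims('publisher_ids', Java.to(claims.publisher_ids, 'int[]'));
}
```

As with the original script, "Add to access token" must be enabled on the mapper for the claims to appear in the access token. Keeping the attribute parsing strict means a mistyped group attribute results in a missing id, which the API can treat as "no data", rather than an unexpected value reaching the database filter.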