I've extracted a user's groups information from the OIDC endpoint of Keycloak, but they don't come with the group ATTRIBUTES I defined (see Attributes tab into the group form
I was able to achieve this by adding groups/roles info in token other claims property:
For this, in the Keycloak config, go to your client -> mappers & add a group/role mapper. E.g.
Now this info will start coming in your access token:
To access these group attributes in Java, you can extract them from the otherClaims property of the access token. E.g.:
// The Keycloak adapter stores the security context as a request attribute
KeycloakSecurityContext keycloakSecurityContext = (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
AccessToken token = keycloakSecurityContext.getToken();
Map<String, Object> otherClaims = token.getOtherClaims();
In the image below you can see that the otherClaims property of the token is filled with the groups attribute that we created in Keycloak. Note that if we had named "token claim property" as groupXYZ, the otherClaims would be showing:
groupsXYZ=[Administrator]
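An added example, not part of the original answer and not Keycloak's own code: a helper that reads a mapper-produced claim from the map returned by token.getOtherClaims() without blind casts, since the value can arrive as a single string or as a list depending on how the mapper is configured, and an authorization check should not depend on an unchecked cast. The class name GroupClaimReader, the method readClaim and the claim name department are assumptions, and the sample map is constructed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class GroupClaimReader {

    /**
     * Returns the values of a claim as an immutable list of strings.
     * A missing claim yields an empty list; an unexpected type is rejected
     * instead of being cast blindly.
     */
    static List<String> readClaim(Map<String, Object> otherClaims, String claimName) {
        Object raw = otherClaims.get(claimName);
        if (raw == null) {
            return Collections.emptyList();                 // claim not mapped into this token
        }
        if (raw instanceof String) {
            return Collections.singletonList((String) raw); // single-valued claim
        }
        if (raw instanceof Collection) {
            List<String> values = new ArrayList<>();
            for (Object item : (Collection<?>) raw) {
                if (!(item instanceof String)) {
                    throw new IllegalArgumentException("Non-string entry in claim " + claimName);
                }
                values.add((String) item);
            }
            return Collections.unmodifiableList(values);
        }
        throw new IllegalArgumentException("Unexpected type for claim " + claimName);
    }

    public static void main(String[] args) {
        // Constructed sample standing in for token.getOtherClaims()
        Map<String, Object> otherClaims = new HashMap<>();
        otherClaims.put("groups", Arrays.asList("Administrator"));
        otherClaims.put("department", "security"); // hypothetical attribute claim

        System.out.println(readClaim(otherClaims, "groups"));
        System.out.println(readClaim(otherClaims, "department"));
        System.out.println(readClaim(otherClaims, "missing"));
    }
}
```

Treating a missing claim as an empty list means a token without the mapper applied grants no group-based access by default.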
This is how I could eventually map group attributes (inherited as user attributes, as suspected before) into user information, into the "other claims" section: