feat: Include Role in OIDC Token Scope by Default #114

Open
joelmccoy opened this issue Jun 25, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@joelmccoy

Is your feature request related to a problem? Please describe.

The OIDC token does not pass the role scope by default in the token.

I have a use case where I am trying to map Keycloak to a new app (BookStack) via OIDC. I was originally going to use the groups default scope to map to roles, however the app doesn't allow you to map group names to roles without using the admin GUI (i.e. you can't map the /Admin Keycloak group to the Admin role; it needs to be an exact match).

I would like to use the roles scope to create custom roles for a particular client. In fact I think it would be beneficial to have client roles as an additional scope for role mapping in potential apps.

As of right now the roles scope is not included in the ID token. I believe that is configured here. I request that we set this parameter to true for the default uds-core identity configuration.

Describe the solution you'd like

  • Given a fresh deployment of uds-core
  • When creating an OIDC auth flow via the sso configuration in the uds CR
  • The role scope is automatically passed with the OIDC ID token

Describe alternatives you've considered

I've tried to configure the end app to map /Admin to the Admin role, but this can only be manually configured in the GUI and not done in code. Also, once you enable OIDC for the app it locks out the default admin user (creating a chicken/egg scenario).

Additional context

I think including the roles in the OIDC token gives the end user some flexibility for better Role mappings for apps that support using this claim.

PS: If there is a way to set this with the uds-core CR that would also be a viable solution for me, but I don't think that is possible at the moment.

@joelmccoy joelmccoy added the enhancement New feature or request label Jun 25, 2024
@joelmccoy
Author

I think you also need to change the client role mapper setting to include the roles in the ID token as well, here.
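The issue and the follow-up comment both come down to one question a relying party has to answer: did the role claims actually arrive in the ID token, and how should client roles be turned into application roles? The example below is added here to illustrate that; it is not code from uds-core, Keycloak or the issue author. It assumes Keycloak's usual claim layout (realm roles under `realm_access.roles`, client roles under `resource_access.<client_id>.roles`), a hypothetical client id `bookstack`, a placeholder issuer URL, and constructed token payloads. It deliberately decodes the payload without verifying a signature, because the sample token is built locally; a real relying party verifies the token against the issuer's JWKS before reading any claim.

```python
import base64
import json

# Constructed sample payload, shaped like a Keycloak ID token emitted when
# both the roles scope and the client-role mapper include their claims in
# the ID token. Every value is made up for this example.
SAMPLE_PAYLOAD_WITH_ROLES = {
    "iss": "https://sso.example.test/realms/uds",   # placeholder issuer
    "aud": "bookstack",                              # hypothetical client id
    "sub": "f1d2d2f9-0000-4000-8000-000000000000",  # constructed subject id
    "preferred_username": "alice",
    "groups": ["/Admin"],
    "realm_access": {"roles": ["default-roles-uds", "offline_access"]},
    "resource_access": {"bookstack": {"roles": ["admin", "editor"]}},
}

# Same token with the role claims stripped: the situation the issue describes,
# where the roles scope is not included in the ID token.
SAMPLE_PAYLOAD_WITHOUT_ROLES = {
    k: v for k, v in SAMPLE_PAYLOAD_WITH_ROLES.items()
    if k not in ("realm_access", "resource_access")
}

# Explicit allowlist from Keycloak client role to application role. A role
# that is not listed maps to nothing, so an unexpected role grants no access.
ROLE_MAP = {"admin": "Admin", "editor": "Editor"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_unsigned_token(payload: dict) -> str:
    """Build header.payload.signature with an empty signature (demo input only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}."


def decode_payload(token: str) -> dict:
    """Decode the payload segment only.

    No signature verification happens here; a relying party must verify the
    token against the issuer's JWKS before trusting any claim it carries."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("token must have three segments")
    body = segments[1]
    body += "=" * (-len(body) % 4)  # restore the base64url padding
    return json.loads(base64.urlsafe_b64decode(body))


def client_roles(payload: dict, client_id: str) -> list:
    """Return the client roles for client_id, or [] when the claim is absent."""
    return (
        payload.get("resource_access", {})
        .get(client_id, {})
        .get("roles", [])
    )


def map_app_roles(payload: dict, client_id: str) -> dict:
    """Map Keycloak client roles to application roles.

    Returns {"roles": [...], "claim_present": bool} so the caller can tell
    'no roles granted' apart from 'the roles claim never arrived', which is
    the misconfiguration the issue is about and worth logging separately."""
    present = client_id in payload.get("resource_access", {})
    granted = sorted(
        {ROLE_MAP[r] for r in client_roles(payload, client_id) if r in ROLE_MAP}
    )
    return {"roles": granted, "claim_present": present}


if __name__ == "__main__":
    cases = (
        ("with roles", SAMPLE_PAYLOAD_WITH_ROLES),
        ("without roles", SAMPLE_PAYLOAD_WITHOUT_ROLES),
    )
    for label, p in cases:
        token = build_unsigned_token(p)
        print(label, map_app_roles(decode_payload(token), "bookstack"))
```

Running it shows the two outcomes side by side: with the mapper configured to emit the claim, `bookstack` receives `Admin` and `Editor`; without it, the result carries no roles and `claim_present` is false, which is the signal to check the client scope and the client-role mapper rather than the user's role assignments.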
