Ability to access all roles of multiple keycloak clients in an OpenID token #23138

Closed
Markus-Schwer opened this issue Jan 24, 2022 · 2 comments

Comments

@Markus-Schwer (Contributor)

Description

This might be a niche use-case, but I need to check if a user has a specific role from another client.
As an example, suppose I have a keycloak OpenID token with two roles from two clients:

{
  "name": "John Doe",
  ...
  "resource_access": {
     "client1": {
        "roles": [
           "role1"
        ]
     },
     "client2": {
        "roles": [
           "role2"
        ]
     }
  }
}

My oidc config in my application.properties looks something like this:

quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/quarkus
quarkus.oidc.client-id=client1
# the role-claim-path is implicitly resource_access/ + clientId + /roles
# quarkus.oidc.roles.role-claim-path=resource_access/client1/roles

In my application code I need to check if the user/token has both role1 and role2. Currently this does not work, as the quarkus.oidc.roles.role-claim-path can only select a single claim, and keycloak tokens have different claims for multiple clients.

Implementation ideas

Idea 1

The config property quarkus.oidc.roles.role-claim-path could be refactored to accept a list of claim paths, e.g.:

quarkus.oidc.roles.role-claim-path=resource_access/client1/roles,resource_access/client2/roles

Idea 2

Another idea would be to allow wildcards in the quarkus.oidc.roles.role-claim-path property:

quarkus.oidc.roles.role-claim-path=resource_access/*/roles

The second idea might be more useful when a token has a lot of different clients and you don't want to list every client in your configuration. Also, the wildcard approach would be more similar to other keycloak oidc implementations, like the keycloak-wildfly-adapter, where (as far as I can remember) you can access all roles from a token.

@Markus-Schwer Markus-Schwer added the kind/enhancement New feature or request label Jan 24, 2022
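The claim-path resolution the two ideas above describe, written out as an added example. This is not Quarkus code or the reporter's code; it is a stand-alone resolver that accepts a comma-separated list of paths (idea 1) and a `*` wildcard segment (idea 2) and runs them against a constructed token payload with the same `resource_access` shape as the one in the issue. The `qualify` flag and the `account` client in the sample are assumptions added to show a caveat: a wildcard merges every client's roles into one flat set, so `role1` granted by client2 becomes indistinguishable from `role1` granted by client1, and built-in clients get swept in too.

```python
"""Resolve Quarkus-style role claim paths against a decoded token payload.

Added example, not Quarkus code. Supports both proposals from the issue:
  - a comma-separated list of claim paths (idea 1)
  - a '*' wildcard segment that fans out over all keys at that level (idea 2)
"""
import json

# Constructed sample payload mirroring the token shape in the issue; the
# 'account' client is a Keycloak built-in added here to show what a wildcard sweeps in.
SAMPLE_TOKEN = json.loads("""
{
  "name": "John Doe",
  "resource_access": {
    "client1": {"roles": ["role1"]},
    "client2": {"roles": ["role2"]},
    "account": {"roles": ["manage-account"]}
  }
}
""")

# Constructed payload where two clients grant a role with the same name.
COLLIDING_TOKEN = json.loads("""
{
  "name": "Jane Doe",
  "resource_access": {
    "client1": {"roles": ["role1"]},
    "client2": {"roles": ["role1", "role2"]}
  }
}
""")


def _walk(node, segments, taken=()):
    """Yield (concrete_path, value) for every node reachable by following
    segments; a '*' segment matches every key of the current object."""
    if not segments:
        yield taken, node
        return
    if not isinstance(node, dict):
        return
    head, rest = segments[0], segments[1:]
    keys = list(node.keys()) if head == "*" else ([head] if head in node else [])
    for key in keys:
        yield from _walk(node[key], rest, taken + (key,))


def resolve_roles(token, role_claim_path, qualify=False):
    """Collect roles from one or more '/'-separated claim paths.

    role_claim_path examples:
      'resource_access/client1/roles,resource_access/client2/roles'  (idea 1)
      'resource_access/*/roles'                                      (idea 2)
    qualify=True prefixes each role with the client segment that produced it
    (the segment before the final 'roles'), so roles from different clients
    never collapse into one flat namespace.
    """
    roles = set()
    for path in (p.strip() for p in role_claim_path.split(",") if p.strip()):
        for taken, value in _walk(token, path.split("/")):
            if isinstance(value, str):
                value = [value]
            if not isinstance(value, list):
                continue  # not a roles array; ignore rather than guess
            client = taken[-2] if len(taken) >= 2 else None
            for role in value:
                if isinstance(role, str):
                    roles.add(f"{client}:{role}" if qualify and client else role)
    return roles


def has_all_roles(token, role_claim_path, required, qualify=False):
    """True only when every required role is present in the resolved set."""
    return set(required) <= resolve_roles(token, role_claim_path, qualify)


if __name__ == "__main__":
    explicit = "resource_access/client1/roles,resource_access/client2/roles"
    print("idea 1:", sorted(resolve_roles(SAMPLE_TOKEN, explicit)))
    print("idea 2:", sorted(resolve_roles(SAMPLE_TOKEN, "resource_access/*/roles")))
    print("both roles:", has_all_roles(SAMPLE_TOKEN, explicit, {"role1", "role2"}))
    print("collision, flat:", sorted(resolve_roles(COLLIDING_TOKEN, "resource_access/*/roles")))
    print("collision, qualified:",
          sorted(resolve_roles(COLLIDING_TOKEN, "resource_access/*/roles", qualify=True)))
```

The flat wildcard result for `COLLIDING_TOKEN` is just `{"role1", "role2"}`, which cannot tell the application which client granted `role1`; the qualified form keeps `client1:role1` and `client2:role1` apart. Whichever syntax is adopted, an application that cares about a role from a specific client should either list that client's path explicitly or keep the client prefix when checking.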
@quarkus-bot (bot) commented Jan 24, 2022

/cc @pedroigor, @sberyozkin

@Markus-Schwer Markus-Schwer changed the title Ability to access all roles of all keycloak clients in an OpenID token Ability to access all roles of multiple keycloak clients in an OpenID token Jan 24, 2022

@sberyozkin (Member)

#23139 Fixes it
