Description
Describe the issue:
Related to #4010
A change was added recently to add a default groups claim attribute name for Keycloak to manage their own groups rather than using Identity to manage their group memberships. However, when setting this to `groups`, it seems to me that we did not check whether Keycloak actually returns a `groups` claim attribute. In my testing, I found that the openid-configuration endpoint reports these possible claim attributes:
```json
[
  "aud",
  "sub",
  "iss",
  "auth_time",
  "name",
  "given_name",
  "family_name",
  "preferred_username",
  "email",
  "acr"
]
```
and in my JWT, I got the following attributes:

```json
{
  "exp": 1756344934,
  "iat": 1756308934,
  "jti": "2f5984fc-aabb-46d6-8260-0be86aedeed8",
  "iss": "https://ISSUERHOST/auth/realms/camunda-platform",
  "sub": "39ba252a-3b01-4ff7-801d-609d7be0c7ab",
  "typ": "Serialized-ID",
  "sid": "1680c705-9afc-45f1-b3af-fd1dff623caa",
  "state_checker": "qTJ_s8s8pnzPGGtoFlTKSGMlolpO-RT22WY_fk0Qqbo"
}
```
We need to find a way to configure Keycloak to send `groups` in the claim by default, otherwise group membership in Keycloak will be meaningless.
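The missing check described above, as an added example (not code from the issue author or the chart): it compares the configured groups claim name against what the discovery document advertises in `claims_supported` and against what a token actually carries. The discovery document, the token payload (copied from the claims shown in this issue) and the placeholder signature are constructed sample data; `check_groups_claim` and `make_sample_token` are names chosen here, not Keycloak or chart APIs. The decoder only inspects the payload and does not verify the signature, so it is a diagnostic aid, not a validation step.

```python
import base64
import json

# Constructed sample: the subset of a Keycloak /.well-known/openid-configuration
# response that matters here. Note that "groups" is absent from claims_supported.
SAMPLE_DISCOVERY = {
    "issuer": "https://ISSUERHOST/auth/realms/camunda-platform",
    "claims_supported": [
        "aud", "sub", "iss", "auth_time", "name", "given_name",
        "family_name", "preferred_username", "email", "acr",
    ],
}

# Constructed sample payload mirroring the token from the issue (no groups claim).
SAMPLE_PAYLOAD = {
    "exp": 1756344934,
    "iat": 1756308934,
    "jti": "2f5984fc-aabb-46d6-8260-0be86aedeed8",
    "iss": "https://ISSUERHOST/auth/realms/camunda-platform",
    "sub": "39ba252a-3b01-4ff7-801d-609d7be0c7ab",
    "typ": "Serialized-ID",
    "sid": "1680c705-9afc-45f1-b3af-fd1dff623caa",
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(payload: dict) -> str:
    """Build a compact JWT-shaped string for offline testing.

    The signature segment is a constructed placeholder, not a real signature;
    this exists only so the inspection code below has realistic input.
    """
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder-signature"


def decode_jwt_payload(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT verifying its signature.

    Only use this to see which claims a token carries; trust decisions must
    go through a verifying library against the realm's JWKS.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_groups_claim(discovery: dict, payload: dict, claim_name: str = "groups") -> dict:
    """Report whether the configured groups claim is advertised and actually present.

    Returns a dict with:
      advertised - claim_name appears in the discovery document's claims_supported
      present    - claim_name exists in the token payload
      groups     - the claim value (None when absent)
      status     - "ok", "present_but_not_advertised", or "missing"
    """
    advertised = claim_name in discovery.get("claims_supported", [])
    present = claim_name in payload
    if present and advertised:
        status = "ok"
    elif present:
        status = "present_but_not_advertised"
    else:
        status = "missing"
    return {
        "advertised": advertised,
        "present": present,
        "groups": payload.get(claim_name),
        "status": status,
    }


if __name__ == "__main__":
    token = make_sample_token(SAMPLE_PAYLOAD)
    result = check_groups_claim(SAMPLE_DISCOVERY, decode_jwt_payload(token))
    print(json.dumps(result, indent=2))
```

Run against the sample data this reports `status: "missing"`, which is exactly the situation in the issue: the realm neither advertises nor emits a `groups` claim, so any group-based authorization keyed on that claim name silently grants nothing. The same function with a payload that does carry `groups` returns `"ok"` (or `"present_but_not_advertised"` if the realm emits the claim through a mapper without listing it in `claims_supported`), which is the state to confirm after the Keycloak side has been configured to include group membership in the token.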
Actual behavior:
Expected behavior:
How to reproduce:
Logs:
Environment:
Please note: Without the following info, it's hard to resolve the issue and probably it will be closed.
- Platform:
- Helm CLI version:
- Chart version:
- Values file: