Hello,
Let's say I have two Keycloak instances, K1 and K2. I have users with roles defined on K1. I want to use K1 as an OIDC identity provider for K2. In order to do so, I create a client on K1 to use with K2; I add a role mapper to this client so that roles defined on K1 are included in the tokens K1 issues under the "roles" claim. Authenticating on K2 using K1 works fine.
Now I would like these roles assigned on K1 to be included in the tokens issued by K2 when a user authenticates on K2 using K1. I thought provider mappers could help (like "claim to role"), but it seems like the roles must first exist in K2 for the default mappers to work properly. Would it be possible to just get the roles from the "roles" claim in the access token from K1 and inject them into a claim in the tokens issued by K2?
Thanks,
--
Matthieu Huin
(He/Him/His)
Senior Software Developer
Red Hat
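The configuration below is an added example, not part of the original message and not an answer from the Keycloak project. It shows one way to carry the K1 "roles" claim through K2 as a plain claim without creating the roles on K2: an identity provider mapper of the built-in "Attribute Importer" type (provider id `oidc-user-attribute-idp-mapper`) copies the incoming `roles` claim into a user attribute on K2, and a "User Attribute" protocol mapper (`oidc-usermodel-attribute-mapper`) on the K2 client emits that attribute as a multivalued claim in the tokens K2 issues. The identity provider alias `k1`, the client id `k2-app`, the attribute name `k1_roles` and the mapper names are assumptions chosen for the example; the fragment is in the shape of a Keycloak realm export so it can be compared against an existing export or pasted into the corresponding sections of the admin REST payloads.

```json
{
  "identityProviderMappers": [
    {
      "name": "k1-roles-to-attribute",
      "identityProviderAlias": "k1",
      "identityProviderMapper": "oidc-user-attribute-idp-mapper",
      "config": {
        "syncMode": "FORCE",
        "claim": "roles",
        "user.attribute": "k1_roles"
      }
    }
  ],
  "clients": [
    {
      "clientId": "k2-app",
      "protocolMappers": [
        {
          "name": "k1-roles-claim",
          "protocol": "openid-connect",
          "protocolMapper": "oidc-usermodel-attribute-mapper",
          "consentRequired": false,
          "config": {
            "user.attribute": "k1_roles",
            "claim.name": "k1_roles",
            "jsonType.label": "String",
            "multivalued": "true",
            "id.token.claim": "true",
            "access.token.claim": "true",
            "userinfo.token.claim": "true"
          }
        }
      ]
    }
  ]
}
```

Two points to check before relying on this. `syncMode` is set to `FORCE` on purpose: with the default `IMPORT` the attribute is written only on the user's first login through K1, so a role removed on K1 would keep appearing in K2's tokens until the attribute is cleared by hand. Whether the Attribute Importer stores every element of a multivalued `roles` claim (rather than only the first) depends on the Keycloak version in use, so inspect the user's attributes on K2 after a test login. Also note what this does and does not give you: the values end up in a `k1_roles` claim that the downstream application can read, but they are not Keycloak roles on K2, so K2's own role-based authorization (client scopes, role-restricted resources, the "Advanced Claim to Role" style mappers) will not see them, and K2 is trusting K1's assertion of the user's roles without any further checking.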