Tags: authentication, oauth-2.0, authorization, keycloak, openid-connect

Get roles from Keycloak userinfo endpoint


I have a Keycloak realm with authorization code flow with public access type.

How can I get user roles from keycloak userinfo endpoint without client_secret?

I'm trying to use mappers but can't get this information. The userinfo endpoint returns only this:

{
   "sub":"ace69576-614e-41fe-9584-aac69c34dec1",
   "email_verified":true,
   "name":"John Doe",
   "Token Claim Name":[
      "Realm Role prefixuma_authorization",
      "Realm Role prefixoffline_access"
   ],
   "preferred_username":"user",
   "given_name":"John",
   "family_name":"Doe",
   "email":"[email protected]"
}

Solution

  • How can I get user roles from keycloak userinfo endpoint without client_secret?

    Whether or not you can get the user roles from the userinfo endpoint is not related to the type of client (i.e., confidential or public).

    To make the user roles (i.e., realm and/or client-related roles) also available from the userinfo endpoint, do the following:

    • Go to the corresponding realm;
    • Go to the corresponding client;
    • Go to Mappers;
    • Click on Create;
    • As the Mapper Type select User Realm Role;
    • Set to ON the option Add to userinfo, and click Save;

    If the user has client roles assigned to it, repeat the aforementioned steps, but this time select User Client Role as the Mapper Type.
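As an added example (not code from the question or the answer), a small Python helper that reads roles out of a userinfo response once the mappers above are in place, and that recognises the shape of the output shown in the question. The claim names "realm_roles" and "resource_access.my-app.roles" and the client id "my-app" are assumptions, as is the explanation that the mapper's field labels ended up typed into the "Token Claim Name" and "Realm Role prefix" fields.

```python
import json
from typing import Any

# Constructed sample, same shape as the response in the question: roles sit under
# a claim literally named "Token Claim Name" and each value starts with the text
# "Realm Role prefix". Assumption (not stated on the page): the mapper form's
# field labels were typed into the claim-name and prefix fields themselves.
BEFORE = json.loads('''{
  "sub": "ace69576-614e-41fe-9584-aac69c34dec1",
  "Token Claim Name": ["Realm Role prefixuma_authorization", "Realm Role prefixoffline_access"],
  "preferred_username": "user"
}''')

# Constructed sample of the expected shape after the fix: a User Realm Role mapper
# with claim name "realm_roles" (hypothetical) and a User Client Role mapper with
# claim name "resource_access.my-app.roles" (hypothetical client id "my-app").
AFTER = {
    "sub": "ace69576-614e-41fe-9584-aac69c34dec1",
    "realm_roles": ["uma_authorization", "offline_access", "app-admin"],
    "resource_access": {"my-app": {"roles": ["viewer", "editor"]}},
}


def get_claim(userinfo: dict, claim_path: str) -> Any:
    """Resolve a dotted claim name such as 'resource_access.my-app.roles'; None if absent."""
    node: Any = userinfo
    for part in claim_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def extract_roles(userinfo: dict, claim_path: str, prefix: str = "") -> list[str]:
    """Return role names found under claim_path, stripping the mapper's role prefix if one was set."""
    value = get_claim(userinfo, claim_path)
    if value is None:
        return []
    roles = value if isinstance(value, list) else [value]  # mapper may be single- or multivalued
    return [r[len(prefix):] if prefix and r.startswith(prefix) else r
            for r in roles if isinstance(r, str)]


def mapper_looks_misconfigured(userinfo: dict) -> bool:
    """True when the response shows the symptom from the question: the claim is named after
    the form field and every value carries the literal 'Realm Role prefix' label."""
    values = userinfo.get("Token Claim Name")
    return isinstance(values, list) and bool(values) and all(
        isinstance(v, str) and v.startswith("Realm Role prefix") for v in values)
```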