clawsmith.com/idea/keycloak-role-attribute-claim-mapper
Idea, Competitive, keycloak, oidc, spi, Live

A CLI tool and SPI extension that maps Keycloak role attributes into OIDC token claims automatically

Keycloak removed its built-in script mapper in version 18 citing security concerns, leaving teams who need role-level attributes surfaced as OIDC token claims with no supported path. The only third-party SPI that fills this gap (nexiles/keycloak-client-role-attribute-mapper) targets Keycloak 21 and has not been updated for Keycloak 25 or 26, which ship breaking SPI API changes. This tool ships as a Keycloak SPI JAR plus a companion CLI that handles installation, configuration, and upgrade across Keycloak versions. Teams can declare which role attributes map to which claim names via a config file or admin-UI mapper panel, and the SPI injects those claims at token issuance time with no custom Java required from the operator. The CLI manages JAR deployment, version compatibility checks, and migration when Keycloak upgrades.

Demand Breakdown

GitHub
104

Gap Assessment

Competitive: Multiple tools exist but differentiation opportunities remain

3 tools exist (, , )

Features (7 agent-ready prompts)

Role attribute to claim mapper SPI (Keycloak 24-26 compatible)
CLI installer and version compatibility checker
Declarative mapper config file
Admin UI mapper panel with per-role attribute browser
Upgrade migration path for Keycloak major version bumps
Multi-realm and multi-client scope support
Token claim output validation and test harness

Competitive Landscape

Product | Does | Missing

Leads (20)

@thomasdarimont
@jschlyter
@KevinNaidoo
@Siedlerchr
@ecarlettiHC
@manfuin
@batressc
@frank-fegert
20 people already want this
