⚠ Issue | Wide Open | dev_tool_cli | Live

Keycloak cannot map role-level attributes into OIDC token claims after script mapper removal

Keycloak roles support arbitrary attributes (key-value metadata), but there is no built-in protocol mapper to include those attributes in OIDC ID tokens or userinfo responses. Script mappers that could implement this were removed in Keycloak 18+. The maintainer (stianst) explicitly stated they would not be against a community contribution, but Keycloak core will not ship this natively. No packaged SPI extension exists on GitHub, Maven, or Docker Hub that adds a Role Attribute mapper type as a drop-in jar.

Product Idea from this Signal

A CLI tool and SPI extension that maps Keycloak role attributes into OIDC token claims automatically

104 ▲

Keycloak removed its built-in script mapper in version 18 citing security concerns, leaving teams who need role-level attributes surfaced as OIDC token claims with no supported path. The only third-party SPI that fills this gap (nexiles/keycloak-client-role-attribute-mapper) targets Keycloak 21 and has not been updated for Keycloak 25 or 26, which ship breaking SPI API changes. This tool ships as a Keycloak SPI JAR plus a companion CLI that handles installation, configuration, and upgrade across Keycloak versions. Teams can declare which role attributes map to which claim names via a config file or admin-UI mapper panel, and the SPI injects those claims at token issuance time with no custom Java required from the operator. The CLI manages JAR deployment, version compatibility checks, and migration when Keycloak upgrades.

keycloak, oidc, spi, protocol-mapper, role-attributes, token-claims, identity, auth, java, cli
Competitive | 20 leads

Score Breakdown

GitHub: 104

Gap Assessment

Wide Open: No dedicated solution exists

Maintainer explicitly deferred to community contribution; script mappers removed in KC 18+ eliminated the workaround; no packaged SPI jar ships this; gap for a drop-in Keycloak SPI that adds Role Attribute protocol mapper