New Keycloak Realm not providing roles for app login


I'm working on setting up Keycloak to be my auth provider, using OIDC. My app is written using Quarkus.

I am creating a new realm using the following steps:

  1. Enter Keycloak Admin Console
  2. Under realm dropdown, hit "Create Realm". Name it oqm.
  3. Realm Settings -> General
    1. Realm ID changed to oqm
    2. Display name and HTML Display name set to Open QuarterMaster
    3. User-managed access turned on
    4. Hit "Save"
  4. Realm Settings -> Login. Turn on:
    • User Registration
    • Forgot Password
    • Remember Me
    • Email as Username?
    • Edit Username
  5. Authentication -> Policies -> Password Policy. Add the following policies:
    • Minimum Length of 8
    • Not username
    • Not email
    • Special chars
    • Uppercase letters
    • Lowercase letters
    • Digits
  6. Create Client
    1. Clients -> Create Client
    2. Client id: oqm-app
    3. Name: Open QuarterMaster App
    4. Always display in UI
    5. Client authentication on
    6. "Standard flow", "Direct access grants", "Implicit flow", and "Service Account Roles" all on
    7. Valid redirect URIs: *
    8. Valid post logout redirect URIs: +
    9. Create
  7. Add roles
    • inventoryAdmin -> Role to enable inventory administration. Can import/export inventory data.
    • inventoryView -> Role to enable viewing inventory.
    • inventoryEdit -> Role to enable editing inventory.
    • itemCheckout -> Role to enable checking out (and back in) items.
  8. Add groups with roles:
    • users
      • inventoryView
      • inventoryEdit
      • itemCheckout
    • admins as child group of users
      • inventoryAdmin
  9. Realm Settings -> User Registration -> Default Groups
    1. Add admins to default group (I have also tried adding all roles as default)

However, when I create a user and login, the app returns a 403, with the following log output:

12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76|  |c06abf9f49a51772|true ][io.qu.oi.ru.DefaultTenantConfigResolver |vert.x-eventloop-thread-3 ]():: Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76|  |c06abf9f49a51772|true ][io.qu.oi.ru.CodeAuthenticationMechanism |vert.x-eventloop-thread-3 ]():: Session cookie is present, starting the reauthentication
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76|  |c06abf9f49a51772|true ][io.qu.oi.ru.DefaultTenantConfigResolver |vert.x-eventloop-thread-3 ]():: Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76|  |c06abf9f49a51772|true ][io.qu.oi.ru.OidcIdentityProvider        |vert.x-eventloop-thread-3 ]():: Starting creating SecurityIdentity
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76|  |c06abf9f49a51772|true ][io.qu.oi.ru.DefaultTenantConfigResolver |vert.x-eventloop-thread-3 ]():: Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76|  |c06abf9f49a51772|true ][io.qu.oi.ru.OidcIdentityProvider        |vert.x-eventloop-thread-3 ]():: Verifying the JWT token with the local JWK keys
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76|  |c06abf9f49a51772|true ][io.qu.oi.ru.OidcUtils                   |vert.x-eventloop-thread-3 ]():: No claim exists at the path 'groups' at the path segment 'groups'
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76|  |c06abf9f49a51772|true ][io.qu.oi.ru.OidcUtils                   |vert.x-eventloop-thread-3 ]():: No claim exists at the path 'realm_access/roles' at the path segment 'realm_access'
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76|  |c06abf9f49a51772|true ][io.qu.oi.ru.OidcUtils                   |vert.x-eventloop-thread-3 ]():: No claim exists at the path 'resource_access/oqm-app/roles' at the path segment 'resource_access'

It seems to me that the roles never make it into the JWT? I am modeling my realm after the one provided by Quarkus' Keycloak dev service, which works when I add the required roles to the users provided there.

Content of "KEYCLOAK_IDENTITY" from jwt.io:

{
  "exp": 1691800027,
  "iat": 1691764027,
  "jti": "ef4a49f0-db0d-49f8-a2a2-36bd35cdb4ef",
  "iss": "http://localhost:32769/realms/oqm",
  "sub": "a1f2f54d-35b9-4e94-b673-0fbec79d7c33",
  "typ": "Serialized-ID",
  "session_state": "08730e5a-7f3b-4731-8062-c0083bfef614",
  "sid": "08730e5a-7f3b-4731-8062-c0083bfef614",
  "state_checker": "5F2Y4AL-QC1KUOwTLBXEGK_ZrHdlq9na6d0_joCJTaQ"
}

I would think I should see username/email/name as well as roles, but none are present? This is the only cookie that resembles a JWT, except maybe q_session*, but it is split up. I am wondering about the "two token" thing; I was expecting to see two JWTs, one identity and one auth?

I can obviously sign in fine, as going to Keycloak's account page shows my user's info; I just don't have the right info passed to my app in the tokens.

Snappawapa (best answer):

Figured it out; needed to: Clients -> oqm-app -> Client Scopes, set microprofile-jwt to "Default".

More detail on the thought process, though I basically needed to compare the two realm JSONs to figure it out: https://github.com/keycloak/keycloak/discussions/22398
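The debug log in the question shows the three claim paths Quarkus OIDC walks when looking for roles (groups, then realm_access/roles, then resource_access/oqm-app/roles), and the accepted answer's fix makes Keycloak's microprofile-jwt scope populate the groups claim with the user's realm roles. The script below is an added example, not code from the question, the answer, Quarkus or Keycloak: it reproduces that path lookup over a decoded token payload so you can see which paths are empty before the fix and which carry roles after it. The first sample payload is the KEYCLOAK_IDENTITY content quoted in the question (note that this cookie is Keycloak's own SSO session token, marked typ Serialized-ID, not the access token the application receives); the second is a constructed, made-up access token payload of the shape the microprofile-jwt scope produces, and the client id oqm-app and role names come from the question. The decoder only reads the payload for inspection; signature verification is left to Quarkus, which the log shows checking the token against the realm's JWKs.

```python
"""Check which role claim paths a JWT payload actually carries, mirroring the
lookup order seen in the Quarkus OIDC debug log (added example, not project code)."""
import base64
import json

# Claim paths in the order the log shows Quarkus trying them; "oqm-app" is the
# client id from the question.
ROLE_CLAIM_PATHS = ("groups", "realm_access/roles", "resource_access/oqm-app/roles")

# Payload of the KEYCLOAK_IDENTITY cookie as quoted in the question.
KEYCLOAK_IDENTITY_PAYLOAD = {
    "exp": 1691800027,
    "iat": 1691764027,
    "jti": "ef4a49f0-db0d-49f8-a2a2-36bd35cdb4ef",
    "iss": "http://localhost:32769/realms/oqm",
    "sub": "a1f2f54d-35b9-4e94-b673-0fbec79d7c33",
    "typ": "Serialized-ID",
    "session_state": "08730e5a-7f3b-4731-8062-c0083bfef614",
    "sid": "08730e5a-7f3b-4731-8062-c0083bfef614",
    "state_checker": "5F2Y4AL-QC1KUOwTLBXEGK_ZrHdlq9na6d0_joCJTaQ",
}

# Constructed (made-up) access token payload of the shape produced once the
# microprofile-jwt client scope is a default scope: realm roles land in "groups"
# (and in realm_access via Keycloak's default realm roles mapper), "upn" carries
# the username. No client roles were defined in the question, so there is no
# resource_access entry.
SAMPLE_ACCESS_TOKEN_PAYLOAD = {
    "iss": "http://localhost:32769/realms/oqm",
    "sub": "a1f2f54d-35b9-4e94-b673-0fbec79d7c33",
    "azp": "oqm-app",
    "upn": "alice@example.test",
    "groups": ["inventoryView", "inventoryEdit", "itemCheckout", "inventoryAdmin"],
    "realm_access": {
        "roles": ["default-roles-oqm", "inventoryView", "inventoryEdit",
                  "itemCheckout", "inventoryAdmin"]
    },
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Inverse of b64url_decode, used only to build test fixtures."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def encode_fixture_token(payload: dict) -> str:
    """Build a compact JWT string with a dummy signature segment, purely so
    decode_payload can be exercised offline. Nothing here signs anything."""
    header = b64url_encode(b'{"alg":"RS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}.dummy-signature"


def decode_payload(token: str) -> dict:
    """Return the payload of a compact JWT. Inspection only: the signature is
    not checked here; Quarkus verifies it against the realm's JWKs."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def claim_at_path(payload: dict, path: str):
    """Walk a '/'-separated claim path; None at the first missing segment,
    which is exactly the situation the 'No claim exists at the path' log
    lines report."""
    node = payload
    for segment in path.split("/"):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    return node


def extract_roles(payload: dict) -> dict:
    """Map each candidate path to the role names found there ([] if absent).
    A JSON array or a space-separated string is accepted."""
    found = {}
    for path in ROLE_CLAIM_PATHS:
        value = claim_at_path(payload, path)
        if isinstance(value, str):
            value = value.split()
        found[path] = list(value) if isinstance(value, list) else []
    return found


def missing_paths(payload: dict) -> list:
    """Paths that yield no roles; if all three are listed, Quarkus ends up with
    an empty role set and @RolesAllowed endpoints answer 403."""
    return [path for path, roles in extract_roles(payload).items() if not roles]


def all_roles(payload: dict) -> list:
    """Union of roles across all paths, sorted for stable comparison."""
    return sorted({r for roles in extract_roles(payload).values() for r in roles})


if __name__ == "__main__":
    for name, payload in (("KEYCLOAK_IDENTITY", KEYCLOAK_IDENTITY_PAYLOAD),
                          ("access token after fix", SAMPLE_ACCESS_TOKEN_PAYLOAD)):
        print(f"{name}: roles={all_roles(payload)} missing={missing_paths(payload)}")
```

Run against a real access token, paste the token string into decode_payload; the identity cookie from the question reports all three paths missing, which matches the 403, while the constructed post-fix payload yields the four inventory roles from groups and realm_access.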