Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
organizations
Describe the bug
An existing/custom default Client Scope `organization:*` with Mapper `organizations` no longer displays `organizations` in the JWT. Even if I add it as an `organizations` scope it does not show.
Version
26.2.5
Regression
- The issue is a regression
Expected behavior
When I add a default Client Scope with a Mapper listing Organization Membership named `organizations`, then the `organizations` claim should show in the JWT.
Actual behavior
When I add a default Client Scope `organizations` with a Mapper listing Organization Membership named `organizations`, then the `organizations` claim does not show in the JWT.
How to Reproduce?
Add a default Client Scope `organizations` with a Mapper listing Organization Membership named `organizations` and see that the `organizations` claim does not show in the JWT.
Anything else?
With Keycloak 26.1.0 I was able to add an `organization:*` default Client Scope having a Mapper with token name `organizations` displaying Organization Membership as a JSON map. Somewhere between that version and 26.2.5, the `organizations` claim stopped showing up in the JWT even though the scope clearly says `organization:*`: `"scope": "openid profile email organization:*",`. The Client Scope and the Mapper follow.
Adding the same Client Scope and Mapper to a fresh local install of 26.2.5 also does not show `organizations` in the JWT when it is a default scope. Even if I name it `organizations` as a new default scope (instead of `organization:*`) it does not show. However, if I use the existing/standard/out-of-the-box `organization` scope, update that mapper to be JSON and multivalued, and request the `organization:*` scope, then I get the expected map, but under `organization` in the token.
It feels like there is some kind of magic with the word `organization` going on.
The approach was from #33556 (comment).
The issue on our side is PhilanthropyDataCommons/auth#57.
This differs from #39402 and several others in that I do not see any organizations in the JWT at all, not only when a member of multiple.
On the bright side, I think `organization`, the default one, works a little more like I would have expected originally 😃.
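As an added diagnostic, not part of this issue or of Keycloak's own code: the script below decodes a JWT payload and reports under which claim name (the custom `organizations` or the built-in `organization`) the membership map was issued, and flags the symptom described above, a granted `organization:*` scope with no membership claim at all. The tokens are constructed, unsigned samples; the helper inspects the payload only and performs no signature validation, so it is for comparing what different Keycloak versions emit, not for accepting tokens.

```python
import base64
import json

# Claim names under which the report observes organization membership:
# the custom mapper's token name ("organizations") and the claim the
# out-of-the-box "organization" scope emits ("organization").
MEMBERSHIP_CLAIMS = ("organizations", "organization")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_payload(token: str) -> dict:
    """Return the JWT payload as a dict. The signature is deliberately not
    checked here; this only inspects which claims the issuer put in."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def find_membership_claim(token: str):
    """Return (claim_name, value) for the first membership claim present,
    or (None, None) when the token carries none."""
    payload = decode_payload(token)
    for name in MEMBERSHIP_CLAIMS:
        if name in payload:
            return name, payload[name]
    return None, None


def scope_granted_but_claim_missing(token: str, scope_name: str = "organization") -> bool:
    """True when the 'scope' claim grants the organization scope (plain or
    with an ':<org>' / ':*' suffix) but no membership claim was emitted,
    which is the behaviour the report describes for 26.2.5."""
    scopes = decode_payload(token).get("scope", "").split()
    granted = any(s == scope_name or s.startswith(scope_name + ":") for s in scopes)
    name, _ = find_membership_claim(token)
    return granted and name is None


def make_sample_token(payload: dict) -> str:
    """Build a constructed, unsigned sample token (empty signature segment)
    so the checks above can run offline without a Keycloak server."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}."


# Constructed samples mirroring the three outcomes described in the report.
SCOPE = "openid profile email organization:*"
TOKEN_MISSING = make_sample_token({"sub": "user-1", "scope": SCOPE})
TOKEN_BUILTIN = make_sample_token(
    {"sub": "user-1", "scope": SCOPE, "organization": {"example-org": {}}}
)
TOKEN_CUSTOM = make_sample_token(
    {"sub": "user-1", "scope": SCOPE, "organizations": {"example-org": {"id": "org-id-placeholder"}}}
)

if __name__ == "__main__":
    for label, tok in (("missing", TOKEN_MISSING), ("builtin", TOKEN_BUILTIN), ("custom", TOKEN_CUSTOM)):
        print(label, find_membership_claim(tok), scope_granted_but_claim_missing(tok))
```

Run it against a real access token copied from the account console or a token-introspection response to see which of the two claim names, if either, your Keycloak version emitted for the scope you requested.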