Issue with Mapping Roles to Groups in XWiki using OpenID Authentication with Keycloak

I have the same problem (Keycloak roles are not provisioned in XWiki), and do not have the line commented out:

I’m using oidc.groups.claim=realm_access.roles.

The token provided by Keycloak looks like this (xwiki_groups is a mapper which acts as a working backup with oidc.userinfoclaims):

{
  "exp": XXX,
  "iat": XXX,
  "jti": "XXX",
  "iss": "https://keycloak.XXX.XX/auth/realms/XXX",
  "aud": "account",
  "sub": "xxx",
  "typ": "Bearer",
  "azp": "xwiki.XXX",
  "session_state": "XXX",
  "acr": "1",
  "allowed-origins": [
    "https://xwiki.XXX"
  ],
  "realm_access": {
    "roles": [
      "role_1",
      "role_2",
      "admin"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid profile email",
  "sid": "XXX",
  "email_verified": true,
  "address": {},
  "name": "XXX",
  "preferred_username": "XXX",
  "given_name": "XXX",
  "xwiki_groups": [
    "role_1",
    "role_2",
    "admin"
  ],
  "family_name": "XXX",
  "email": "XXX"
}

If I use oidc.userinfoclaims and add xwiki_groups as a value, everything works as expected. However, a mapper must be created in the Keycloak client, e.g. as follows (and thanks to Jonas's hint):

  1. Name: xwiki_groups (doesn’t matter)
  2. Mapper Type: User Realm Role
  3. Multivalued: ON
  4. Token Claim Name: xwiki_groups (or however you named the value in the xwiki.preferences file)
  5. Claim JSON Type: String or keep Select
  6. Add to * selectors all set to ON
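
An added diagnostic, not part of the original post and not XWiki or Keycloak code: it decodes a token payload for inspection and reports whether a configured group claim name exists as a top-level claim (like xwiki_groups above) or only as a nested path (like realm_access.roles above). The function names and the sample token are constructed for illustration; the post does not say how the XWiki authenticator resolves dotted names, so the script only shows the difference between the two lookups.

```python
import base64
import json

def decode_payload(jwt: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    segment = jwt.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def lookup_flat(claims: dict, name: str):
    """Treat the configured name as one literal top-level key."""
    return claims.get(name)

def lookup_path(claims: dict, name: str):
    """Treat the configured name as a dotted path into nested objects."""
    node = claims
    for part in name.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def is_group_list(value) -> bool:
    """A usable group claim is a non-empty list of strings."""
    return isinstance(value, list) and bool(value) and all(isinstance(v, str) for v in value)

def diagnose(claims: dict, name: str) -> str:
    """Return 'top-level', 'nested-only' or 'missing' for a claim name."""
    if is_group_list(lookup_flat(claims, name)):
        return "top-level"
    if is_group_list(lookup_path(claims, name)):
        return "nested-only"
    return "missing"

def make_sample_token() -> str:
    """Constructed, unsigned token shaped like the one in the post."""
    payload = {
        "realm_access": {"roles": ["role_1", "role_2", "admin"]},
        "resource_access": {"account": {"roles": ["view-profile"]}},
        "xwiki_groups": ["role_1", "role_2", "admin"],
        "preferred_username": "XXX",
    }
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}."

if __name__ == "__main__":
    claims = decode_payload(make_sample_token())
    for name in ("realm_access.roles", "xwiki_groups", "groups"):
        print(f"{name}: {diagnose(claims, name)}")
```

Run it against the payload of a token from your own realm to confirm which claim names are actually present before changing the mapper or the XWiki configuration.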