From 1e01d7cddba4f40955334c4b74a42b43a3d2e12e Mon Sep 17 00:00:00 2001 From: Philipp Date: Tue, 28 Jan 2025 20:41:21 +0100 Subject: [PATCH] docs: How to sync groups --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index d580f5b..120331d 100644 --- a/README.md +++ b/README.md @@ -17,6 +17,12 @@ Change the Postgres and Keycloak version in your `.env` file and run `docker com The Keycloak configuration is not quite straight forward, which is why the following section contains some configuration examples. It is recommended to create a custom realm first instead of simply using the master realm. +## Map groups to OIDC claims + +To handle authorization centrally, groups can be created and assigned directly in Keycloak. Those groups are not sent to the OIDC client by default. To enable such functionality, create a new client scope named `groups`. For this scope, add a new mapper ('By Configuration') and select 'Group Membership'. Give it a descriptive name and set the token claim name to `groups`. + +For each client that relies on those group, explicitly add the `groups` scope to client scopes. The groups will now be sent to client upon request. + ### Enforcing 2FA In the realm management console under `Authentication > Required Actions` certain actions can be enabled and set to be the default action. Useful defaults might be to enforce `Configure OTP`, `Update Password`, `Update Profile` and `Verify Email`.
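Review bot: The new section is added as a second-level heading (`## Map groups to OIDC claims`) while the surrounding configuration examples, including the `### Enforcing 2FA` section that follows it, are third-level headings under the Keycloak configuration section; it should be `### Map groups to OIDC claims` so it reads as one more configuration example rather than a new top-level topic. Two wording fixes in the same paragraph: "For each client that relies on those group" should read "those groups", and "sent to client upon request" should read "sent to the client". The phrase "upon request" is also ambiguous: when the `groups` scope is attached to a client it can be assigned as a default scope (always included in the tokens) or as an optional scope (only included when the client asks for it in the `scope` parameter); the docs should say which of the two is intended, since a client that never requests `groups` explicitly will see no claim with the optional assignment. Finally, the Group Membership mapper's "Full group path" setting affects the claim values (`/admins` versus `admins`); a one-line note on which setting the downstream clients expect would save readers a round of debugging.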