I have been using the Token Mappers within a Client to map a set of Keycloak Group Memberships into an attribute in the Token, so the client application can grant appropriate access based on this. The groups are coming through as an array in the token, which works nicely.
I wanted to switch to using a "User Realm Role" mapper instead of "Group Memberships" because I can then set up automatic realm roles based on the identity source, which I can't
do with Groups.
My problem is, when I create a new User Realm Role mapper in the Client definition, the only types I can specify for the field are String, long, int or boolean. If I choose String, the list of roles comes through as a comma-separated String rather than an array in the JSON object. I'd rather not update all my clients to parse this - is there any way of getting keycloak to return the roles as an array rather than a string? Is this against the spec, or is there some other limitation I am not aware of that prevents this?
An email response from Marek is below on this:
I can see that AbstractUserRoleMappingMapper.setClaim is currently using Set<String> (not List<String>) and doesn't have any support for multivalued though, so yes, currently the UserRealmRoleMappingMapper always returns string with the roles divided by comma. You can create JIRA for this with steps to reproduce. It seems we will need to add flag like "Multivalued" to the protocolMapper configuration as some other users may rely on the old behaviour.