Bug
Resolution: Done
Before reporting an issue
[X] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
organizations
Describe the bug
First, I do have "organization:*" in my scope.
I use an OAuth2 client (remix-auth-oauth2) to authenticate like this :
```
let strategy = new OAuth2Strategy(
  {
    clientId: OAUTH_CLIENT_ID,
    clientSecret: OAUTH_CLIENT_SECRET,
    authorizationEndpoint: OAUTH_AUTH_ENDPOINT,
    tokenEndpoint: OAUTH_TOKEN_ENDPOINT,
    redirectURI: `http://localhost:5173${paths.callbacks.login}`,
    tokenRevocationEndpoint: OAUTH_REVOCATION_ENDPOINT,
    scopes: ["openid", "organization:*"],
  },
  async ({ tokens, request }) => {
    // here you can use the params above to get the user and return it
    // what you do inside this and how you find the user is up to you
    return await getUser(tokens, request);
  }
);
```
I tried to change the client, same behavior. The organization claim is inconsistently included in the JWT token returned by Keycloak, even when using the same scope parameters. This behavior is intermittent and does not follow a predictable pattern.

Most of the time:
```
{
  exp: 1732640581,
  iat: 1732640281,
  auth_time: 1732640281,
  jti: 'something',
  iss: 'http://localhost:8080/realms/test2',
  aud: 'account',
  sub: 'something',
  typ: 'Bearer',
  azp: 'something',
  sid: 'something',
  acr: '1',
  'allowed-origins': [ 'http://localhost:5173' ],
  realm_access: {
    roles: [ 'offline_access', 'default-roles-test2', 'uma_authorization' ]
  },
  resource_access: { account: { roles: [Array] } },
  scope: 'openid organization:* email profile organization',
  email_verified: true,
  organization: {
    test2: { id: 'something' },
    test3: ,
    test:
  },
  name: 'First Last',
  preferred_username: 'test',
  given_name: 'First',
  family_name: 'Last',
  email: 'test@example.com'
}
```
Sometimes:
```
{
  exp: 1732640594,
  iat: 1732640294,
  auth_time: 1732640294,
  jti: 'something',
  iss: 'http://localhost:8080/realms/test2',
  aud: 'account',
  sub: 'something',
  typ: 'Bearer',
  azp: 'nest-app',
  sid: 'something',
  acr: '1',
  'allowed-origins': [ 'http://localhost:5173' ],
  realm_access: {
    roles: [ 'offline_access', 'default-roles-test2', 'uma_authorization' ]
  },
  resource_access: { account:
  },
  scope: 'openid email profile organization organization:*',
  email_verified: true,
  name: 'First Last',
  preferred_username: 'test',
  given_name: 'First',
  family_name: 'Last',
  email: 'test@example.com'
}
```
It appears really randomly, like one time out of 20.
The only thing that seems to be different is the order in the scope:
- For working requests: 'openid organization:* email profile organization'
- For non-working requests: 'openid email profile organization organization:*'
Thanks a lot for your help!
Version
26.0.0
Regression
[ ] The issue is a regression
Expected behavior
The organization claim should consistently appear in the JWT token if the request and configuration are unchanged and the scope is correct.
Actual behavior
The organization claim appears intermittently in the response token, even when the request and Keycloak configuration remain the same.
How to Reproduce?
see above
Anything else?
No response
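An added check for the application side, not the reporter's code and not part of remix-auth-oauth2 or Keycloak: a Node.js helper that decodes the access token, reports whether the organization claim is present and whether the echoed scope order matches the working case, and fails closed in the callback when the claim is missing. The sample tokens, ids and helper names are constructed for the example.

```javascript
// Decode the payload segment of a compact JWT (base64url-encoded JSON).
// Diagnostic only: no signature check, so run it on tokens the OAuth2
// library has already verified, never on untrusted input.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Report the two things the issue is about: whether Keycloak issued the
// `organization` claim, and the order in which it echoed the scopes back.
function inspectOrganizationClaim(payload) {
  const scopes = typeof payload.scope === "string" ? payload.scope.split(" ") : [];
  const org = payload.organization;
  const organizations = org && typeof org === "object" ? Object.keys(org) : [];
  const wildcard = scopes.indexOf("organization:*");
  return {
    hasOrganizationClaim: organizations.length > 0,
    organizations,
    scopes,
    // true when 'organization:*' precedes 'organization' in the echoed
    // scope, the order the reporter saw on the working tokens
    wildcardBeforeOrganization: wildcard !== -1 && wildcard < scopes.indexOf("organization"),
  };
}

// Fail closed in the OAuth2 callback: when the claim the app relies on is
// missing, refuse the login instead of treating the user as a member of no
// organization. The error message keeps the scope order for the logs.
function requireOrganizationClaim(token) {
  const report = inspectOrganizationClaim(decodeJwtPayload(token));
  if (!report.hasOrganizationClaim) {
    throw new Error(`organization claim missing; scope order: ${report.scopes.join(" ")}`);
  }
  return report;
}

// Constructed, unsigned sample tokens modelled on the two dumps in the issue
// (hypothetical ids; a real token would carry a signature segment).
function makeSampleToken(payload) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${b64({ alg: "none", typ: "JWT" })}.${b64(payload)}.`;
}
const WORKING_TOKEN = makeSampleToken({
  scope: "openid organization:* email profile organization",
  organization: { test2: { id: "id-1" }, test3: { id: "id-2" } },
});
const BROKEN_TOKEN = makeSampleToken({
  scope: "openid email profile organization organization:*",
});
```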