I'm using rust openid to authenticate against a Keycloak instance.
I would like to use client roles that should be represented in the access token.
The roles are mapped correctly, and the access token generated by Keycloak contains the roles.
So far I have been unable to extract those roles from the token.
Neither the default claims nor UserInfo can be used to extract such additional roles information or other custom claims.
Of course I could decrypt the RSA access token manually and extract the information, although I'm not 100% sure on how to do this, but I'm pretty sure there has to be an easier way than this, right?
I think Keycloak is providing roles only when your request contains roles as part of your scopes. Try to use something like "openid email profile roles" as scope.
I might be very wrong, but IIRC there are options in Keycloak to provide some scopes in identity tokens; in that case they won't be provided in access tokens.
Do you have an example in another language which works? It might be that Keycloak needs configuring, in which case the question might be more suitable for the Keycloak chat.
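An added example, not part of the original thread and not code from the openid crate or from Keycloak: a Keycloak access token is normally a signed JWT whose payload is base64url-encoded JSON, so the client roles can be read from the decoded claims once the token has been validated. It is written in Python so that it runs on the standard library alone. It assumes Keycloak's default claim layout (`resource_access.<client_id>.roles`), and the client id `my-app`, the issuer URL and the role names are constructed sample values.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_claims(access_token: str) -> dict:
    """Return the payload of a compact JWS (header.payload.signature).

    No signature check happens here: use the result for authorization only
    after the signature, issuer and audience have been validated.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def client_roles(claims: dict, client_id: str) -> list:
    # Assumed layout (Keycloak default mapper): resource_access.<client_id>.roles
    access = claims.get("resource_access")
    entry = access.get(client_id) if isinstance(access, dict) else None
    roles = entry.get("roles") if isinstance(entry, dict) else None
    return [r for r in roles if isinstance(r, str)] if isinstance(roles, list) else []

def realm_roles(claims: dict) -> list:
    # Realm-level roles sit in a separate claim: realm_access.roles
    realm = claims.get("realm_access")
    roles = realm.get("roles") if isinstance(realm, dict) else None
    return [r for r in roles if isinstance(r, str)] if isinstance(roles, list) else []

# Constructed sample token: hypothetical client "my-app", placeholder signature.
SAMPLE_CLAIMS = {
    "iss": "https://keycloak.example/realms/demo",
    "realm_access": {"roles": ["offline_access"]},
    "resource_access": {"my-app": {"roles": ["editor", "viewer"]}},
}
SAMPLE_TOKEN = ".".join([
    b64url_encode(b'{"alg":"RS256","typ":"JWT"}'),
    b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    b64url_encode(b"constructed-not-a-real-signature"),
])
```

A client id that is absent from `resource_access` yields an empty list rather than an error, so a missing mapper shows up as "no roles" instead of a crash.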