Token generated don't have realm_access claim

[masalinas]

My Keycloak 20.0.0 container start correctly from my export realm, I added a user manually. I login witht his user and get a token, but when use this token to test an endpoint authorized by role, spring security parse the token inside and obtain an error because don't exist the claim realm_access.

If I login to my original keycloak this claim exist inside the token issued, but he container with keycloak generated by your library not. Exist some configuration to add to obtain a token with this claim inside?

This is the token generated by your keycloak cotainer generated in test mode:

  "exp": 1670881412,
  "iat": 1670881112,
  "jti": "f91f4a99-f795-45cc-949e-d45f680b7dab",
  "iss": "http://localhost:49217/realms/productland",
  "aud": "account",
  "sub": "cfb013e6-3fea-4b6e-82b2-9db8c45c3b64",
  "typ": "Bearer",
  "azp": "productland-portal",
  "session_state": "bd504613-aeae-4d7d-944f-e2d247c288d5",
  "acr": "1",
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "MANAGER",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "profile email",
  "sid": "bd504613-aeae-4d7d-944f-e2d247c288d5",
  "email_verified": false,
  "name": "Manager ProductLand",
  "preferred_username": "manager",
  "given_name": "Manager",
  "family_name": "ProductLand",
  "email": "[email protected]"
}

This is the token genereted by my original keycloak. You will see this claim realm_access inside with my role MANAGER

{
  "exp": 1670880290,
  "iat": 1670879990,
  "jti": "b7206deb-1a3c-479b-ac25-0cd460ff0089",
  "iss": "http://localhost:8080/realms/productland",
  "aud": "account",
  "sub": "e16e43ef-b116-49ca-b22e-62f7322d4354",
  "typ": "Bearer",
  "azp": "productland-portal",
  "session_state": "9ee70ef2-8912-4af7-83e5-e69901e328be",
  "acr": "1",
  "realm_access": {
    "roles": [
      "default-roles-productland",
      "offline_access",
      "MANAGER",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "profile email",
  "sid": "9ee70ef2-8912-4af7-83e5-e69901e328be",
  "email_verified": false,
  "name": "Manager ProductLand",
  "preferred_username": "manager",
  "given_name": "Manager",
  "family_name": "ProductLand",
  "email": "[email protected]"
}

[dasniko]

There's most probably a difference in the configuration of your "original" Keycloak and the realm export you are importing on startup in the testcontainer. Most likely it's the scope configuration of the used client, as the scope config is responsible which roles are mapped into the token, but it may be that it's another setting in your Keycloak environment.

The container used by this testcontainer extension does not differ from the original Keycloak container, as it is the same. The code contained in this library is just for managing and being able to configure the container. So, the code of this library does not do generate different configuration, as the configuration is coming directly from your imported realm file.

[masalinas]

Finally I resolved my problem, updating the data of my users inside the file imported by testcontainer like this:

{
      "username": "premium",
      "email": "[email protected]",
      "firstName": "Premium",
      "lastName": "ProductLand",
      "enabled": true,
      "credentials": [
        {
          "type": "password",
          "value": "password"
        }
      ],
      "realmRoles": [
      	"PREMIUM"
      ],
      "clientRoles": {
        "account": [
          "view-profile",
          "manage-account"
        ]
      }
    }

As you say, the problem come from the keycloak export file used. I added the realmRoles attribute to all users, because this atribute is used by the security validator like

@PreAuthorize("hasAnyRole('MANAGER', 'PREMIUM', 'REVIEWER', 'USER')")

and not the clientRoles, so adding these roles inside the keycloak json export everythin my test now works ok

Regards