Dev Tools · 5h ago
Fix Keycloak roles in Spring Security with custom JWT converter
Spring Security's default JWT converter ignores Keycloak's role structure, causing @PreAuthorize checks to fail silently. Keycloak stores roles in realm_access.roles and resource_access claims, not the scope claim Spring expects. Developers must write a custom converter to map these roles to GrantedAuthority objects.
Meridian48 take
This is a common integration pitfall that the ecosystem should address with better defaults or documentation.
Read the full reporting
Your Keycloak roles aren't working in Spring Security. Here's the actual reason. →
DEV Community
keycloakspring-security