Hi everyone,
we are trying to set up our Liberty as an OpenID Connect Client, roughly following this example http://www.ibm.com/developerworks/websphere/library/techarticles/1502_odonnell/1502_odonnell.html and the documentation here: https://www.ibm.com/support/knowledgecenter/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_openidConnectClient.html
The OpenID Connect Provider we are using is Keycloak. We successfully got authentication with token introspection working. What we are struggling with right now is the use of the group identifier. In the tokens issued by Keycloak, the users' groups are in the following structure:
"realm_access": { "roles": [ "xxx","yyy" ] }
The groupIdentifier in the server.xml would therefore need to be something like realm_access.roles or similar. So far we tried realm_access.roles, realm_access[roles], realm_access, roles, .realm_access.roles - nothing worked!
Our question therefore is: How do we correctly specify a nested claim / sub-claim / nested JSON identifier as the group identifier in our OpenID Connect client's configuration within server.xml?
Thanks in advance for your help!
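As an added illustration (not part of the question and not Liberty's own code), the following Python script builds a constructed token payload in the Keycloak shape shown above, decodes it the way a JWT segment is decoded, and resolves a dotted claim path against it. It makes the underlying problem concrete: a flat identifier such as `roles` or `realm_access` never yields the group list, while walking `realm_access.roles` does. Whether Liberty's groupIdentifier accepts such a dotted path is exactly what the question asks and is not assumed here; the dotted-path resolver is the example's own.

```python
import base64
import json

# Constructed sample: a JWT-style payload in the Keycloak shape the question
# shows, with realm roles nested under realm_access.roles (not a real token).
SAMPLE_PAYLOAD = {
    "sub": "user-123",
    "preferred_username": "alice",
    "realm_access": {"roles": ["xxx", "yyy"]},
}

def b64url_json(obj: dict) -> str:
    """Encode a dict as an unpadded base64url JSON segment, as JWTs do."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_segment(segment: str) -> dict:
    """Decode one unpadded base64url JWT segment back into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def resolve_claim(claims: dict, path: str):
    """Walk a dotted path such as 'realm_access.roles' through nested JSON.
    Returns None if any step is missing or the current node is not an object."""
    node = claims
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def groups_from_claim(claims: dict, group_identifier: str) -> list:
    """Normalise the resolved claim to a list of group names: a list is
    returned as-is, a single string becomes a one-item list, and anything
    else (missing key, or an object like realm_access itself) yields no groups."""
    value = resolve_claim(claims, group_identifier)
    if isinstance(value, list):
        return [str(v) for v in value]
    if isinstance(value, str):
        return [value]
    return []

if __name__ == "__main__":
    payload = decode_segment(b64url_json(SAMPLE_PAYLOAD))
    for ident in ("roles", "realm_access", "realm_access.roles"):
        print(f"{ident!r:22} -> {groups_from_claim(payload, ident)}")
```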