Filtering on claims with array like Require claim realm_access.roles:XXX drives me to an issue #1307
Replies: 3 comments
-
related to "add to user info" about realms in Keycloak config.
-
please provide the logs
-
In fact I understand now that user information is taken from the userinfo API and not from the token.
-
Hi,
in version 2.4.16.7,
I'm trying to make a "simple" filter using:
Require claim realm_access.roles:XXX
And I can't make it work.
I tried with a simple string and it works.
{
  ...
  "realm_access": {
    "roles": [
      "ROLE_A",
      "ROLE_B",
      ...
    ]
  },
  "name": "Jason",
  ...
}
I enabled:
LogLevel auth_openidc:debug
And found that in my encrypted token in the logs, I have realm_access.roles values, but as soon as it is readable in the log, realm_access and apparently any array is removed. Only plain values seem to remain, explaining why it is working.
I tried to play with
OIDCRequestObject "{ "copy_from_request": [ "claims", "realm_access", "roles" } ]"
OIDCWhiteListedClaims preferred_username realm_access
and blacklist, but no success.
In the log for example, all values are here but arrays like roles.
oidc_util_json_merge: result dst={"sub":....}
Can you drive me to a solution, please?
It seems that it is working: in the documentation + on some posts here on very very similar things.
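Added example, not part of the thread and not mod_auth_openidc code: a small diagnostic for the symptom in the post, following the reply that the claims come from the userinfo response rather than the token. The dotted-path matcher is a simplified model of a `name:value` claim check, and the token and userinfo data are constructed.

```python
import base64
import json

def jwt_payload(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    part = token.split(".")[1]
    part += "=" * (-len(part) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(part))

def resolve(claims, dotted):
    """Walk a dotted path such as realm_access.roles; None if any step is missing."""
    node = claims
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def claim_matches(claims, spec):
    """Simplified model of 'name:value': scalar equality or array membership."""
    path, _, wanted = spec.partition(":")
    value = resolve(claims, path)
    if isinstance(value, list):
        return wanted in [str(v) for v in value]
    return value is not None and str(value) == wanted

def compare_sources(id_token, userinfo, spec):
    """Report, per claim source, whether the spec would match."""
    return {"id_token": claim_matches(jwt_payload(id_token), spec),
            "userinfo": claim_matches(userinfo, spec)}

def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample data (not taken from the thread's logs).
SAMPLE_ID_TOKEN = ".".join([
    _b64({"alg": "none"}),
    _b64({"sub": "constructed-sub", "name": "Jason",
          "realm_access": {"roles": ["ROLE_A", "ROLE_B"]}}),
    "constructed-signature",
])
SAMPLE_USERINFO = {"sub": "constructed-sub", "name": "Jason"}  # no realm_access

if __name__ == "__main__":
    for spec in ("name:Jason", "realm_access.roles:ROLE_A"):
        print(spec, compare_sources(SAMPLE_ID_TOKEN, SAMPLE_USERINFO, spec))
```

A role that matches in the token but not in the userinfo response points at the identity provider's userinfo mapping for that claim, not at the `Require claim` line.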