Roles-claim from userinfo enpoint

I’m trying to get the usergroup from the userinfo endpoint with openid auth.
But unfourtantely it does not work . I can see this in the log: “No roles claim with name entitlement_group found”
When calling the userinfo-endpoint with Postman I can retrieve all needed information.
Am I missing something in my config, any help is appreciated.

My application.yml:

 title: MyApp
 landing-page: /
 heartbeat-rate: 10000
 heartbeat-timeout: 60000
 port: 6688
 authentication: openid
   auth-url: https://my-url/as/authorization.oauth2
   token-url: https://my-url/as/token.oauth2
   jwks-url: https://my-url/pf/JWKS
   userinfo-url: https://my-url/idp/userinfo.openid
   client-id: hidden
   client-secret: hidden
   scopes: ["openid", "entitlement_group", "offline_access"]
   roles-claim: entitlement_group

          auth: DEBUG


What framework do you use to do OpenID ?
For example i’m using Keycloak, and i’m able to get user group.
For that you have to go to client scopes > client-dedicated > add mapper by configuration > choose group Membership > give name “entitlement_group” and Token Claim Name “entitlement_group”

That’s it, hope this help

Hey @adanba,
thanks for your answer.
I already checked the userinfo-endpoint by calling it via Postman and the mentioned claim is already part in the answer.
So my desired claim “entitlement_group” is not available via the ID Token but only retrieveable at the userinfo endpoint.
Thanks for your support


I ran into the same problem, and I think I found the code responsible: It looks like the containerproxy code only looks at the OIDC ID Token when it searches for the roles claim.

I reported this on the GitHub as issue openanalytics/containerproxy#85.

1 Like

Hi, thank you all for reporting this issue! I just implemented this and it will be included in the next release, which will be available soon.

1 Like