Authorization by role on JWT


I did an integration with Keycloak (with Tyk CE) and it's working fine, but now I wanna do authorization by role.

My OpenID options on the API are:

"openid_options": {
  "providers": [
    {
      "issuer": "******************************",
      "client_ids": {
        "YXBwMQ==": "123456789"
      }
    }
  ],
  "segregate_by_client": false
}

Part of the token with roles:

"realm_access": {
  "roles": [

Is it possible? How can I do it?

Marcos Oleiro

Can anyone help me with this?!

Hi @Marcos-Oleiro, we’re currently looking at this for you - we will get back to you as soon as we can!


So, no news about it?

Hi @Marcos-Oleiro

I think this is what you are looking for.

The thing is, you might need to change your Keycloak settings to output the roles as a space-separated string, rather than returning them in an array format.

"realm_access": {
  "roles": [

Can you change this to:

"roles": "usuario otherrole anotherrole"

Hello @ahmet,

Thanks for the answer! I'm trying this atm. Is it possible to do this configuration on Keycloak? I'll search for it; I was trying dot notation, like realm_access.roles.

"jwt_scope_to_policy_mapping": {
  "adm": "987654321"
},
"jwt_scope_claim_name": "realm_access.roles",

I've had a play, and I managed to convert it to an array:

 "custom_roles": [

Using a user realm role mapper. But I can't work out yet how to convert it from an array to a space-separated string.

I think we need it to be like scopes.

 "custom_roles": "offline_access foo uma_authorization"

Got it, I will look around and if I find something useful I'll put it here; can you do the same if you find something? Thanks!

Of course

Also, by turning off the multivalued switch, I can get:

"custom_roles": "[offline_access, foo, uma_authorization]",
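The three claim shapes that appear in this thread (the Keycloak array under realm_access.roles, the space-separated string the scope mapping wants, and the "[a, b, c]" string from a non-multivalued mapper) can all be normalised before they are matched against a scope-to-policy mapping. The following Go program is an added illustration of that matching logic, not Tyk's own JWT middleware: the payloads are constructed samples, the dotted-path lookup and the mapping table (jwt_scope_to_policy_mapping-style, with placeholder policy IDs) are assumptions, and a missing claim is reported as an error rather than treated as "no roles".

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample JWT payloads (claims only, no header or signature) showing
// the three shapes of the role claim that come up in this thread.
const (
	arrayClaim     = `{"realm_access":{"roles":["offline_access","usuario","uma_authorization"]}}`
	spaceClaim     = `{"custom_roles":"offline_access usuario uma_authorization"}`
	bracketedClaim = `{"custom_roles":"[offline_access, usuario, uma_authorization]"}`
)

// scopeToPolicy plays the part of jwt_scope_to_policy_mapping: role name -> policy ID.
// The policy IDs are placeholders for this example, not real Tyk policy IDs.
var scopeToPolicy = map[string]string{
	"usuario": "987654321",
	"adm":     "123456789",
}

// lookupClaim walks a dotted path such as "realm_access.roles" through the decoded payload.
func lookupClaim(payload map[string]interface{}, path string) (interface{}, bool) {
	var cur interface{} = payload
	for _, key := range strings.Split(path, ".") {
		obj, ok := cur.(map[string]interface{})
		if !ok {
			return nil, false
		}
		if cur, ok = obj[key]; !ok {
			return nil, false
		}
	}
	return cur, true
}

// normalizeRoles accepts a JSON array, a space-separated string, or the
// "[a, b, c]" string produced when the mapper is not multivalued, and returns
// a de-duplicated list of role names.
func normalizeRoles(v interface{}) []string {
	var raw []string
	switch t := v.(type) {
	case []interface{}:
		for _, e := range t {
			if s, ok := e.(string); ok {
				raw = append(raw, s)
			}
		}
	case string:
		s := strings.TrimSuffix(strings.TrimPrefix(strings.TrimSpace(t), "["), "]")
		raw = strings.FieldsFunc(s, func(r rune) bool { return r == ' ' || r == ',' })
	}
	seen := make(map[string]bool)
	out := make([]string, 0, len(raw))
	for _, r := range raw {
		r = strings.TrimSpace(r)
		if r != "" && !seen[r] {
			seen[r] = true
			out = append(out, r)
		}
	}
	return out
}

// rolesToPolicies decodes the payload, reads the claim at claimPath and returns
// the policy IDs the roles map to. Roles without a mapping are ignored; a missing
// claim is an error so that a misconfigured claim path is noticed instead of
// silently granting nothing.
func rolesToPolicies(claimJSON, claimPath string, mapping map[string]string) ([]string, error) {
	var payload map[string]interface{}
	if err := json.Unmarshal([]byte(claimJSON), &payload); err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	v, ok := lookupClaim(payload, claimPath)
	if !ok {
		return nil, fmt.Errorf("claim %q not present in token", claimPath)
	}
	var policies []string
	for _, role := range normalizeRoles(v) {
		if id, ok := mapping[role]; ok {
			policies = append(policies, id)
		}
	}
	return policies, nil
}

func main() {
	for _, c := range []struct{ payload, path string }{
		{arrayClaim, "realm_access.roles"},
		{spaceClaim, "custom_roles"},
		{bracketedClaim, "custom_roles"},
		{spaceClaim, "realm_access.roles"}, // wrong claim path: reported, not silently empty
	} {
		p, err := rolesToPolicies(c.payload, c.path, scopeToPolicy)
		fmt.Printf("%-20s -> policies=%v err=%v\n", c.path, p, err)
	}
}
```

The point of normalising on the gateway side is that whichever shape Keycloak ends up emitting, the role-to-policy decision is made against a clean list, and an unexpected claim path fails loudly rather than quietly stripping every policy.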

If this fails for you, you can always take the claim, inject it into a header, then create a post-authentication plugin which validates the claim and performs your authorization logic inside the plugin.

Here is an example integrating Open Policy Agent and using that for authorization: tyk-go-plugins/authorize_opa at master · asoorm/tyk-go-plugins · GitHub
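As an added sketch of the header-plus-plugin route described above (not code from the linked repository or from Tyk), the program below reads the injected role claim from a header, matches the request path against a small role table and denies with 403 when the required role is absent. The header name X-User-Roles, the path-to-role table and the assumption that writing a response from the handler short-circuits the request at the gateway are all assumptions made for this example; the handler signature is the plain net/http one that Tyk Go plugins export.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed name of the header the gateway injects the role claim into before this plugin runs.
const rolesHeader = "X-User-Roles"

// requiredRoles maps a path prefix to the single role it requires (constructed for the example).
// Anything not listed is denied: default-deny is the safer failure mode for an authorization hook.
var requiredRoles = map[string]string{
	"/admin": "adm",
	"/app":   "usuario",
}

// parseRoles tolerates the claim arriving either as "a b c" or as "[a, b, c]".
func parseRoles(header string) map[string]bool {
	trimmed := strings.Trim(strings.TrimSpace(header), "[]")
	roles := make(map[string]bool)
	for _, r := range strings.FieldsFunc(trimmed, func(c rune) bool { return c == ' ' || c == ',' }) {
		roles[r] = true
	}
	return roles
}

// requiredRoleFor returns the role for the longest matching prefix, matching on path
// segment boundaries so that "/admin" does not also cover "/administration".
func requiredRoleFor(path string) (string, bool) {
	best, role := "", ""
	for prefix, r := range requiredRoles {
		if (path == prefix || strings.HasPrefix(path, prefix+"/")) && len(prefix) > len(best) {
			best, role = prefix, r
		}
	}
	return role, best != ""
}

// isAuthorized is the actual decision: a mapped path plus the required role present.
func isAuthorized(path string, roles map[string]bool) bool {
	required, ok := requiredRoleFor(path)
	return ok && roles[required]
}

// AuthorizeByRole has the handler signature Tyk Go plugins export. It is assumed here
// that writing a response from the plugin stops the request from reaching the upstream.
func AuthorizeByRole(rw http.ResponseWriter, r *http.Request) {
	if !isAuthorized(r.URL.Path, parseRoles(r.Header.Get(rolesHeader))) {
		http.Error(rw, "forbidden: required role not present", http.StatusForbidden)
		return
	}
	// Authorized: write nothing and let the gateway forward the request.
}

func main() {
	// Exercise the hook offline with recorded requests (constructed inputs).
	for _, tc := range []struct{ path, roles string }{
		{"/admin/users", "usuario"},
		{"/admin/users", "[usuario, adm]"},
		{"/app/home", "usuario"},
		{"/administration", "adm"},
	} {
		rec := httptest.NewRecorder()
		req := httptest.NewRequest(http.MethodGet, tc.path, nil)
		req.Header.Set(rolesHeader, tc.roles)
		AuthorizeByRole(rec, req)
		fmt.Printf("%-16s roles=%-18q -> %d\n", tc.path, tc.roles, rec.Code)
	}
}
```

Because the plugin only sees a header, it must run after the JWT middleware has verified the token's signature; otherwise a client could supply the header itself. Keeping the decision in a pure function (isAuthorized) also makes the role table easy to unit-test without the gateway.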