Keycloak and new organization feature with multi membership on a user ( v26 ) - Stack Overflow


I've been testing the organization feature with multiple organizations for a single user. However, when there are two organizations assigned to a user, the claims disappear from the access token. But if I assign only one organization to the user then the claims 'organization' appear correctly. Is there a current limitation of the feature?

Else do you have any ideas on how to generate a dedicated access token for a specific organization?


asked Nov 18, 2024 at 19:06 by Sébastien
  • Can you share "the claims disappear" situation with two organizations example? – Bench Vue Commented Nov 18, 2024 at 19:10
  • Did you find a solution to this? – Ibrahim Commented Nov 27, 2024 at 17:54
  • Check solution in: github/keycloak/keycloak/discussions/35581 – Kelvin Santiago Commented Dec 5, 2024 at 4:29

2 Answers

I managed to get this working on Keycloak 26.1.4 by adding a mapper to the organization:* client scope.

I created a client scope called organization:*

Client Scope Fields

I then configured a new mapper for organization:* and chose Organization Membership for the mapping:

Client Scope Mapping Fields

I then added the organization client scope as an optional type to my client, and organization:* as a default type.

Once I did this, the Organization claim appears in my access token, and multiple organizations display if my users belong to multiple organizations.

You need to create a new claim with the name organization:* and turn on Include in token scope.

Assign this client scope to your client and set it as the default. Also, set the organization client scope as optional in your client.

It's working for Keycloak 26.0.8, but right now the latest version (26.1.3) is not working as expected as far as I can see.
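An added example (not from the question, the answers or Keycloak itself): a check that a resource server or a test script can run on a decoded access token to confirm that the organization claim is present and covers the expected organization, failing closed when the claim is missing as described in the question. The claim shapes handled (a list of aliases or an object keyed by alias), the aliases and the sample tokens are assumptions constructed for illustration; signature validation is assumed to happen before this check.

```python
import base64
import json


def decode_payload(jwt: str) -> dict:
    """Decode the payload segment of a compact JWT WITHOUT verifying it (inspection only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def organizations(claims: dict) -> set:
    """Return the organization aliases in the claim; empty set if the claim is absent."""
    value = claims.get("organization")
    if value is None:
        return set()
    if isinstance(value, str):
        return {value}
    if isinstance(value, (list, dict)):  # assumed shapes: list of aliases or alias-keyed object
        return {str(alias) for alias in value}
    raise ValueError("unexpected organization claim type")


def allowed_for(claims: dict, required_org: str) -> bool:
    """Fail closed: a token without the claim grants access to no organization."""
    return required_org in organizations(claims)


def make_sample(payload: dict) -> str:
    """Build a constructed, unsigned sample token for the demo."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}.sig"


# Constructed payloads: one organization, two organizations, and the missing-claim case.
ONE = make_sample({"sub": "u1", "organization": ["acme"]})
TWO = make_sample({"sub": "u1", "organization": {"acme": {}, "globex": {}}})
MISSING = make_sample({"sub": "u1", "scope": "openid profile"})

if __name__ == "__main__":
    for name, tok in (("one", ONE), ("two", TWO), ("missing", MISSING)):
        claims = decode_payload(tok)
        print(name, sorted(organizations(claims)), allowed_for(claims, "globex"))
```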
