Issues with transferring Keycloak Groups to Opal

[IvoLeist]

Hello Opal Team,

its me once again,

since Posgres and Keycloak is now working we want to investigate further if we want
to use Opal for the web application I am building right now.

Thank you for being so helpful and responsive so far :)

An additional requirement for us is to have the groups defined in Keycloak in Opal

I followed the tutorial on http://opaldoc.obiba.org/en/latest/web-user-guide/administration/identity-providers.html
and added a Groups Mapper in Keycloak:

"protocolMappers": [
        {
          "id": "b0c5a2c5-67ad-4fd5-bbe7-daafce105011",
          "name": "Group-membership-mapper",
          "protocol": "openid-connect",
          "protocolMapper": "oidc-group-membership-mapper",
          "consentRequired": false,
          "config": {
            "full.path": "true",
            "id.token.claim": "true",
            "access.token.claim": "true",
            "claim.name": "groups",
            "userinfo.token.claim": "true"
          }
        }
],

Testing it with:

  curl -d 'client_id=opal' -d 'username=test' -d 'password=test' -d 'grant_type=password' -d 'client_secret=<secret*>' 'http://localhost:8080/auth/realms/opal/protocol/openid-connect/token' | jq '.access_token' | xargs jwt --decode | jq

I could confirm that it works.

However, in Opal the group remains empty for my test user?

[IvoLeist]

Ok I figure it out

If someone stumbles about that issue:
close Opal and docker-compose restart opal
(see my fork for a working example)

Since this does not seem to be a docker issue but a general problem (obiba/opal#3531)
Is there any workaround which does not require a opal restart?