
Unable to authorize role from keycloak token #997


Ludogo opened this issue Apr 16, 2025 · 1 comment

Ludogo commented Apr 16, 2025

**krakend: docker image 2.9**

Describe what you are trying to do:
I am trying to authorize some routes based on roles contained in the JWT token.

Your configuration file:

{
  "$schema": "https://www.krakend.io/schema/krakend.json",
  "version": 3,
  "name": "xxxx - API Gateway",
  "timeout": "10000ms",
  "cache_ttl": "300s",
  "output_encoding": "json",
  "port": 8080,

  "extra_config": {
    "telemetry/logging": {
      "level": "INFO",
      "stdout": true
    },
    "router": {
      "return_error_msg": true
    }
  },
  "endpoints": [
    {
      "endpoint": "/v1/arche/palette/{sscc}/info",
      "extra_config": {
        "auth/validator": {
          "alg": "RS256",
          "jwk_url": "http://keycloak:7080/realms/master/protocol/openid-connect/certs",
          "disable_jwk_security": true,          
          "operation_debug": true,
          "roles_key": "resource_access.wattfront-dev.roles",
          "roles": [
            "admin"
          ]
        }
      },
      "method": "GET",
      "output_encoding": "json",
      "backend": [
        {
          "url_pattern": "api/info/Get?sscc1={sscc}",
          "encoding": "json",
          "sd": "static",
          "method": "GET",
          "host": [
            "http://xxx.xxx.xxx.xx.fr"
          ],
          "disable_host_sanitize": false
        }
      ]
    }
  ]
}

Configuration check output:

Global settings
	Name: xxxx - API Gateway
	Version: 3
	Address: 
	Port: 8080
2 global component configuration(s):
- router
- telemetry/logging
1 API endpoint(s):
	- GET /v1/arche/palette/:sscc/info
	Timeout: 10s
	1 endpoint component configuration(s):
	- auth/validator
	Connecting to 1 backend(s):
		[+] GET /api/info/Get?sscc1={{.Sscc}}
		Timeout: 10s
		Hosts: [http://xxx.xx.xx.xx.fr]

0 async agent(s):
Syntax OK!

Commands used:
docker compose

gateway:
        image: 'devopsfaith/krakend:2.9'
        ports:
            - "8080:8080"      
        volumes:
            - ./:/etc/krakend/
        command: ["run", "-c", "/etc/krakend/krakend.json","-d"]
        networks:
            - keycloak_network

Logs:
gateway-1 | 2025/04/16 - 19:03:20.221 ▶ ERROR [ENDPOINT: /v1/arche/palette/:sscc/info][JWTValidator] Token sent by client does not have sufficient roles
gateway-1 | [GIN] 2025/04/16 - 19:03:20 | 403 | 45.442713ms | 172.23.0.1 | GET "/v1/arche/palette/poutipa/info"

**Token Info:**

{
  "exp": 1744830451,
  "iat": 1744830391,
  "jti": "f23a719c-3f03-41a7-8c90-42e13003455b",
  "iss": "http://localhost:7080/realms/master",
  "aud": "account",
  "sub": "cfb01609-c694-4dfe-aa1e-b6c8f6f28a6a",
  "typ": "Bearer",
  "azp": "wattfront-dev",
  "sid": "d1408c61-02de-45d1-84a0-5e84bb3434f0",
  "acr": "1",
  "allowed-origins": [
    "/*"
  ],
  "realm_access": {
    "roles": [
      "default-roles-master",
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "wattfront-dev": {
      "roles": [
        "admin"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "email profile",
  "email_verified": false,
  "preferred_username": "user"
}

I don't understand why krakend returns 403, since roles_key has been set to the roles' path within the token.
What am I doing wrong?


Ludogo commented Apr 17, 2025

We have found the solution.
I missed the key roles_key_is_nested in the auth/validator settings.
So now I have:

"auth/validator": {
  "alg": "RS256",
  "jwk_url": "http://keycloak:7080/realms/master/protocol/openid-connect/certs",
  "disable_jwk_security": true,
  "operation_debug": true,
  "roles_key_is_nested": true,
  "roles_key": "resource_access.wattfront-dev.roles",
  "roles": [
    "admin"
  ]
}

@Ludogo Ludogo closed this as completed Apr 17, 2025
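Added example, not KrakenD's own code and not part of the issue: a small Python model of how a dotted roles_key resolves against the decoded claims posted above, with and without roles_key_is_nested. It assumes a token is authorized when it carries any one of the configured roles; the function names and the trimmed CLAIMS sample are constructed for this illustration.

```python
"""Model of KrakenD-style roles_key resolution against decoded JWT claims.

Constructed illustration, not KrakenD's implementation: it mirrors the
behaviour seen in the issue, where a dotted roles_key only descends into
nested claim objects when roles_key_is_nested is true.
"""

# Claims trimmed from the Keycloak token posted in the issue (constructed sample).
CLAIMS = {
    "azp": "wattfront-dev",
    "realm_access": {"roles": ["default-roles-master", "offline_access"]},
    "resource_access": {
        "wattfront-dev": {"roles": ["admin"]},
        "account": {"roles": ["manage-account", "view-profile"]},
    },
}


def extract_roles(claims, roles_key, roles_key_is_nested=False):
    """Return the list of roles found at roles_key, or [] when absent.

    Without the nested flag the key is looked up literally as one claim
    name, so "resource_access.wattfront-dev.roles" matches nothing: no
    top-level claim carries that exact name, and the role check fails.
    """
    if not roles_key_is_nested:
        value = claims.get(roles_key, [])
    else:
        value = claims
        for part in roles_key.split("."):
            if not isinstance(value, dict) or part not in value:
                return []
            value = value[part]
    if not isinstance(value, list):
        return []
    return [role for role in value if isinstance(role, str)]


def is_authorized(claims, roles_key, required_roles, roles_key_is_nested=False):
    """Authorize when the token carries at least one of the required roles."""
    granted = set(extract_roles(claims, roles_key, roles_key_is_nested))
    return bool(granted & set(required_roles))


if __name__ == "__main__":
    key = "resource_access.wattfront-dev.roles"
    # Original config (flag missing): the 403 "does not have sufficient roles" case.
    print("flat lookup  :", is_authorized(CLAIMS, key, ["admin"]))        # False
    # Fixed config (roles_key_is_nested: true): the request is allowed.
    print("nested lookup:", is_authorized(CLAIMS, key, ["admin"], True))  # True
```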