Option to merge roles rather than overwrite

[brendanarnold]

Setting resource_access.my_client_name.roles as the Token Claim Name results in the other roles for other clients being overwritten - it would be good to have an option to merge the objects rather than overwrite.

As an example, here is the JWT without the external-claim-mapper plugin, you can see there are roles for the account client...

{
  // ... start of token
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  // ... rest of token
}

After enabling external-claim-mapper with Token Claim Name set to resource_access.my_client_name.roles you can see that the roles for account are overwritten and so lost.

{
  // ... start of token
  "resource_access": {
    "my_client_name": {
      "roles": [
        "admin:1"
      ]
    }
  },
  // ... rest of token
}

There might be a use case for completely overwriting the roles so this might not be default behaviour but it should probably be an option?

[zloom]

Thank you — just to confirm I understood your point correctly:

When the Token Claim Name is set to something like resource_access.my_client_name.roles, the plugin treats it as an explicit instruction to set that path. As a result, the entire resource_access object is replaced with a new one that only contains my_client_name, and any existing entries like resource_access.account are lost.

This is currently the expected behavior, since the plugin doesn't merge — it simply overwrites the specified path.
However, I completely agree this could be improved, and we could introduce an optional merge flag to preserve existing claims and avoid unintentional data loss.

I have two ideas for solving this:

1. Log a warning if there's already data at the specified JSONPath. That way, at least the developer is aware that something is being overwritten.
2. Add a merge mechanism, possibly with a configuration flag or strategy enum (replace, merge, skip) to control how the value is applied.

[brendanarnold]

Exactly - love the idea of choosing a merge strategy. So for example I could select e.g. merge as the strategy and get the following result

{
  // ... start of token
  "resource_access": {
     "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    },
    "my_client_name": {
      "roles": [
        "admin:1"
      ]
    }
  },
  // ... rest of token
}

Logging is a good shout too if values are being overwritten although you may want to consider if this is more 'info' level since with an merge strategy of 'replace' you are explicitly asking for this behaviour and you might not want to fill the logs with noise.