It’s a bit hard to give an analysis based on the given configuration (with a lot of obfuscated URLs).
One thing that comes to mind: did you do the additional configuration to make the redirect work on a local environment? (The hosts file modification)
To complete @hegde89’s answer, you should set spring.security.oauth2.client.registration.keycloak.scope to openid,email,profile,microprofile-jwt
Explanation:
The recommended configuration is to set the flowable.common.app.security.oauth2.authorities-attribute value to groups.
Without any additional scope provided, the only ones returned would be openid,email,profile.
In these scopes, there is no mapper to map the User Realm Role to a groups attribute in the access token (the roles are mapped to a realm_access.roles claim). I tried to replace the groups value with realm_access.roles, but this hierarchical notation doesn’t work with the flowable attribute flowable.common.app.security.oauth2.authorities-attribute.
So your only choices are:
to target a scope with an already built-in mapper that provides the roles in the groups claim (this is the built-in microprofile-jwt scope)
or to add a specific custom mapper in your client configuration in the Keycloak server. In this case, you don’t have to add spring.security.oauth2.client.registration.keycloak.scope to your flowable configuration
I suggest the scope usage; I think it’s cleaner since you could have several flowable applications configured as different clients in Keycloak
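The following is an added example, not code from the post above or from Flowable or Keycloak: a simplified model of the flat claim lookup the post describes, with constructed token payloads for the two scope lists, showing why the groups attribute is only populated once the microprofile-jwt scope is requested. The lookup behaviour of authorities_from_claims is an assumption based on the post, not Flowable's actual implementation.

```python
# Added example (not from the forum post, Flowable or Keycloak): a simplified
# model of reading the authorities-attribute from a decoded Keycloak token.
# All token payloads below are constructed for illustration.

def authorities_from_claims(claims: dict, attribute: str) -> list[str]:
    """Flat lookup of one claim name, as the post describes for
    flowable.common.app.security.oauth2.authorities-attribute: the attribute
    value is used literally as a key, so 'realm_access.roles' is not a path."""
    value = claims.get(attribute)
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return [str(v) for v in value]


# Constructed payload for scope=openid,email,profile: realm roles only appear
# nested under realm_access.roles; there is no top-level "groups" claim.
DEFAULT_SCOPE_CLAIMS = {
    "sub": "1234",
    "preferred_username": "alice",
    "realm_access": {"roles": ["flowable-admin", "offline_access"]},
}

# Constructed payload for scope=openid,email,profile,microprofile-jwt: the
# built-in mapper of that scope copies the realm roles to a top-level "groups".
MICROPROFILE_SCOPE_CLAIMS = {
    **DEFAULT_SCOPE_CLAIMS,
    "upn": "alice",
    "groups": ["flowable-admin", "offline_access"],
}


def check_configuration(scope: str, authorities_attribute: str) -> list[str]:
    """Return the authorities the application would see for a given
    registration scope list and authorities-attribute value, using the
    constructed payloads above to stand in for the issued token."""
    scopes = {s.strip() for s in scope.split(",")}
    claims = MICROPROFILE_SCOPE_CLAIMS if "microprofile-jwt" in scopes else DEFAULT_SCOPE_CLAIMS
    return authorities_from_claims(claims, authorities_attribute)


if __name__ == "__main__":
    for scope, attr in [("openid,email,profile", "groups"),
                        ("openid,email,profile", "realm_access.roles"),
                        ("openid,email,profile,microprofile-jwt", "groups")]:
        print(f"scope={scope!r} attribute={attr!r} -> {check_configuration(scope, attr)}")
```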