Keycloak’s built-in Group Membership Token Mapper only includes direct user groups, not child groups.
If you want child groups included in the JWT, the easiest approach is to:
1. Include only direct groups in the token (using the default mapper).
2. In your backend, call Keycloak’s Admin REST API to fetch each group’s child groups recursively.
3. Combine them to get the full group hierarchy for your user.
This way you keep tokens simple and handle hierarchy logic where it’s easier to maintain and customize.
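The backend side of these steps, as an added example that is not part of the original answer or Keycloak's own code: it expands the token's direct group paths into the full set, de-duplicating overlaps and failing closed on an unexpectedly deep tree. Assumptions: the names `expand_groups`, `resolve_by_path` and `fetch_children` are hypothetical; in a real service the two callables would wrap Admin REST API calls (for example the `group-by-path/{path}` and `groups/{id}/children` endpoints under `/admin/realms/{realm}`, with paging handled), while here they read constructed in-memory data so the block runs offline.

```python
from typing import Callable, Iterable, Optional

def expand_groups(direct_paths: Iterable[str],
                  resolve_by_path: Callable[[str], Optional[dict]],
                  fetch_children: Callable[[str], list],
                  max_depth: int = 10) -> list:
    """Direct group paths from the token plus every descendant group path."""
    seen_ids, paths, stack = set(), set(), []
    for path in direct_paths:
        group = resolve_by_path(path)
        if group is not None:          # group may have been deleted after token issuance
            stack.append((group, 0))
    while stack:
        group, depth = stack.pop()
        if depth > max_depth:          # fail closed instead of walking unbounded data
            raise ValueError(f"group tree deeper than {max_depth}")
        if group["id"] in seen_ids:    # a direct group can also be another's descendant
            continue
        seen_ids.add(group["id"])
        paths.add(group["path"])
        stack.extend((child, depth + 1) for child in fetch_children(group["id"]))
    return sorted(paths)

# Constructed sample data standing in for Admin REST API responses (assumption).
SAMPLE_GROUPS = {
    "e1": {"id": "e1", "path": "/eng", "children": ["e2", "e4"]},
    "e2": {"id": "e2", "path": "/eng/backend", "children": ["e3"]},
    "e3": {"id": "e3", "path": "/eng/backend/payments", "children": []},
    "e4": {"id": "e4", "path": "/eng/frontend", "children": []},
    "s1": {"id": "s1", "path": "/sales", "children": []},
}

def demo_resolve(path: str) -> Optional[dict]:
    # Stand-in for a path-to-group lookup; returns None when the group is unknown.
    return next((g for g in SAMPLE_GROUPS.values() if g["path"] == path), None)

def demo_children(group_id: str) -> list:
    # Stand-in for listing one group's direct children.
    return [SAMPLE_GROUPS[c] for c in SAMPLE_GROUPS[group_id]["children"]]

if __name__ == "__main__":
    print(expand_groups(["/eng", "/missing"], demo_resolve, demo_children))
```

Take the direct paths only from a token whose signature has already been verified, and cache the expanded result briefly so each request does not trigger a tree walk against the Admin API.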