diff --git a/keycloak.yaml b/keycloak.yaml
index ee0968e..0f4ed34 100644
--- a/keycloak.yaml
+++ b/keycloak.yaml
@@ -43,6 +43,7 @@ services:
 - ./keycloak/keycloak-login.sh:/bin/keycloak-login.sh:ro
 - ./keycloak/entrypoint-setup.sh:/setup.sh:ro
 - ./keycloak/mail-setup.sh:/keycloak-setup/mail-setup.sh:ro
+ - ./keycloak/mapper-setup.sh:/keycloak-setup/mapper-setup.sh:ro
 - ./data/keycloak/secrets:/run/secrets/keycloak-secrets:ro
 depends_on:
 - keycloak-db
diff --git a/keycloak/mapper-setup.sh b/keycloak/mapper-setup.sh
new file mode 100755
index 0000000..f0d1c4a
--- /dev/null
+++ b/keycloak/mapper-setup.sh
@@ -0,0 +1,22 @@
+#!/bin/bash -x
+# Turn on the userinfo for the roles/cient roles default protocol mapper.
+# this should be so much easier, but they don't have ways to do queries?
+# and they don't include jq in the keycloak container, so updating the JSON
+# it bangning the rocks together with sed and awk.
+
+die() { echo >&2 "ERROR: $@" ; exit 1 ; }
+
+SCOPE_ID=$(kcadm.sh get -r $REALM client-scopes --fields id,name --format csv --noquotes | awk -F, '/,roles$/ { print $1 }')
+if [ -z "$SCOPE_ID" ]; then die "no client scope" ; fi
+
+MAPPER_ID=$(kcadm.sh get -r $REALM client-scopes/$SCOPE_ID/protocol-mappers/models --format csv --noquotes | awk -F, '/,client roles,/ { print $1 }')
+if [ -z "$MAPPER_ID" ]; then die "no mapper defined" ; fi
+
+kcadm.sh get -r $REALM client-scopes/$SCOPE_ID/protocol-mappers/models/$MAPPER_ID \
+ | sed 's/"userinfo.token.claim" : "false"/"userinfo.token.claim" : "true"/' \
+ > /tmp/map
+
+cat /tmp/map
+
+kcadm.sh update -r $REALM client-scopes/$SCOPE_ID/protocol-mappers/models/$MAPPER_ID -f /tmp/map
+
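Review bot: The `kcadm.sh get ... | sed ... > /tmp/map` step in the new mapper-setup.sh has no failure detection: without `set -e`/`pipefail` a failing `kcadm.sh get` leaves an empty file, and if the mapper JSON does not contain the exact `"userinfo.token.claim" : "false"` text the sed expression silently changes nothing, yet in both cases the script still runs `kcadm.sh update -f /tmp/map` and exits 0 as if the claim had been enabled. A `grep -q` for the `"true"` value before the update turns that into a hard error, and `set -euo pipefail` makes the pipeline failure fatal. The fixed path `/tmp/map` should be a `mktemp` file removed by an EXIT trap, `$REALM` is used unquoted and unchecked on every kcadm call (a `: "${REALM:?REALM must be set}"` guard catches the unset case before the first lookup), and `die` should interpolate `"$*"` rather than `"$@"` inside a string. Note also that the `-x` on the shebang only takes effect when the script is executed directly; if entrypoint-setup.sh runs it as `bash /keycloak-setup/mapper-setup.sh` (not visible here) the trace option is dropped, so `set -x` in the body is the reliable form. The comment block has typos worth fixing (`cient` → `client`, `it bangning` → `is banging`).
```shell
#!/bin/bash -x
set -euo pipefail
: "${REALM:?REALM must be set}"

die() { echo >&2 "ERROR: $*" ; exit 1 ; }

tmp=$(mktemp) || die "mktemp failed"
trap 'rm -f -- "$tmp"' EXIT

# … unchanged: SCOPE_ID / MAPPER_ID lookup and their die checks …

kcadm.sh get -r "$REALM" "client-scopes/$SCOPE_ID/protocol-mappers/models/$MAPPER_ID" \
  | sed 's/"userinfo.token.claim" : "false"/"userinfo.token.claim" : "true"/' \
  > "$tmp"

cat "$tmp"

# Fail loudly if the key was absent or formatted differently than the sed
# pattern expects, instead of pushing an unchanged mapper and exiting 0.
grep -q '"userinfo.token.claim" : "true"' "$tmp" \
  || die "userinfo.token.claim not enabled in mapper $MAPPER_ID"

kcadm.sh update -r "$REALM" "client-scopes/$SCOPE_ID/protocol-mappers/models/$MAPPER_ID" -f "$tmp"
```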