[keycloak-user] Add dynamically resolved token claim
Vagelis Savvas
vagelis.savvas at gmail.com
Tue Jan 22 03:04:38 EST 2019
To answer my own question, it is possible to use
authenticationSession.setUserSessionNote(...)
at the authenticator script and then access the session note, via
userSession.getNote(...), at the token mapper script.
Since the note is attached at the user session object it remains
available throughout the session's lifetime
so it is still there in subsequent invocations of the mapper script ,
such as when an access token is refreshed, etc.
Cheers,
Vagelis
On 13/01/2019 12:29, Vagelis Savvas wrote:
> Hello,
> I have an authenticator script and a mapper script and I would like to
> attach a piece of information
> during login in the authenticator script then retrieve it in the
> mapper script and set it as a token claim.
> (background: this piece of information originates from an extra input
> field of a custom login page and
> I want it to appear in the user's access token in order to
> differentiate users based on it).
>
> So, I can't use the user object to attach my info because its not
> fully reliable.
> What would work best is to use an object that is unique per
> authentication session and available in both scripts.
> The user object is both unique and available but is also a singleton.
>
> Thus I've tried via keycloakSession.setAttribute('myInfo', value) in
> auth script and then keycloakSession.getAttribute('myInfo')
> in mapper script but it doesn't work (why isn't the keycloakSession
> object the same in the two scripts?).
> I've also tried in auth script
> authenticationSession.setUserSessionNote('myInfo',value) and then
> userSession.getNote('myInfo')
> in mapper script but it doesn't work as well.
> Any further ideas on how to solve this in a reliable way?
>
> Cheers,
> Vagelis
More information about the keycloak-user
mailing list