I'm trying to have a custom protocol mapper provide a serialized Kerberos ticket as a claim.
I have updated the KerberosUsernamePasswordAuthenticator so that it gets the ticket:
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.util.Base64;
import java.util.Optional;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Fields assumed on the enclosing authenticator class
private LoginContext loginContext;
private String serializedKerberosTicket;

public Subject authenticateSubject(String username, String password) throws LoginException {
    String principal = getKerberosPrincipal(username);
    logger.debug("Validating password of principal: " + principal);
    loginContext = new LoginContext("does-not-matter", null,
            createJaasCallbackHandler(principal, password),
            createJaasConfiguration());
    loginContext.login();
    // Capture the ticket obtained by the JAAS login before handing back the Subject
    serializedKerberosTicket = serializeTicket();
    logger.debug("Principal " + principal + " authenticated successfully");
    return loginContext.getSubject();
}

private String serializeTicket() {
    // The Subject's private credentials hold the KerberosTicket(s) obtained on login;
    // there may be none if the JAAS configuration did not store a ticket.
    Optional<KerberosTicket> ticket = loginContext.getSubject()
            .getPrivateCredentials(KerberosTicket.class)
            .stream().findFirst();
    if (!ticket.isPresent()) {
        logger.error("No KerberosTicket found in Subject private credentials");
        return null;
    }
    try (ByteArrayOutputStream bos = new ByteArrayOutputStream();
         ObjectOutputStream oos = new ObjectOutputStream(bos)) {
        oos.writeObject(ticket.get());
        // ObjectOutputStream buffers internally: flush before reading bos, otherwise
        // the tail of the stream is missing and deserialization fails later.
        oos.flush();
        // The serialized ticket includes the session key, so this string is a
        // bearer credential and must be protected like a password.
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    } catch (IOException e) {
        logger.error("Kerberos ticket serialization failed", e);
        return null;
    }
}
I reviewed the SPNEGOAuthenticator and traced its execution to see how it adds the Kerberos ticket, and I do not see that as a workable approach as it is so different from the Kerberos User/Password authenticator.
Where can my custom KerberosUsernamePasswordAuthenticator put the serialized ticket so that my custom protocol mapper will get it and add it as a claim on my access token?
I have looked and googled with no luck.