Re: [keycloak-user] Add dynamically resolved token claim

To answer my own question, it is possible to use  authenticationSession.setUserSessionNote(...) at the authenticator script and then access the session note, via  userSession.getNote(...), at the token mapper script. Since the note is attached at the user session object it remains  available throughout the session's lifetime so it is still there in subsequent invocations of the mapper script ,  such as when an access token is refreshed, etc. Cheers, Vagelis On 13/01/2019 12:29, Vagelis Savvas wrote: > Hello, > I have an authenticator script and a mapper script and I would like to  > attach a piece of information > during login in the authenticator script then retrieve it in the  > mapper script and set it as a token claim. > (background: this piece of information originates from an extra input  > field of a custom login page and > I want it to appear in the user's access token in order to  > differentiate users based on it). > > So, I can't use the user object to attach my info because its not  > fully reliable. > What would work best is to use an object that is unique per  > authentication session and available in both scripts. > The user object is both unique and available but is also a singleton. > > Thus I've tried via keycloakSession.setAttribute('myInfo', value) in  > auth script and then keycloakSession.getAttribute('myInfo') > in mapper script  but it doesn't work (why isn't the keycloakSession  > object the same in the two scripts?). > I've also tried in auth script  > authenticationSession.setUserSessionNote('myInfo',value) and then  > userSession.getNote('myInfo') > in mapper script  but it doesn't work as well. > Any further ideas on how to solve this in a reliable way? > > Cheers, > Vagelis _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user