Hello Thomas
Thanks for the answer.
For the User Storage Provider managing the logins via Keycloak’s login mask, the
code snippet in the isValid-method shown below allows setting a custom user attribute on
each(!) login action with an actual value. And indeed via a client-specific
user-attribute-mapper the attribute will be taken over as a claim-value into the token. So
when enhancing the code snippet appropriately I am able to set a specific claim value of a
token in a flexible and dynamic manner, for instance taking the current timestamp or
the current value of a database-entry. All is fine so far, but
when logging in via an Id-broker, the same is only possible when the user logs in for the
first(!) time, when again the isValid-method of the User Storage Provider being involved
does its work. Unfortunately any successive logins will skip the isValid-method. So my
question targets the possibility of “catching” all (successive) logins via an external ID
broker, being able to manipulate the UserModel as we can do in the User Storage Provider
isValid method.
From: Thomas Darimont [mailto:thomas.darimont@googlemail.com]
Sent: Friday, March 10, 2017 9:26 AM
To: Matuszak, Eduard
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Additional token claims dynamically set via login by external
Id Provider
Hello Eduard,
do you set the attribute on the user? If so you could try to configure a custom
user-attribute mapper for your client.
The mapper could then inject the attribute value into the token with the name provided in
the mapper.
Cheers,
Thomas
2017-03-10 8:53 GMT+01:00 Matuszak, Eduard <eduard.matuszak@worldline.com>:
Hello Keycloak Team
For logins taking place via keycloak login mask, I am able to edit a user property
"on the fly" in user-storage-provider's isValid-method and can add it into
the token (after adding an appropriate mapper for the corresponding client):
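    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        // ..
        // Set a custom user attribute on each login; the client's
        // user-attribute mapper copies it into the token as a claim.
        List<String> attr_dyn_list = new ArrayList<String>();
        attr_dyn_list.add("attr_dyn_val");
        local.setAttribute("attr_dyn", attr_dyn_list);
        // ..
    }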
Now I also want to set an additional claim dynamically into an access token when a user
tries to log in (not only the first time) via an external Id Provider. Is there any hook I
can override to do so or is this feature planned to be implemented in the near future?
Best regards, Eduard Matuszak