AFAIK at the moment there are no extension points to hook into the
token refresh process. I'd suggest the following:
- if your JS frontend allows for alternate OIDC URLs, you could
implement a custom token endpoint by extending TokenEndpoint and adding
- you could also try creating a custom protocol mapper. Start with
creating a dummy one and test if it is indeed invoked upon token
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+ 42 (022) 888-30-71
On Wed, 2018-07-04 at 11:47 +0000, Ori Doolman wrote:
I'm looking for a way to customize the OIDC token endpoint:
In the OIDC code flow, when getting a new access token using a refresh
token, I want to call an external system and update a user attribute,
such that the attribute value will be mapped to an attribute of the
returned JWT access token.
I think the relevant source code is here, but I didn't see a way to
customize it using an SPI:
The reason I need it is because we are working with an external
identity provider, which returns an access token to us which is valid
for only 15 minutes.
The external access token is mapped to our JWT once the user logs in
(we customized the authentication flow).
Now I need a way that my JWT will always contain a valid external
Therefore, I thought we can fetch a new external access token every
time we refresh our JWT.
Or is there a better way to accomplish that?
Lead Software Architect
keycloak-user mailing list