[keycloak-user] Loading extra claims from database

Amaeztu amaeztu at tesicnor.com
Thu Apr 13 03:03:33 EDT 2017


Hi! 

I use the first option. I do it with a protocol mapper, which is a convenient place to do it because there the token is already built by keycloak but hasn't been signed yet. This is the procedure :

1. User logs in 

2. My custom protocol mapper gets called, where I overwrite the transformAccessToken method 

3. Here I log in the client where the protocol mapper is in into keycloak, as a service. Here don't forget to use another client ID instead the one you're building the protocol mapper for, you'll enter an endless recursion otherwise. 

4. I get the access token into the protocol mapper and I call the rest endpoint of my application to grab the extra claims, which is secured 

5. Get the info returned by the endpoint and add it as extra claims 

Nire Sony Xperia™ telefonotik bidalita

---- Mailing lists igorleak idatzi du ----

>Hi all,
>
>I have not been able to divine the way I might add extra claims from my application database. Given my limited understanding, I see two ways:
>
>1 - after successful authentication have keycloak pull extra claims from the application database, somehow. This app database is postgres, for example.
>
>2 - have the application database update the jwt with extra claims using a shared key.
>
>I would like some feedback both paths. I feel that the fist option may be safer. However I am not sure where to begin that implementation journey.
>
>
>Many thanks. Mark
>
>_______________________________________________
>keycloak-user mailing list
>keycloak-user at lists.jboss.org
>https://lists.jboss.org/mailman/listinfo/keycloak-user


More information about the keycloak-user mailing list