[keycloak-user] Additional token claims dynamically set via login by external Id Provider

Matuszak, Eduard eduard.matuszak at worldline.com
Sun Mar 12 07:07:24 EDT 2017


Hello Thomas

Thanks for the answer.
For the User Storage Provider managing the logins via Keycloak's login mask, the code snippet in the isValid method shown below allows setting a custom user attribute on each(!) login action with an actual value. And indeed, via a client-specific user-attribute mapper the attribute will be taken over as a claim value into the token. So when enhancing the code snippet appropriately I am able to set a specific claim value of a token in a flexible and dynamic manner, for instance taking the current timestamp or the current value of a database entry. All is fine so far, but when logging in via an Id broker, the same is only possible when the user logs in for the first(!) time, when again the isValid method of the User Storage Provider being involved does its work. Unfortunately any successive logins will skip the isValid method. So my question targets the possibility of "catching" all (successive) logins via an external ID broker, being able to manipulate the UserModel as we can do in the User Storage Provider isValid method.


From: Thomas Darimont [mailto:thomas.darimont at googlemail.com]
Sent: Friday, March 10, 2017 9:26 AM
To: Matuszak, Eduard
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Additional token claims dynamically set via login by external Id Provider

Hello Eduard,

do you set the attribute on the user? If so you could try to configure a custom user-attribute mapper for your client.
The mapper could then inject the attribute value into the token with the name provided in the mapper.

Cheers,
Thomas

2017-03-10 8:53 GMT+01:00 Matuszak, Eduard <eduard.matuszak at worldline.com>:
Hello Keycloak Team

For logins taking place via the Keycloak login mask, I am able to edit a user property "on the fly" in the user storage provider's isValid method and can add it into the token (after adding an appropriate mapper for the corresponding client):

    import java.util.ArrayList;
    import java.util.List;
    import org.keycloak.credential.CredentialInput;
    import org.keycloak.models.RealmModel;
    import org.keycloak.models.UserModel;

    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        // ... credential check and lookup of "local" (the UserModel being edited) elided
        List<String> attr_dyn_list = new ArrayList<String>();
        attr_dyn_list.add("attr_dyn_val");
        // overwrite the attribute on every login; a client mapper copies it into the token
        local.setAttribute("attr_dyn", attr_dyn_list);
        // ...
    }


Now I also want to set an additional claim dynamically into an access token when a user tries to log in (not only the first time) via an external Id Provider. Is there any hook I can override to do so, or is this feature planned to be implemented in the near future?

Best regards, Eduard Matuszak

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
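The thread's approach writes the value onto the UserModel during isValid() and relies on the built-in User Attribute mapper, which is why brokered logins after the first one are missed. An alternative that covers every login path is to compute the claim when the token is issued, in a custom protocol mapper. The class below is an added example, not code from this thread or from the Keycloak project; the package, class name, provider id and the chosen claim contents (session start, issuance time, the attr_dyn attribute from the snippet above) are assumptions. It overrides the three-argument setClaim() hook of AbstractOIDCProtocolMapper, which the newer five-argument variant still delegates to, but check the signature against the Keycloak version you run.

```java
// Added example (not from the thread): a custom OIDC protocol mapper that
// computes a claim each time a token is issued, instead of storing it on the
// user during isValid(). Package, class name and provider id are hypothetical.
package com.example.keycloak;

import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;

public class DynamicLoginClaimMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {

    // Hypothetical provider id; it is what the admin console lists the mapper under.
    public static final String PROVIDER_ID = "example-dynamic-login-claim";

    private static final List<ProviderConfigProperty> CONFIG_PROPERTIES = new ArrayList<>();

    static {
        // Reuse Keycloak's standard switches: "Token Claim Name" and
        // "Add to ID token / access token / userinfo".
        OIDCAttributeMapperHelper.addTokenClaimNameConfig(CONFIG_PROPERTIES);
        OIDCAttributeMapperHelper.addIncludeInTokensConfig(CONFIG_PROPERTIES, DynamicLoginClaimMapper.class);
    }

    @Override
    public List<ProviderConfigProperty> getConfigProperties() {
        return CONFIG_PROPERTIES;
    }

    @Override
    public String getDisplayCategory() {
        return TOKEN_MAPPER_CATEGORY;
    }

    @Override
    public String getDisplayType() {
        return "Dynamic login claim (example)";
    }

    @Override
    public String getHelpText() {
        return "Adds a claim computed at token issuance: session start time, "
             + "issuance time and the user's attr_dyn attribute, if present.";
    }

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    // Runs for every token Keycloak issues for a client that has this mapper,
    // regardless of whether the user came through the login form or a broker.
    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession) {
        UserModel user = userSession.getUser();

        Map<String, Object> value = new LinkedHashMap<>();
        value.put("session_started", userSession.getStarted()); // seconds since epoch, fixed at login
        value.put("issued", System.currentTimeMillis() / 1000L); // when this particular token was built

        // Anything readable from the user (or from your own store) can be added here;
        // attr_dyn is the attribute name used in the thread's isValid() snippet.
        List<String> dyn = user.getAttribute("attr_dyn");
        if (dyn != null && !dyn.isEmpty()) {
            value.put("attr_dyn", dyn.get(0));
        }

        // Honors the claim name and the token-inclusion flags configured on the mapper.
        OIDCAttributeMapperHelper.mapClaim(token, mappingModel, value);
    }
}
```

To make Keycloak pick the mapper up, package it as a jar with a META-INF/services/org.keycloak.protocol.ProtocolMapper file listing the fully qualified class name, deploy it like any other provider, and add the mapper to the client in the admin console. Because the value is produced at issuance rather than stored on the user, nothing needs to intercept the broker login itself, and a refreshed token gets a fresh value too; if a value must instead be frozen at login time, the session start shown above is the place to anchor it.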