[keycloak-user] customizing OIDC refresh token flow
Dmitry Telegin
dt at acutus.pro
Thu Jul 5 00:30:05 EDT 2018
Hi Ori,
AFAIK at the moment there are no extension points to hook into the
token refresh process. I'd suggest the following:
- if your JS frontend allows for alternate OIDC URLs, you could
implement a custom token endpoint by extending TokenEndpoint and adding
your logic;
- you could also try creating a custom protocol mapper. Start with
creating a dummy one and test if it is indeed invoked upon token
refresh.
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+ 42 (022) 888-30-71
E-mail: info at acutus.pro
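
The dummy protocol mapper suggested above could look like the following. This is an added example, not code from the original message or from the Keycloak project. The package, class name and provider id are hypothetical, and it assumes the three-argument `setClaim` of `AbstractOIDCProtocolMapper`; check the signature against the Keycloak version in use.

```java
package example.keycloak; // hypothetical package name

import java.util.ArrayList;
import java.util.List;
import org.jboss.logging.Logger;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;

// Dummy mapper: logs each invocation and stamps a timestamp claim, so the token
// from a login can be compared with the token from a refresh_token grant.
// Deploy by listing this class in
// META-INF/services/org.keycloak.protocol.ProtocolMapper and adding it to the client.
public class RefreshProbeMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper {

    public static final String PROVIDER_ID = "refresh-probe-mapper"; // hypothetical id
    private static final Logger LOG = Logger.getLogger(RefreshProbeMapper.class);
    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();

    static {
        // "Token Claim Name" and "Add to access token" options in the admin console.
        // Both must be set on the mapper, otherwise no claim is written.
        OIDCAttributeMapperHelper.addTokenClaimNameConfig(CONFIG);
        OIDCAttributeMapperHelper.addIncludeInTokensConfig(CONFIG, RefreshProbeMapper.class);
    }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getDisplayType() { return "Refresh probe (dummy)"; }
    @Override public String getHelpText() { return "Logs when token mappers run."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel model,
                            UserSessionModel userSession) {
        long now = System.currentTimeMillis();
        // Log identifiers only; never log token contents.
        LOG.infof("probe mapper invoked: session=%s user=%s at=%d",
                userSession.getId(), userSession.getUser().getUsername(), now);
        // If this value changes in the access token after a refresh_token grant,
        // mappers run on refresh and the real lookup can be placed here.
        OIDCAttributeMapperHelper.mapClaim(token, model, now);
    }
}
```
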
On Wed, 2018-07-04 at 11:47 +0000, Ori Doolman wrote:
> Hi,
>
> I'm looking for a way to customize the OIDC token endpoint:
> In OIDC code flow, when getting a new access token using a refresh
> token, I want to call an external system and update a user attribute,
> such that the attribute value will be mapped to an attribute of the
> returned JWT access token.
>
> I think the relevant source code is here, but I didn't see a way to
> customize it using an SPI:
> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java
>
>
> The reason I need it is because we are working with an external
> identity provider, which returns an access token to us which is valid
> for only 15 minutes.
> The external access token is mapped to our JWT once the user logs in
> (we customized the authentication flow).
> Now I need a way that my JWT will always contain a valid external
> access token.
> Therefore, I thought we can fetch a new external access token every
> time we refresh our JWT.
>
> Or is there a better way to accomplish that?
>
>
> Thanks,
>
> Ori Doolman
> Lead Software Architect
> Amdocs Optima