Best way to propagate AMR claims served by external identity provider?

Hello, here is the use case: in our client app we need to react to the amr claim provided by Keycloak. We have no problem getting this claim when the user authenticates through the standard browser flow. But when the user chooses to authenticate through a brokered OIDC identity provider, the amr claim provided by the idp is in the token provided by the idp to Keycloak, but it is not in the token provided by Keycloak to the client app.

For the authentication via the standard flow, we’re using the built-in “Authentication Method Reference (AMR)” protocol mapper (no problem here). But what would be the best way to handle the propagation of amr coming from the idp?

We already have a custom SPI for the idp, so we are able to modify its code if necessary, but I’m not sure it is not the right place to implement what we need.
My first idea was to use a ClaimToUserSessionNote idp mapper to store the idp amr claim in the session notes, and then add a UserSessionNoteMapper to the client scope where we already have the built-in AMR protocol mapper.

Some members of the team think we should handle this in the SPI code (even if they can’t explain why…), but I feel my idea is a better practice (as I use built-in mechanisms instead of coding custom ones).

Any opinions? Or other ways to propagate the amr list coming from the idp?

I think I’ve done that already some time ago, as you described, with a ClaimToUserSessionNoteMapper and a UserSessionNoteMapper. AFAIR this did the trick. I don’t know why I should add custom code for this.

1 Like

Thanks @dasniko, it comforts me in my solution. I’ve tested it and yes, it does the trick.
Your post will be a great support for me to convince my team (I’ll make them grab themselves coffees :wink: )

1 Like

Thanks, it’s appreciated!

The best code I have to maintain is no code. :man_shrugging:

1 Like

For information, after testing in a real context (with amr provided by the idp as a list), my solution wasn’t working because the ClaimToUserSessionNoteMapper only handles claims as String, not as List.
Adding a custom idp mapper to our custom idp (we called it AmrClaimToUserSessionNoteMapper) did the trick. We didn’t have time to make the built-in mapper compatible with List, that’s why our mapper only handles the amr claim for now.
Hope I can find time to work on this later and submit a PR to Keycloak.

1 Like
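The two posts above (the original ClaimToUserSessionNote idea and the later finding that the built-in mapper stores only String claims) can be illustrated with one identity-provider mapper. What follows is an added example written for this page; it is neither Keycloak's own code nor the mapper the thread author wrote. It assumes a package name, the mapper id `amr-claim-to-user-session-note`, the session-note name `idp_amr`, and that the custom OIDC identity provider from the thread registers under the provider id `my-custom-oidc`; all of those are placeholders. The Keycloak API it relies on (`AbstractClaimMapper.getClaimValue`, `AuthenticationSessionModel.setUserSessionNote`, the `IdentityProviderMapper` lifecycle methods) is used as it exists in current Keycloak releases.

```java
// Added example (not Keycloak's code, not the thread author's code): an identity-provider
// mapper that copies the upstream IdP's "amr" claim into a user session note, accepting both
// a bare string ("amr": "pwd") and a JSON array ("amr": ["pwd", "otp"]).
package com.example.keycloak.broker; // assumed package name

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

import org.jboss.logging.Logger;
import org.keycloak.broker.oidc.mappers.AbstractClaimMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.IdentityProviderSyncMode;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.util.JsonSerialization;

public class AmrClaimToUserSessionNoteMapper extends AbstractClaimMapper {

    private static final Logger LOG = Logger.getLogger(AmrClaimToUserSessionNoteMapper.class);

    public static final String PROVIDER_ID = "amr-claim-to-user-session-note"; // assumed mapper id
    public static final String AMR_CLAIM = "amr";
    public static final String NOTE_NAME = "idp_amr";                          // assumed note name

    // Assumed: provider id of the custom OIDC identity provider mentioned in the thread.
    private static final String[] COMPATIBLE_PROVIDERS = {"my-custom-oidc"};

    @Override public String[] getCompatibleProviders() { return COMPATIBLE_PROVIDERS; }
    @Override public String getDisplayCategory() { return "Attribute Importer"; }
    @Override public String getDisplayType() { return "AMR claim to user session note"; }
    @Override public String getHelpText() {
        return "Stores the IdP amr claim (string or array) as a JSON array in the user session note " + NOTE_NAME;
    }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }
    @Override public String getId() { return PROVIDER_ID; }
    // The note must be written on every brokered login, so every sync mode is accepted.
    @Override public boolean supportsSyncMode(IdentityProviderSyncMode syncMode) { return true; }

    // First brokered login of a user.
    @Override
    public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
                              IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        storeAmrNote(context);
    }

    // Subsequent logins; which of these two is invoked depends on the mapper's sync mode.
    @Override
    public void updateBrokeredUserLegacy(KeycloakSession session, RealmModel realm, UserModel user,
                                         IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        storeAmrNote(context);
    }

    @Override
    public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user,
                                   IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        storeAmrNote(context);
    }

    /** Pure conversion, kept separate so it can be unit-tested without a Keycloak session. */
    static List<String> normalizeAmr(Object claimValue) {
        List<String> methods = new ArrayList<>();
        if (claimValue instanceof Collection) {            // JSON array -> List after Jackson parsing
            for (Object v : (Collection<?>) claimValue) {
                if (v != null) methods.add(v.toString());
            }
        } else if (claimValue != null) {                    // single-valued "amr": "pwd"
            methods.add(claimValue.toString());
        }
        return methods;
    }

    private void storeAmrNote(BrokeredIdentityContext context) {
        // getClaimValue(context, claim) looks in the validated ID token, the access token and
        // the userinfo response of the brokered login, in that order.
        List<String> methods = normalizeAmr(getClaimValue(context, AMR_CLAIM));
        if (methods.isEmpty()) {
            return; // no note written, so the protocol mapper emits nothing for this claim
        }
        try {
            // Stored as JSON array text, e.g. ["pwd","otp"]; a User Session Note protocol mapper
            // with Claim JSON Type "JSON" turns it back into an array in the client token.
            context.getAuthenticationSession()
                   .setUserSessionNote(NOTE_NAME, JsonSerialization.writeValueAsString(methods));
        } catch (IOException e) {
            LOG.warnf(e, "Could not serialize amr claim %s into session note %s", methods, NOTE_NAME);
        }
    }
}
```

To deploy it, register the class in `META-INF/services/org.keycloak.broker.provider.IdentityProviderMapper`, add the mapper to the identity provider, and add a "User Session Note" protocol mapper to the client scope that reads `idp_amr` with Claim JSON Type set to JSON. Two points a practitioner should check: the note only carries what the upstream IdP asserted, Keycloak does not verify those methods, so treat it with the same trust you give that IdP; and if the same client scope keeps the built-in AMR mapper writing `amr`, map the note to a distinct claim name (such as `idp_amr`) unless you intend one mapper to overwrite the other.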