We have a set of custom claims which are added to the access token using the overridden method transformAccessToken() in the custom token mapper class. A custom protocol mapper has also been added.
These custom claims are displayed in the access token correctly. But, after expiration of the access token, it is re-generated using the refresh token. In the new access token, the custom claims are missing.
The AbstractOrganizationMapper in that directory has the setClaim methods, and you’ll have to look in the 2 subclasses for examples of how to create the claim object.
There are also loads of examples in the Keycloak GitHub. Just search for classes that extend AbstractOIDCProtocolMapper and you'll find them.
I tried to use the setClaim() method as you suggested, but it is not getting called when we are trying to generate an access token using the refresh token.
Let me explain the issue from the start:
During initial authentication or login, we are generating the access token and adding custom claims in the isValid() method by setting attributes on the keycloakSession.
But, while generating a new access token using the refresh token, we are getting all these custom attribute values as NULL, as Keycloak will generate a new session for each request.
Due to this, we are struggling to get the custom claims into the access token in the second request.
Do you have any idea what can be used to set these custom attributes so that they can be used for all the subsequent requests for the same user?
We tried using userSession but it is not working as expected. If you have an idea about userSession for setting custom attributes, please share.
Below is how we are using the setClaim method:

```java
String attribute1 = (String) keycloakSession.getAttribute(attribute1);
// ...
```

At the end we are doing:

```java
OIDCAttributeMapperHelper.mapClaim(accessTokenResponse, mappingModel, claimMap);
```

The mapClaim method uses accessTokenResponse or idToken, so do you know how this will be used? Do we need to set accessTokenResponse or idToken during first login?
```java
import java.util.ArrayList;
import java.util.List;

import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * OIDCAccessTokenMapper : To add a custom claim in the Access-token
 * OIDCIDTokenMapper : To add a custom claim in the ID-token
 */
public class TSTokenMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper, OIDCIDTokenMapper {

    private static final Logger log = LoggerFactory.getLogger(TSTokenMapper.class);

    public static final String TS_PROTOCOL_PROVIDER_ID = "custom-protocol-mapper";
    private static final String DEFAULT_CONFIG_VALUE = "TS User Claim";
    private static final List<ProviderConfigProperty> configProperties = new ArrayList<>();
    private static final String HELP_TEXT = "TS User Claim";
    private static final String CUSTOM_CLAIM = "TS User Claim";

    /**
     * This method returns the display type of the custom protocol mapper
     * @return display type of the custom protocol mapper
     */
    @Override
    public String getDisplayType() {
        final String METHODNAME = "getDisplayType()";
        log.trace("{} ENTRY ", METHODNAME);
        log.trace("{} RETURN {}", METHODNAME, CUSTOM_CLAIM);
        return CUSTOM_CLAIM;
    }

    /**
     * This method returns the help text for the custom protocol mapper
     * @return Help text for the custom protocol mapper.
     */
    @Override
    public String getHelpText() {
        final String METHODNAME = "getHelpText()";
        log.trace("{} ENTRY ", METHODNAME);
        log.trace("{} RETURN {}", METHODNAME, HELP_TEXT);
        return HELP_TEXT;
    }

    /**
     * This method returns the configuration properties of the custom protocol mapper
     * @return configuration properties of the custom protocol mapper
     */
    @Override
    public List<ProviderConfigProperty> getConfigProperties() {
        final String METHODNAME = "getConfigProperties()";
        log.trace("{} ENTRY ", METHODNAME);
        log.trace("{} RETURN {}", METHODNAME, configProperties);
        return configProperties;
    }

    // The post is cut off after getConfigProperties(); these two abstract methods are
    // filled in with the constants already declared above so that the class compiles.
    @Override
    public String getId() {
        return TS_PROTOCOL_PROVIDER_ID;
    }

    @Override
    public String getDisplayCategory() {
        return TOKEN_MAPPER_CATEGORY;
    }
}
```
This issue is resolved. We are overriding getAttributes() method of AbstractUserAdapter class and setting parameter in this method at user level. It is working as expected.
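Following the resolution above, here is an added example (not the poster's code and not taken from Keycloak itself) of a mapper that takes its claim value from a persisted user attribute, which is what setClaim() can see on both the initial login and the refresh-token grant, unlike a KeycloakSession attribute that lives for one request only. It assumes a Keycloak version with the five-argument setClaim(); the attribute name ts_user_claim and the provider id are placeholders.

```java
// Added example: claim value sourced from a user attribute (persisted), not a per-request session attribute.
import java.util.ArrayList;
import java.util.List;

import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;

public class UserAttributeClaimMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper, OIDCIDTokenMapper {

    public static final String PROVIDER_ID = "user-attribute-claim-mapper"; // assumed id
    static final String SOURCE_ATTRIBUTE = "ts_user_claim";                 // assumed attribute name
    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();

    static {
        // Standard "Token Claim Name" / "Add to access token" / "Add to ID token" options.
        OIDCAttributeMapperHelper.addAttributeConfig(CONFIG, UserAttributeClaimMapper.class);
    }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "User attribute claim"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Copies a user attribute into the token"; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    // Runs for the initial login AND for the refresh-token grant. userSession.getUser() is the stored
    // user, so the attribute is still present on the second request, unlike a KeycloakSession attribute.
    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel,
                            UserSessionModel userSession, KeycloakSession keycloakSession,
                            ClientSessionContext clientSessionCtx) {
        UserModel user = userSession.getUser();
        String value = user.getFirstAttribute(SOURCE_ATTRIBUTE);
        if (value == null || value.isEmpty()) {
            return; // no attribute on the user: emit no claim rather than an empty or null one
        }
        OIDCAttributeMapperHelper.mapClaim(token, mappingModel, value);
    }
}
```

If the user comes from a custom user storage provider, the overridden getAttributes() on the AbstractUserAdapter mentioned in the resolution is exactly what getFirstAttribute() reads from here.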