Custom claims in authentication token per request

Hello,

I am using Keycloak with the OpenID Connect and OAuth protocols,
and I am trying to generate a token with custom claims.
For example, if I ask the server to generate a token with an amountLimit property, the token body should look like this:

curl -d "client_id=cws" -d "client_secret=xxx" -d "username=xxxx" -d "password=xxxx" -d "grant_type=password" (-d "amountLimit=XXXX" maybe something like this) localhost:18081/auth/realms/master/protocol/openid-connect/token

Does this request have any parameter to add a custom claim?

{
  "jti": "df79e44e-a5fc-4783-bb1e-1bdf36ad87fa",
  "exp": 1572878223,
  "nbf": 0,
  "iat": 1572878163,
  "iss": "localhost:18081/auth/realms/master",
  "sub": "599b1794-cbb8-4198-a9ec-6780bc4d1c90",
  "typ": "Bearer",
  "azp": "cws",
  "auth_time": 0,
  "session_state": "be4640e3-246a-49f9-b993-62ce9f32fe2b",
  "acr": "1",
  "allowed-origins": [
    "http://localhost:8080"
  ],
  "realm_access": {
    "roles": [
      "user"
    ]
  },
  "scope": "profile email",
  "email_verified": true,
  "transaction_limit": 10000,
  "name": "beka naveriani",
  "Roles": [
    "user"
  ],
  "amountLimit": 10000,
  "preferred_username": "bekanaveriani",
  "given_name": "beka",
  "family_name": "naveriani"
}

I am not trying to get hardcoded claims or user attributes; I just want to put in a claim which I need to use in the next steps. I am also interested in whether it is possible for one user to make, for example, 5 tokens with different roles and permissions.

Thank you.


Hi,

Did you get to any answer to this?
I’m trying to solve the same problem…
My consideration is that I need some authentication plugin that takes values from the request and puts them as session notes (which can then be mapped into the token).
Any better solution?

Regards


I’m looking forward to some solution to this topic.

First of all, why not use mappers, or add attributes to users?
I’m just not sure what your situation is.

But if, for example, you want it to be dynamic, so that you send a value in the curl and it will be added to the token, you could use ‘nonce’.
I really don’t recommend this, because the ‘nonce’ parameter should be used for security, but what it does is that you send the curl and in the URL part you just add a query parameter with the key ‘nonce’ and the value you need, and it will add this to the token.

Just play with it a little bit; maybe you could generate a random string and add your value to it, so the nonce will serve both for security and for your need.

Check out the use of the state parameter; maybe it suits your need as well.

Hey,
As I have mentioned in my previous comment you can use nonce, for example:

http://localhost:8080/auth/realms/tsp_openapi/protocol/openid-connect/auth?client_id=pplantoo&response_type=code&redirect_uri=https://www.google.com&nonce=123456

The nonce value is inserted into the token.

Keep in mind that the nonce value is used for security reasons,
so maybe you could generate a random value and concatenate it with a ‘.’ (dot) and your custom value.
Then you also have the security aspect, and you could split the nonce value to get your custom value.

The other option may be writing your own Keycloak extension or finding one that can help you.
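As an added illustration of the nonce trick described above (example code, not from this thread or from Keycloak itself), here is a client-side helper that builds a `random.custom` nonce and, once the token comes back, checks the random half against what it sent before trusting the custom half. The token payload is a constructed sample, and the JWT signature is assumed to have already been verified against the realm's keys; this only handles the nonce claim.

```python
import secrets
from typing import Optional, Tuple

# Added example, not part of the original thread or of Keycloak.
# Pattern: nonce = "<random>.<custom value>". The random part is the
# replay/binding check an OIDC client must do anyway; the custom part is
# only read after that check succeeds. Signature verification of the JWT
# is assumed to have been done before the payload reaches these functions.

def make_nonce(custom_value: str) -> Tuple[str, str]:
    """Return (nonce, random_part) for the authorization request.

    token_urlsafe never emits '.', so the first dot always separates the
    random part from the custom value, even if the custom value has dots.
    """
    random_part = secrets.token_urlsafe(16)
    return f"{random_part}.{custom_value}", random_part


def custom_value_from_nonce(payload: dict, expected_random: str) -> Optional[str]:
    """Return the custom value carried in payload['nonce'], or None.

    None means the token must be rejected: the nonce is missing, malformed,
    or its random half does not match the one this client generated.
    """
    nonce = payload.get("nonce")
    if not isinstance(nonce, str) or "." not in nonce:
        return None
    random_part, custom_value = nonce.split(".", 1)
    # Constant-time compare: this is the replay/binding check, not just parsing.
    if not secrets.compare_digest(random_part, expected_random):
        return None
    return custom_value


if __name__ == "__main__":
    # Constructed sample mirroring the thread: client 'pplantoo', custom
    # value 'consent_id=123456' carried through the auth code flow.
    nonce, rnd = make_nonce("consent_id=123456")
    sample_payload = {"azp": "pplantoo", "typ": "Bearer", "nonce": nonce}
    print("authorization request nonce:", nonce)
    print("custom value recovered:", custom_value_from_nonce(sample_payload, rnd))
    # A replayed token carrying someone else's nonce is rejected (None).
    print("replayed token:", custom_value_from_nonce({"nonce": "other.consent_id=1"}, rnd))
```

The same check is what stops a token with an attacker-chosen nonce from being accepted as if it carried this client's custom value.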

Thanks Cyben for your answer, it’s indeed an option for us.

But I am just curious about one question: is there any method to transmit values among the different steps of the authorization code flow? I will separate the authorization code flow into 3 steps:

step 1:
get the login page:

/auth/realms/tsp_openapi/protocol/openid-connect/auth?client_id=pplantoo&response_type=code&redirect_uri=https://www.google.com

step 2:
login by typing username/password and get auth code, with custom parameter: consent_id
/auth/realms/tsp_openapi/login-actions/authenticate?session_code=_N7IcTaPF3vTtkPtIKQweKyCQRaXyVu2JF-fgcWQd40&execution=8975a242-0d40-4a47-992c-6ea7dd91728e&client_id=pplantoo&tab_id=fXCfFj3BG2c&consent_id=123456

step 3:
the client exchanges the auth code provided by step 2 for an access_token.

/auth/realms/tsp_openapi/protocol/openid-connect/token

question: is there any class/object that would treat these three steps as a session, so that I can store “consent_id” in step 2 and get “consent_id” in step 3 within the same session if I customize my login flow / protocol mapper?

Thanks again for your help. It really helps.

Sorry, I’m not sure. You will have to take a deep dive into the open source and just play with it and try to write your own custom authenticator (there is documentation for how it should look, the class scheme and so on).

The easiest way would be using nonce, without any additional extensions.
