I am using Keycloak with the OpenID and OAuth protocols,
I am trying to generate a token with custom claims,
for example, if I ask the server to generate a token with an amountLimit property, the token body should look like this
I am not trying to get hardcoded claims or user attributes, I just want to put in a claim which I need to use in the next steps. Also I am interested in whether it is possible that one user makes, for example, 5 tokens with different roles and permissions?
Did you get to any answer to this?
I’m trying to solve the same problem…
My consideration is that I need some authentication plugin that takes values from the request and puts them as session notes (which can then be mapped into the token).
Any better solution?
First of all, why not use mappers, or add attributes to users?
I’m just not sure what your situation is.
But if for example you want it to be dynamic, so you send a value in the curl and it gets added to the token, you could use ‘nonce’.
I really don’t recommend this! because the ‘nonce’ parameter should be used for security, but what it does is that you send the curl and in the URL part you just add a query parameter with the key ‘nonce’ and the value you need, and it will add this to the token.
Just play with it a little bit, maybe you could generate a random string and add your value to it, so the nonce will be both for security and for your need.
Check out the use of the state parameter, maybe it suits your need as well.
Keep in mind that the nonce value is used for security reasons,
So maybe you could generate a random value and concatenate it with a ‘.’ (dot) and your custom value
And then you also have the security aspect and also you could split the nonce value to get your custom value.
The other option may be writing your own Keycloak extension or finding one that can help you.
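The "random.customvalue" nonce idea from the reply above, as an added client-side example that is not part of this thread or of Keycloak itself: the client keeps the random half in its own session, and when the token comes back it checks that half (so the nonce still does its replay-protection job) before splitting off the custom half. The token here is a constructed, unsigned sample, and signature verification against the realm keys is assumed to have happened before the payload is decoded.

```python
import base64
import json
import secrets

SEPARATOR = "."  # secrets.token_urlsafe() never emits '.', so the first dot is the boundary


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_nonce(custom_value: str) -> tuple[str, str]:
    """Return (nonce, random_part). The client stores random_part in its own session."""
    if SEPARATOR in custom_value:
        raise ValueError("custom value must not contain the separator")
    random_part = secrets.token_urlsafe(32)
    return f"{random_part}{SEPARATOR}{custom_value}", random_part


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT. Assumes the signature was already
    verified against the realm's JWKS; this function deliberately does not check it."""
    _header, payload, _signature = token.split(".")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def extract_custom_value(payload: dict, expected_random_part: str) -> str:
    """Check the random half of the nonce in constant time, then return the custom half."""
    nonce = payload.get("nonce")
    if not isinstance(nonce, str) or SEPARATOR not in nonce:
        raise ValueError("token nonce missing or malformed")
    random_part, _, custom_value = nonce.partition(SEPARATOR)
    if not secrets.compare_digest(random_part.encode(), expected_random_part.encode()):
        raise ValueError("nonce mismatch: token was not issued for this request")
    return custom_value


def make_sample_token(payload: dict) -> str:
    """Constructed, unsigned stand-in for a Keycloak token (local testing only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."


if __name__ == "__main__":
    nonce, stored = build_nonce("amountLimit=500")
    token = make_sample_token({"sub": "user-1", "nonce": nonce})
    print(extract_custom_value(decode_jwt_payload(token), stored))  # amountLimit=500
```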
Thanks Cyben for your answer, it’s indeed an option for us.
But just curious about one question: is there any method to transmit values among the different steps of the authorization code flow? I will separate the authorization code flow into 3 steps:
step 2: login by typing username/password and get auth code, with custom parameter: consent_id
/auth/realms/tsp_openapi/login-actions/authenticate?session_code=_N7IcTaPF3vTtkPtIKQweKyCQRaXyVu2JF-fgcWQd40&execution=8975a242-0d40-4a47-992c-6ea7dd91728e&client_id=pplantoo&tab_id=fXCfFj3BG2c&consent_id=123456
step 3. client exchanges for access_token with the auth code provided by step 2.
question: is there any class/object that would treat these three steps as a session, so that I can store “consent_id” in step 2 and get “consent_id” in step 3 within the same session if I customize my login flow / protocol mapper?
Sorry, I’m not sure. You will have to take a deep dive into the open source and just play with it and try to write your own custom authenticator (there is documentation for how it should look, the class scheme and so on).
The easiest way would be using nonce, without any additional extensions.