Is it possible to add local attributes to a federated user?

my use case is the following:

  • I have an Active Directory configured in Keycloak using User Federation via LDAP protocol
  • The LDAP is and should remain READ_ONLY in Keycloak. The AD is owned by a different group and we do not have write access to it.
  • However I want to add local attributes to users in KayCloak. These attributes should not be synched back to LDAP.

Concrete example: let’s say I want to keep track of the last 5 login times of a user. I can implement an event listener for the LOGIN event, which will append the values to an attribute associated to the user. This attribute should only stay in keycloak’s DB.

I have tried to implement this listener and it almost works:

  • using KeycloakSession::userStorageManager the attribute & its values are saved only locally, although there is an exception about the LDAP being readonly.
  • the problem is that Keycloak seems to use some cache which does not get immediately updated, which means it takes some time before the values are updated and the information can be forwarded correctly in the userinfo to the clients.

I can easily ignore the exception for the federation storage so, for me, that’s not an issue. Maybe there is a way to manually evict the stale data from the cache?

I have tried to use the KeycloakSession::userLocalStorage but doesn’t seem to do anything. Using KeycloakSession::users says “Operation not supported”, only the userStorageManager seems to work, although with this problem with cached data.

Is there a proper way to be able to store attributes on users only locally? I repeat: the attribute should not be synched back to the federated storage.

I would really like to avoid having to store this data manually or to access it via admin API since I’m really trying to implement the system without dealing with user sessions at all on my part and, IMHO, Keycloak should let me do this.