Map Last Login Time Into JWT


I have noted that it’s possible to map attributes from groups, roles and users into a JWT. However since keycloak doesn’t (from what I can see) store a last login time, how can I find this and then map it into the JWT?

Kind Regards,

One way you could possibly solve this is by creating a custom event listener and on a successful login event store or update an attribute in the user. You can map the user attribute in the token.
An example of setting a user attribute in an event listener can be found on

There could be an easier way but not one I know of. Maybe somebody else can chip in.