I tried providing claims as query params or in the header, besides the client id and secret, but the token returned never contains the custom claims provided.
At the Keycloak level you should define a mapper in the OIDC client config you use (you can also play with scopes, which are an abstraction on top of mappers). Then that mapper (or mappers) will create the claim(s) in the token.
I added the Claims parameter Token Mapper, so I assumed adding ‘claims’ in header would get Keycloak to add them into the response token, but that’s not happening.
I know that I can create other mappers as well, but I don’t want these to be resolved and evaluated on Keycloak, such as user attributes, roles etc. but I need some custom ones to add.
Any ideas whether the above mentioned Claims parameter mapper just isn’t working, or it’s for something else?
I don’t understand your use case, but it is definitely a good idea to provide a reproducible example first.
I really don’t understand:
I added the Claims parameter Token Mapper, so I assumed adding ‘claims’ in header
Claims parameter Token Mapper - this type of mapper doesn’t exist in Keycloak by default.
adding ‘claims’ in header - you mentioned first that you used query parameters.
A good question/description gets you a good answer, and a higher chance of getting any answer at all.
I tried providing claims as query params or in the header
First, I wrote that I tried both adding it as a query param and within the headers. I only tried adding it as query params because in some places in the docs it is not clear.
I’m not sure what you mean when you say it doesn’t exist.
And finally, I really don’t get what would be hard for you to understand here: when providing a set of custom claims while requesting the token, Keycloak doesn’t return these claims in the token.
I was thinking that Keycloak provides this functionality out of the box, with an existing mapper, but yeah - seems like you have to implement your own.
Thanks a lot for your reply, I think I’ll solve it in the same way
I also need to inject custom claims into my access token.
My principal concern here is about the refresh token. When my access token expires and I refresh it, will I need to pass the custom claims again to the refresh endpoint, or can I “query” the old access token and copy them from there to the new one?
Is the only way to implement a custom Protocol Mapper? Can you provide a functional code example?
Hi
Our implementation is to send the custom claims in a special header containing the JSON claims, base64 encoded.
The protocol mapper takes the header, decodes it and adds it to the token claims.
This is done both in the auth call and in the refresh call.
You never want to manipulate the refresh token, this is not in your concern. The refresh token is only meant for the issuing party (the AS/IdP, here: Keycloak) itself.
Everything else, you can control with the protocol mappers.
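As an added example (not code from any of the posts above and not part of Keycloak itself), here is what a protocol mapper of the kind described in the previous reply could look like in Java against the Keycloak OIDC mapper SPI (AbstractOIDCProtocolMapper with the setClaim override that receives the KeycloakSession). The class name, the provider id, the header name X-Custom-Claims and the allowed.keys config property are my assumptions. Since anyone holding the client credentials can send that header, the example does not copy the header blindly: it only accepts keys from a configured allowlist and nests them under the configured claim name, so a caller can never overwrite standard claims such as sub, aud, exp or realm_access.

```java
package com.example.keycloak; // assumed package

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;
import org.keycloak.util.JsonSerialization;

/**
 * Copies caller-supplied claims from a base64-encoded JSON request header into
 * the token, filtered by an allowlist and nested under one configured claim name.
 * Hypothetical example mapper; names below are assumptions, not Keycloak's.
 */
public class HeaderClaimsMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {

    public static final String PROVIDER_ID = "header-claims-mapper"; // assumed id
    static final String HEADER_NAME = "X-Custom-Claims";             // assumed header
    static final String ALLOWED_KEYS = "allowed.keys";                // assumed config key

    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();
    static {
        // "Token Claim Name" field: the namespace under which header keys are placed.
        OIDCAttributeMapperHelper.addTokenClaimNameConfig(CONFIG);
        CONFIG.add(new ProviderConfigProperty(ALLOWED_KEYS, "Allowed keys",
                "Comma-separated keys that may be copied from the " + HEADER_NAME + " header",
                ProviderConfigProperty.STRING_TYPE, ""));
        // Adds the "Add to access token / ID token / userinfo" switches.
        OIDCAttributeMapperHelper.addIncludeInTokensConfig(CONFIG, HeaderClaimsMapper.class);
    }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Header claims (allowlisted)"; }
    @Override public String getHelpText() {
        return "Copies allowlisted keys from a base64 JSON request header into the token.";
    }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    // AbstractOIDCProtocolMapper calls this for the initial grant and for
    // refresh_token grants, so the header must be sent on refresh as well.
    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel,
                            UserSessionModel userSession, KeycloakSession keycloakSession,
                            ClientSessionContext clientSessionCtx) {
        String header = keycloakSession.getContext().getRequestHeaders().getHeaderString(HEADER_NAME);
        if (header == null || header.isEmpty()) {
            return; // no header: token is issued without the custom claims
        }
        Map<String, Object> accepted = filterClaims(header, allowedKeys(mappingModel));
        if (!accepted.isEmpty()) {
            // Placed under the configured claim name, never at the token's top level.
            OIDCAttributeMapperHelper.mapClaim(token, mappingModel, accepted);
        }
    }

    static Set<String> allowedKeys(ProtocolMapperModel mappingModel) {
        String raw = mappingModel.getConfig().getOrDefault(ALLOWED_KEYS, "");
        return Arrays.stream(raw.split(","))
                .map(String::trim).filter(s -> !s.isEmpty())
                .collect(Collectors.toSet());
    }

    // Decodes base64(JSON object) and keeps only allowlisted keys.
    // Malformed input (bad base64, bad JSON, non-object) yields an empty map.
    static Map<String, Object> filterClaims(String headerValue, Set<String> allowed) {
        Map<String, Object> result = new LinkedHashMap<>();
        try {
            byte[] raw = Base64.getDecoder().decode(headerValue);
            String json = new String(raw, StandardCharsets.UTF_8);
            @SuppressWarnings("unchecked")
            Map<String, Object> parsed = JsonSerialization.readValue(json, Map.class);
            for (Map.Entry<String, Object> e : parsed.entrySet()) {
                if (allowed.contains(e.getKey()) && e.getValue() != null) {
                    result.put(e.getKey(), e.getValue());
                }
            }
        } catch (IllegalArgumentException | IOException | ClassCastException ignored) {
            // treat an unparseable header as absent rather than failing the token request
        }
        return result;
    }
}
```

To load it, package the class in a jar with a META-INF/services/org.keycloak.protocol.ProtocolMapper file listing the fully qualified class name, deploy it as a Keycloak provider, then add the mapper to the client (or a client scope) and set the allowed keys and the token claim name. The request header is then, for example, X-Custom-Claims: base64('{"tenant":"acme","plan":"gold"}'); with allowed.keys set to tenant and the claim name set to custom, the token gets {"custom":{"tenant":"acme"}} and plan is dropped. The return type of getRequestHeaders() lives in javax.ws.rs or jakarta.ws.rs depending on the Keycloak version, which is why the example only calls getHeaderString on it instead of importing the type.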