Refresh_token grant - how to obtain value from the refresh token (for the use in protocol mapper)

I am using keycloak 4.8.3.

when user login via keycloak, i have added a custom value to the refresh token. (e.g. ‘magicNumber’ [time dependent])…

(this value is also added to the access token via Script based mapper)

now, when i need a new access token, i run the refresh_token grant, how can i get back the ‘magicNumber’ from the refresh token (sent to the token endpoint) in the script based mapper? I need to put this magicNumber into the access token and new refresh token!..


I think refreshToken is not available in the OIDC protocol mappers. The
mappers are currently executed at the very first request (OIDC
code-to-token request) when the refresh token doesn’t event exists.

If the magicNumber is always the same for every token during login, then
you can possibly use attribute in userSession or clientSession?
UserSession is shared for all clients and clientSession is for the
single client, so depends what is better for your purpose.


Hi Marek,

thanks for your tips.

I want to put a per client per user login magicNumber.

Then, i think i need to put it in the user session (with a specific user session data key, e.g. ‘magicNumber’) and then put this piece into the access token.

I have a check of the code/document, there should be separate UserSessionModel object for each client. Say, if user SSO login 3 clients, there will be 3 UserSessionModel objects created, am i right?
(i am just afraid that the usersession data will be overrided when trying to login another client).

Btw, i just realize that - we can’t add custom claims/attributes to the refresh token!