Replacement for 'Script Mapper' in Client Mappers

Planning on replacing the Token Client Name sub with a random value (for privacy reasons we can’t use the default ID). Under the old ‘Script Mapper’ option for Mapper Type, I could have created a random value by script – what could be an option in lieu of ‘Script Mapper’? Thank you.

Hello,

There’s a predefined claim mapper for this: “pairwise subject identifier”. It creates a cryptographic hash based on the local user’s ID, the client’s redirect URI and a salt, if I understand it correctly.

If that is not sufficient for you, JavaScript mappers can be implemented according to the documentation:
https://www.keycloak.org/docs/latest/server_development/#_script_providers
(you have to start KC with -Dkeycloak.profile.feature.scripts=enabled)
In the script, the sub value can be set with token.setSubject("my random value")

As far as I know, setting the sub using a standard user property or attribute mapper will not work.

regards,
Matthias


So far, populating the Token Client Name sub with the ‘email’ value appears to work.

Thank you for your post and suggestion.

To comply with privacy policies, we would have to create an opaque immutable hash value per user to populate the Token Client Name sub value (i.e. the value will be unique to a user per service).