Transfer claims from external IdP token to internal token

The token returned by my external (OIDC) IdP may contain quite a lot of data in a 3 level deep JSON-structure. My application needs this data to perform authorization. From what I’ve gathered I have two options:

  1. Map this data to user attributes, and then map these attributes to my keycloak’s issued token.
  2. Enable ‘Store Token’ on the IdP and retrieve the external token through the broker’s token endpoint in my keycloak.

Mapping to user attributes doesn’t seem feasible with a large JSON structure.

The Store Token-alternative works, but it requires my application to know about the external IdP which I’d really like to avoid.

I’d like an option to simply transfer some claims from the external token to the internal one. Thankful for help!


Write (implement) your own mapper!? :man_shrugging:
This way, you have full control over what data should be mapped in which way.

A mapper that does what? A mapper from IdP token claims → user attributes already exists, but the problem there was that the attributes seem to be more of a key-value thing, not something that is suited to hold large data structures (please correct me if I’m wrong here)

Or do you mean a custom mapper that can do the token-to-token claim transfer? If that’s possible, that sounds like a good idea. Could you please point me in the right direction in the docs on how to do this?

Your explanation of your requirement is very generic, so I don’t know exactly what you want to achieve.

With a custom mapper, you can completely control how you want to map your data between the IdP token and the internal user model. If you don’t need the complete large structure, you can implement it accordingly to just save the values which are nested deeply somewhere in the structure.

An IdP token to KC token mapper does not exist; Keycloak doesn’t map values from the IdP token to its own tokens, that’s not possible. You’ll have to go the way via the user model.

Or implement a custom endpoint where a client can request additional data. You’ll have to implement this endpoint properly so that the requesting client has the right (role) to retrieve the original IdP token for the user, and then return just the values you want.
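The core of the "custom mapper via the user model" route described above is the transformation step: take the nested IdP token, keep only the claims the application actually needs for authorization, and store them in a form that fits Keycloak's string-to-string user attributes, from which a normal protocol mapper can then put them into the internal token. The following is an added, stand-alone illustration of that logic, not code from the thread or from Keycloak; it assumes a constructed sample token, an assumed per-attribute length limit, and hypothetical function names (`flatten_claims`, `build_internal_claims`), and it does not use the Keycloak SPI itself.

```python
import json
from typing import Any, Iterable

# Constructed sample payload (not from the thread): a 3-level-deep ID token
# as an external OIDC IdP might issue it.
EXTERNAL_ID_TOKEN: dict[str, Any] = {
    "sub": "1234",
    "iss": "https://idp.example.test",
    "org": {
        "name": "Example Corp",
        "unit": {"id": "ou-42", "roles": ["approver", "auditor"]},
    },
    "entitlements": [{"system": "erp", "level": 2}],
}

# Assumed storage limit per attribute value. Keycloak stores user attributes
# as strings; treat the exact limit as an assumption for your version/schema.
MAX_ATTRIBUTE_LENGTH = 255

# Only these flattened keys may reach the internally issued token. Copying
# everything would bloat every access token and leak data the clients never
# needed (e.g. "sub" and "iss" of the external IdP stay out).
ALLOWED_CLAIMS = frozenset({"org.unit.id", "org.unit.roles"})
# Attributes that were JSON-encoded on the way in and should be decoded again.
JSON_CLAIMS = frozenset({"org.unit.roles", "entitlements"})


def flatten_claims(claims: dict[str, Any], prefix: str = "",
                   max_len: int = MAX_ATTRIBUTE_LENGTH) -> dict[str, str]:
    """Flatten a nested claim structure into string -> string pairs.

    Nested objects become dotted keys ("org.unit.id"); lists and other
    non-scalar values are JSON-encoded so they survive a string-only
    attribute store. Oversized values raise instead of being silently cut,
    so a truncated role list can never turn into a wrong authorization.
    """
    flat: dict[str, str] = {}
    for key, value in claims.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten_claims(value, path, max_len))
            continue
        if isinstance(value, (list, tuple)):
            text = json.dumps(value, separators=(",", ":"))
        elif value is None or isinstance(value, bool):
            text = json.dumps(value)  # "null", "true", "false"
        else:
            text = str(value)
        if len(text) > max_len:
            raise ValueError(f"claim {path!r} exceeds {max_len} characters")
        flat[path] = text
    return flat


def build_internal_claims(attributes: dict[str, str], allowlist: Iterable[str],
                          json_claims: frozenset = frozenset()) -> dict[str, Any]:
    """Select allowlisted attributes for the internal token, restoring
    JSON-encoded values (lists) where the allowlist says so."""
    internal: dict[str, Any] = {}
    for name in allowlist:
        if name not in attributes:
            continue  # claim absent for this user; do not invent a default
        raw = attributes[name]
        internal[name] = json.loads(raw) if name in json_claims else raw
    return internal


if __name__ == "__main__":
    attrs = flatten_claims(EXTERNAL_ID_TOKEN)
    print("stored user attributes:", attrs)
    print("claims for internal token:",
          build_internal_claims(attrs, ALLOWED_CLAIMS, JSON_CLAIMS))
```

In a real custom mapper the `flatten_claims` step would run when the brokered identity is processed (writing the pairs as user attributes), and `build_internal_claims` corresponds to what a protocol mapper does when the internal token is issued; keeping the allowlist explicit is what prevents the whole external structure from leaking into every token.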

An IdP token to KC token mapper does not exist; Keycloak doesn’t map values from the IdP token to its own tokens, that’s not possible. You’ll have to go the way via the user model.

Thanks, good info. It seems I’ll have to move the token parsing logic to keycloak then. I’ll still run into the string → string key value restriction on user attributes, but I’ll see what I can do.