Update JWT Claims with custom metadata at a later point after sign-in

Hi all

I have been evaluating Keycloak as our identity and access management component and have been quite impressed with all its capabilities.

The only thing that I have been struggling to find out is how to update JWT claims with custom metadata and force refresh them at a later point after the sign-in process.

Some context:

  • We run a (soft) multi-tenant app that has an organization id in each table to scope the data.
  • We have several react frontends and react-native mobile apps connecting to the backend.

Desired flow:

  1. User logs in over Keycloak OIDC at the URL app.domain.com
  2. After a successful login, the user is shown a list of organizations that he/she is part of
  3. The user selects the organization that he/she wants to access
  4. Issue: At this point an updated JWT is sent to the frontend with the organization id, user role in the selected business, Hasura headers for the selected business, etc.
  5. With each subsequent API request the organization id and the role is extracted to scope permissions on the database

At step 4 I am facing issues on how to update the OIDC JWT claims and request a new token in the frontend.

Would appreciate any help on this topic!

Point 3. could be a part of the authentication process. With this approach you would need to write a simple custom authenticator (maybe even a script authenticator would be enough for that task) which could present a user with a list of organizations and store the chosen one in a user attribute. The attribute can be further used in claims mapping (e.g. in a script mapper). Point 4. wouldn’t be necessary then.
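To make the attribute-to-claims step concrete, here is an added example (not code from this thread, from Keycloak, or from Hasura) of the claim logic a script mapper would run. It is written as plain JavaScript so it can be exercised in Node; the attribute names `selected_org` and `org_roles` and the `org:role` membership format are assumptions for the illustration, and `user`/`token` in the comments stand for the objects Keycloak injects into a script mapper. The `https://hasura.io/jwt/claims` namespace and the `x-hasura-*` keys are Hasura's documented claim names.

```javascript
// Added example, not from the original thread. Claim logic for a Keycloak
// script mapper that turns a server-side "selected organization" user
// attribute into JWT claims. Attribute names are assumptions.
const HASURA_NS = "https://hasura.io/jwt/claims";
const ORG_ID_RE = /^[A-Za-z0-9_-]{1,64}$/; // reject anything that is not a plain id

// Keycloak stores user attributes as lists of strings; mirror that shape here.
function attr(attributes, name) {
  const v = attributes[name];
  return Array.isArray(v) ? v : [];
}

// Build the extra claims for the selected organization.
// attributes example: { selected_org: ["acme"], org_roles: ["acme:admin", "beta:viewer"] }
// Returns null when there is no trustworthy selection, so the mapper adds nothing.
function buildOrgClaims(attributes) {
  const [orgId] = attr(attributes, "selected_org");
  if (!orgId || !ORG_ID_RE.test(orgId)) return null;

  // Memberships are "org:role" pairs written by the authenticator on the server,
  // never by the client. Only roles that belong to the selected org are emitted,
  // so a selection of an org the user is not a member of yields no claims.
  const rolesInOrg = attr(attributes, "org_roles")
    .map((m) => m.split(":"))
    .filter(([org, role]) => org === orgId && role)
    .map(([, role]) => role);
  if (rolesInOrg.length === 0) return null;

  return {
    org_id: orgId,
    org_role: rolesInOrg[0],
    [HASURA_NS]: {
      "x-hasura-org-id": orgId,
      "x-hasura-default-role": rolesInOrg[0],
      "x-hasura-allowed-roles": rolesInOrg,
    },
  };
}

// Copy the claims onto a token object exposing setOtherClaims(name, value),
// which is the method the Keycloak token object offers to a script mapper.
// Returns the number of claims written (0 when nothing trustworthy was found).
function applyOrgClaims(token, attributes) {
  const claims = buildOrgClaims(attributes);
  if (!claims) return 0;
  for (const [name, value] of Object.entries(claims)) {
    token.setOtherClaims(name, value);
  }
  return Object.keys(claims).length;
}

// Inside an actual Keycloak script mapper the glue would look roughly like
// (assumed, not verified against a specific Keycloak version):
//   var attributes = {
//     selected_org: Java.from(user.getAttribute("selected_org")),
//     org_roles: Java.from(user.getAttribute("org_roles")),
//   };
//   applyOrgClaims(token, attributes);

// Stand-alone run with a constructed user.
if (typeof require !== "undefined" && require.main === module) {
  const demoToken = { setOtherClaims(k, v) { console.log(k, JSON.stringify(v)); } };
  applyOrgClaims(demoToken, {
    selected_org: ["acme"],
    org_roles: ["acme:admin", "acme:viewer", "beta:viewer"],
  });
}
```

The security-relevant point is that the organization and role in the token come only from attributes the authenticator wrote on the server; the frontend never supplies them. Because Keycloak runs protocol mappers whenever it issues a token, changing the attribute and then obtaining a fresh token is what makes the new organization appear in the claims.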