How to add user attribute values to token when impersonating in Keycloak

Question

I am trying to impersonate a user (tony123) using a superadmin(superadmin). The steps I am following are as follows.

1. Get access token for superadmin as below.

curl --location --request POST 'http://localhost:8180/auth/realms/tenant/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=superadmin' \
--data-urlencode 'password=<superadmin-password>' \
--data-urlencode 'client_id=<source-client-id>' \
--data-urlencode 'client_secret=<source-client-secret>'

2. With the above token, I am getting the impersonated user's (tony123) token as follows.

curl --location --request POST 'http://localhost:8180/auth/realms/tenant/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=<source-client-id>' \
--data-urlencode 'client_secret=<source-client-secret>' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data-urlencode 'subject_token=<access token got in step one>' \
--data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:access_token' \
--data-urlencode 'requested_subject=<user id of tony123>'

I am able to get the correct impersonate token by following the above two steps. This impersonate token only contains preferred_username and email attributes of tony123 in the token. I would like to further customise the impersonate token by adding some phone_number from the user attributes map. I am unable to do so.

I tried adding a mapper for phone_number in the source-client in Keycloak admin. This was an unsuccessful attempt. How to achieve this?

Answer 1

First you create your custom attributes then in client mappers, add Token Mapper with User Attribute type.

Take a look at this page.