I need to set a custom claim in the access_token from within a C# application. Is there a way to achieve this? So that I can create custom access_tokens on the fly. I read through the Keycloak API reference but was not able to find a solution. I need this because I have a user that, depending on the application state, should get access to different resources. I don't want to create different users to achieve this. I do not want to save information into the cookies to achieve this. And I also do not want to save information in the URL to achieve this.

I already tried to use a uma-ticket token for this as described here. But all I got was this error:

{
    "error": "invalid_grant",
    "error_description": "Invalid bearer token"
}
Oliver
  • What kind of custom claim information do you want to add in the JWT? I don't understand what you mean by "the application state, should get access to different resources". Detailed information or an example would help me understand what you are looking for. I hope to address your question with the requesting party token (RPT) – Bench Vue Nov 29 '22 at 18:32
  • I have to grant access by entering a code which was generated in the application. The code is for temporary access. Therefore I created a user in Keycloak that requests the token via the API. But depending on the code that is entered, I need to provide another instance of the application. For example the code A456BF01 gives access to one instance and 5B56B501 to another. Currently the application checks the `sub` claim, which is always the GUID of the KC user. Now I want to write the code to the token, e.g. a new `instance` claim, and let the application check for that instead of `sub`. – Oliver Nov 30 '22 at 08:34
  • I am not sure whether it is possible or not. In the RPT, is it possible to add a custom value into an attribute of a resource, like an instance code? It shows a resource name/display name/uuid/scope/owner/attribute of the client. It needs a test. I will try it, but it will take a couple of days. – Bench Vue Nov 30 '22 at 11:14
  • No need to, I solved it as described in my comment under the accepted answer. Thank you anyway. – Oliver Nov 30 '22 at 12:05

1 Answer

The most common option is to implement dynamic behaviour via claims. At the time of token issuance, the authorization server can reach out to an API endpoint (or database), to send account attributes and receive back custom attributes.

In Keycloak you need to use a protocol mapper for this. The last time I looked you had to develop one in Java, then configure it in the Admin UI for your client app. There is a worked example here.

This is usually a better design than trying to issue new user-level access tokens on the fly. E.g. an access token contains the important values used for authorization, such as role=manager or subscription_level=gold, so that the claims are trusted. The resources they grant access to could then vary a little based on runtime conditions.

Gary Archer
  • This is a really good approach, but I see one problem with this approach for my special use case. I don't know how to get a relation between a token request and an API call of Keycloak. I would have to somehow send the code (see my comment under my question) with my token request. Is that at all possible? And if it is, can I somehow get that information inside my custom mapper to write it to the token? Then I would not need the API endpoint at all. – Oliver Nov 30 '22 at 09:16
  • I solved it by writing a custom header in the token request. Then in the custom mapper I look up that header value with `keycloakSession.getContext().getRequestHeaders().getRequestHeader("header_name").get(0)` and write it to the token as a claim. – Oliver Nov 30 '22 at 12:03
  • @Oliver Thanks a lot man. I was not able to achieve this for the last few days. This line helped me. Thanks a lot. If you don't mind, can you tell me how I can fetch it from the body? – Devesh Meena Jun 26 '23 at 12:57
  • @DeveshMeena Glad my solution helped you, that's why I commented it here. What exactly do you mean by "fetch it from body"? – Oliver Jul 16 '23 at 12:01
  • @Oliver oh that's nothing. Just a junior full stack developer getting confused. Thanks for the help mate. – Devesh Meena Jul 17 '23 at 06:13
  • @DeveshMeena Okay, you're welcome. Have a nice day and happy coding! – Oliver Jul 18 '23 at 08:26
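The header-to-claim protocol mapper that Oliver describes in the comments, written out as an added illustration (it is not code from the answer, the comments or the Keycloak project). It assumes a header name `X-Instance-Code`, the eight-hex-digit code format seen in the question's comments, and a claim name configured in the Admin UI; because the header is supplied by the caller, the mapper only copies values that match the expected format and otherwise issues the token without the claim.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;

/** Copies a request header into a token claim; registered via META-INF/services/org.keycloak.protocol.ProtocolMapper. */
public class HeaderClaimMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper {
    public static final String PROVIDER_ID = "header-claim-mapper";   // assumed provider id
    static final String HEADER_NAME = "X-Instance-Code";              // assumed header name
    // Codes in the question look like A456BF01: eight upper-case hex digits.
    private static final Pattern CODE_FORMAT = Pattern.compile("[0-9A-F]{8}");
    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();
    static {
        // Adds the "Token Claim Name" and "Add to access token" settings shown in the Admin UI.
        OIDCAttributeMapperHelper.addTokenClaimNameConfig(CONFIG);
        OIDCAttributeMapperHelper.addIncludeInTokensConfig(CONFIG, HeaderClaimMapper.class);
    }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Request header to claim"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Maps the " + HEADER_NAME + " request header to a claim."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    /** Called by the base class for every token type the mapper configuration enables. */
    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession,
                            KeycloakSession keycloakSession, ClientSessionContext clientSessionCtx) {
        List<String> values = keycloakSession.getContext().getRequestHeaders().getRequestHeader(HEADER_NAME);
        if (values == null || values.size() != 1) {
            return;   // absent or ambiguous header: issue the token without the claim
        }
        String code = values.get(0).trim();
        // The header is caller-supplied input: accept only the expected format. Whether the
        // code was really issued is still for the application that generated it to verify.
        if (!CODE_FORMAT.matcher(code).matches()) {
            return;
        }
        OIDCAttributeMapperHelper.mapClaim(token, mappingModel, code);
    }
}
```

After deploying the JAR, add the mapper to the client in the Admin UI and set the claim name there (e.g. `instance`); the C# client then sends the header on its token request.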