I want to add a new functionality to a webapp and for that functionality, I want to edit an existing claim in my JWT when the user that interacts with the client chooses to use this feature. Now, would it be correct to do this with a token exchange and custom protocol mapper? Can this work? Or would I sort of fetch a new token after DB update of my federated users? The RFC is quite limited in functionality of the token exchange and Keycloak also has its own sort of version. I do not really switch client, so an internal-internal token exchange does not seem to fit my use case.
1 Answer
Usually you would involve Keycloak when you want to change access token scopes. Whenever you issue a scope you issue a collection of claims. To get a new scope you could potentially use one of these mechanisms:
- Step up authentication
- Optional user consent to the new scope
- Token exchange with down-scoping
- Token exchange with up-scoping
Once an access token is issued its claims are immutable. You should aim to use stable claims that do not change within a user's authenticated session. I always restrict claims to main identity values rather than volatile business settings.
If you need to edit a claim based on user actions it is perhaps a sign that you need an extra authorization value stored outside of access tokens. For example, your web app could call an API operation that saves that value and can then use it for authorization.
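An added example, not from the question or the answer, illustrating the answer's two points with a minimal HS256 JWT: rewriting a claim in an issued token invalidates its signature, so the volatile value is instead stored server-side keyed by the stable `sub` claim. The secret, claim names and the in-memory `FEATURE_FLAGS` store are constructed for the demo; the issuer (Keycloak in the question) would normally do the signing.

```python
# Added example: why issued-token claims are immutable, and the server-side alternative.
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # stands in for the issuer's signing key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, secret: bytes) -> str:
    """Issue an HS256 token (the issuer's job, shown here only to build test input)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, secret: bytes):
    """Return the claims if the signature checks out, else None."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))

def edit_claim_in_place(token: str, claim: str, value) -> str:
    """What 'editing a claim' in an issued token amounts to: payload changes, signature stays."""
    header, payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims[claim] = value
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{sig}"

# Constructed server-side store for the volatile setting, keyed by the stable sub claim.
FEATURE_FLAGS = {}

def enable_feature(token: str, secret: bytes) -> bool:
    """The API operation the answer suggests: persist the value outside the token."""
    claims = verify_jwt(token, secret)
    if claims is None:
        return False
    FEATURE_FLAGS[claims["sub"]] = True
    return True

def is_feature_allowed(token: str, secret: bytes) -> bool:
    """Authorize from the stable claim plus the stored value, not from a token claim."""
    claims = verify_jwt(token, secret)
    return claims is not None and FEATURE_FLAGS.get(claims["sub"], False)
```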