Keycloak retrieve custom attributes to KeycloakPrincipal

  • Select Users > Lookup > click on ID > go to attributes tab > Add attribute > e.g.: phone > Save enter image description here

  • Select Clients > click on Client ID > go to Mappers Tab > create mapper

    enter image description here

    enter image description here

    enter image description here

  • Get custom attributes

    enter image description here

    enter image description here

UPDATE

  • Add 'phone' attribute on Group level, assign user to that group, and you get 'phone' attribute from group level for all users

  • Go back to mapper and update 'phone' with 'Aggregate attribute values = true' and 'Multivalued=true', and you get 'phone' as list with both attributes from group and user level. If you keep 'Aggregate attribute values = false' or 'Multivalued=false', you get just one value, where 'phone' attribute from user will override 'phone' attribute from group (which make sense)


To add custom attributes you need to do three things:

  1. Add attributes to admin console
  2. Add claim mapping
  3. Access claims

The first one is explained pretty good here: https://www.keycloak.org/docs/latest/server_admin/index.html#user-attributes

Add claim mapping:

  1. Open the admin console of your realm.
  2. Go to Clients and open your client
  3. This only works for Settings > Access Type confidential or public (not bearer-only)
  4. Go to Mappers
  5. Create a mapping from your attribute to json
  6. Check "Add to ID token"

Access claims:

final Principal userPrincipal = httpRequest.getUserPrincipal();

if (userPrincipal instanceof KeycloakPrincipal) {

    KeycloakPrincipal<KeycloakSecurityContext> kp = (KeycloakPrincipal<KeycloakSecurityContext>) userPrincipal;
    IDToken token = kp.getKeycloakSecurityContext().getIdToken();

    Map<String, Object> otherClaims = token.getOtherClaims();

    if (otherClaims.containsKey("YOUR_CLAIM_KEY")) {
        yourClaim = String.valueOf(otherClaims.get("YOUR_CLAIM_KEY"));
    }
} else {
    throw new RuntimeException(...);
}

Hope this helps and fits your use case. I used this for a custom attribute I added with a custom theme.


For Keycloak > 18 the configuration of the mappers has moved in the UI:

Inside Clients > Your selected client under the tab Client Scopes, one has to select account-dedicated:

enter image description here

There custom mappers can be added:

enter image description here