Keycloak retrieve custom attributes to KeycloakPrincipal

• Select Users > Lookup > click on ID > go to attributes tab > Add attribute > e.g.: phone > Save

• Select Clients > click on Client ID > go to Mappers Tab > create mapper

  

  

  

• Get custom attributes

  

  

UPDATE

• Add 'phone' attribute on Group level, assign user to that group, and you get 'phone' attribute from group level for all users

• Go back to mapper and update 'phone' with 'Aggregate attribute values = true' and 'Multivalued=true', and you get 'phone' as list with both attributes from group and user level. If you keep 'Aggregate attribute values = false' or 'Multivalued=false', you get just one value, where 'phone' attribute from user will override 'phone' attribute from group (which make sense)

To add custom attributes you need to do three things:

1. Add attributes to admin console
2. Add claim mapping
3. Access claims

The first one is explained pretty good here: https://www.keycloak.org/docs/latest/server_admin/index.html#user-attributes

Add claim mapping:

1. Open the admin console of your realm.
2. Go to Clients and open your client
3. This only works for Settings > Access Type confidential or public (not bearer-only)
4. Go to Mappers
5. Create a mapping from your attribute to json
6. Check "Add to ID token"

Access claims:

final Principal userPrincipal = httpRequest.getUserPrincipal();

if (userPrincipal instanceof KeycloakPrincipal) {

    KeycloakPrincipal<KeycloakSecurityContext> kp = (KeycloakPrincipal<KeycloakSecurityContext>) userPrincipal;
    IDToken token = kp.getKeycloakSecurityContext().getIdToken();

    Map<String, Object> otherClaims = token.getOtherClaims();

    if (otherClaims.containsKey("YOUR_CLAIM_KEY")) {
        yourClaim = String.valueOf(otherClaims.get("YOUR_CLAIM_KEY"));
    }
} else {
    throw new RuntimeException(...);
}

Hope this helps and fits your use case. I used this for a custom attribute I added with a custom theme.

For Keycloak > 18 the configuration of the mappers has moved in the UI:

Inside Clients > Your selected client under the tab Client Scopes, one has to select account-dedicated:

There custom mappers can be added: