Map federated info and totp info to a claim in access token


valerie bauche

Oct 10, 2025, 6:08:25 AM
to Keycloak User
Hi

I have an OIDC client that needs to know if an authenticated user comes from an external IDP or is a "local" user; can this information be retrieved by a claim mapper?
Same question for getting the TOTP status of a user: I need a claim indicating if the user has an OTP application defined, i.e. totp=true/false. This information exists in the user profile (retrieved with the Keycloak API) but I can't map it to a claim.
Thanks !

Alexander Schwartz

Oct 15, 2025, 3:56:35 PM
to valerie bauche, Keycloak User
Hello Valerie,

Thanks for reaching out.

There is no predefined mapper to return a claim totp true/false. The only claims that Keycloak supports are those providing information on whether a TOTP has been used in the authentication for the user. See step-up authentication, Level of Authentication (LoA) and ACR in the server administration guide for that: https://www.keycloak.org/docs/latest/server_admin/index.html#_step-up-flow
For anything beyond that, you will need to create your own mapper.

For IDPs, you can set up a "Hardcoded User Session Attribute" mapper, which stores some value in the user session. This you can later map in a client with a "User Session Note" mapper to a claim. Maybe that is sufficient for your use case.

Best,
Alexander


--

Alexander Schwartz, RHCE

He/Him

Principal Software Engineer, Keycloak Maintainer
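One way to build the custom mapper Alexander describes, as an added example written for this thread (it is not Keycloak's own code and not something the thread's participants posted). It is a protocol mapper that emits two claims, `totp_configured` (true when the user has an OTP credential stored) and `federated_idp` (the alias of the first linked identity provider, or `local` when there is no link). The package, class name, provider id and claim names are my own choices; it assumes a Keycloak release recent enough to expose `UserModel.credentialManager()` and is registered through `META-INF/services/org.keycloak.protocol.ProtocolMapper`.

```java
package com.example.keycloak.mappers; // hypothetical package, choose your own

import java.util.ArrayList;
import java.util.List;

import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.credential.OTPCredentialModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;

/**
 * Custom OIDC protocol mapper (example, not part of Keycloak).
 * Adds "totp_configured" and "federated_idp" claims to the tokens selected
 * in the mapper configuration. Register it by listing the fully qualified
 * class name in META-INF/services/org.keycloak.protocol.ProtocolMapper.
 */
public class UserSecurityStatusMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {

    // Hypothetical provider id; shown in the admin console's mapper type list
    public static final String PROVIDER_ID = "user-security-status-mapper";

    // Claim names are this example's own choice
    static final String CLAIM_TOTP = "totp_configured";
    static final String CLAIM_IDP = "federated_idp";

    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();

    static {
        // Adds the standard "Add to ID token / access token / userinfo" switches;
        // AbstractOIDCProtocolMapper honours them before calling setClaim().
        OIDCAttributeMapperHelper.addIncludeInTokensConfig(CONFIG, UserSecurityStatusMapper.class);
    }

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    @Override
    public String getDisplayType() {
        return "User security status (TOTP / federated IdP)";
    }

    @Override
    public String getDisplayCategory() {
        return TOKEN_MAPPER_CATEGORY;
    }

    @Override
    public String getHelpText() {
        return "Adds whether the user has an OTP credential and which identity provider the account is linked to.";
    }

    @Override
    public List<ProviderConfigProperty> getConfigProperties() {
        return CONFIG;
    }

    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession,
                            KeycloakSession keycloakSession, ClientSessionContext clientSessionCtx) {
        UserModel user = userSession.getUser();
        RealmModel realm = userSession.getRealm();

        // True when an OTP credential of type "otp" is stored for the user,
        // regardless of whether it was used in this particular login.
        boolean totpConfigured = user.credentialManager().isConfiguredFor(OTPCredentialModel.TYPE);

        // Alias of the first identity provider linked to this account, or "local".
        // A user may be linked to several brokers; only the first is reported here.
        String idp = keycloakSession.users()
                .getFederatedIdentitiesStream(realm, user)
                .map(FederatedIdentityModel::getIdentityProvider)
                .findFirst()
                .orElse("local");

        token.getOtherClaims().put(CLAIM_TOTP, totpConfigured);
        token.getOtherClaims().put(CLAIM_IDP, idp);
    }
}
```

Two caveats worth keeping in mind when reading the resulting claims. `totp_configured` says only that a credential exists, not that it was presented in the current session; if the client must know that the second factor was actually used, the LoA/ACR mechanism Alexander points to is the right source. Likewise `federated_idp` reports an account link, not the login path of this session, so a user with a linked IdP who authenticated with a local password still gets the IdP alias; the "Hardcoded User Session Attribute" plus "User Session Note" approach captures the per-session path instead.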

Niko Köbler

Oct 15, 2025, 5:11:15 PM
to Keycloak User
In addition to Alexander's answer, you can set "Authentication Reference" values on any authenticator step. This information can be mapped with the AMR (Authentication Method Reference) mapper to the token(s).
There is an RFC trying to define some common values, https://datatracker.ietf.org/doc/html/rfc8176, but you can also define your custom values.
