jwt - Keycloak add extra claims from database / external source

Question

I have not been able to divine the way I might add extra claims from my application database. Given my limited understanding, I see two ways:

1. After successful authentication have keycloak pull extra claims from the application database somehow. This app database is postgres, for example.
2. Have the application update the jwt with extra claims using a shared key.

I would like some feedback both paths. I feel that the fist option may be safer. However I am not sure where to begin that implementation journey.

Answer 1

Answering my own question here. I cross-posted this question to the Keycloak users mailing list here (http://lists.jboss.org/pipermail/keycloak-user/2017-April/010315.html) and got an answer that seems reasonable.

This is pasted from the answer I received there.

I use the first option. I do it with a protocol mapper, which is a convenient place to do it because there the token is already built by keycloak but hasn't been signed yet. This is the procedure :

1. User logs in

2. My custom protocol mapper gets called, where I overwrite the transformAccessToken method

3. Here I log in the client where the protocol mapper is in into keycloak, as a service. Here don't forget to use another client ID instead the one you're building the protocol mapper for, you'll enter an endless recursion otherwise.

4. I get the access token into the protocol mapper and I call the rest endpoint of my application to grab the extra claims, which is secured

5. Get the info returned by the endpoint and add it as extra claims