Client attribute mapper

[juanjoDiaz]

Description

User attributes are a first class citizen.
They have their own tab on the user view of the admin portal and they have a mapper so they can be included in tokens.

Clients attributes are second class citizens.
They do NOT have their own tab and must be managed through the Admin API, and they can't be mapped to be included in tokens.

I propose to bring parity to these two.
It doesn't seem like this is a new idea. Someone already asked for this a few years ago: https://lists.jboss.org/pipermail/keycloak-user/2016-March/005447.html

Discussion

No response

Motivation

I own a public API and use Keycloack to provide authentication and authorization.
I register all consumers of my API as client with only service account enabled so they can get tokens and call my API.
I'm adding some metadata to each client to be included in the token so my API has more information.

Standard use case, just as you would do for a user, but a client.

Details

No response

[danielgratzl]

@juanjoDiaz Did you find a solution for this? We have the same requirements. In legacy Keycloak we managed to implement this via a extension of the admin templates to include a field to manage the client attribute and a javascript token mapper to map that attribute to the token.

in the new Keycloak it is also possible to extend the admin UI to allow managing custom client attributes but I haven't found a way to access the custom attributes in the Java Token Mapper.

[DAHAG-ArisNourbakhsh]

@danielgratzl assign the attributes on the service-account of the client instead of directly on the client.

(still would very much like a way to edit client attributes in the admin)