snappymcsnap

Reputation: 2103

How do I include the User Profile attributes in my JWT from Keycloak

Under Realm Settings -> User Profile I added some custom attributes

I want these to be returned as part of the JWT upon successful login. I tried to map them the way I mapped roles (Client - Client Scopes - dedicated - add mapper) but they aren't being included in the JWT after login.

How do I get these in there?

Upvotes: 2

Views: 3141

Answers (1)

dreamcrash

Reputation: 51443

The User Profile is about the attribute scheme and enforcing constraints on it. However, for those attributes to show up in the token, besides the user attribute mapper, the user on whose behalf the token is being acquired needs to have those attributes set.

One can set those attributes by going to Users, selecting the user in question, switching to the Attributes tab and adding the attributes (e.g., "Department" : "lol"). Alternatively, require the user to do so manually, for example by forcing a profile update.

A demo example using the new Keycloak API:

First enable the feature:

Declarative User Profile is Technology Preview and is not fully supported. This feature is disabled by default.

To enable it, start the server with --features=preview or --features=declarative-user-profile

Then go to:

  • Realm Settings
  • General
  • Switch "User Profile Enabled" to ON (if not yet done)
  • Click on the Save button

Switch to the tab User Profile:

  • Click on Create attribute
  • Reproduce the configuration displayed on the images below

(three screenshots of the attribute configuration)

  • Click on the Save button

Now on the client that will be used for authentication do:

  • Go to Clients
  • Click on the aforementioned client
  • Switch to the tab Client Scopes
  • Click on the scope <client_id>-dedicated
  • Select Configure a new Mapper
  • Select User Attribute
  • Configure it as follows:

(screenshot of the User Attribute mapper configuration)

  • Click on the Save button

Now, either you or your users need to fill in the "Department" attribute in order for it to show up in the token.

a) To manually add the attribute on behalf of the user:

  • Go to Users
  • Click on the user in question
  • Switch to the tab Attributes
  • Add the attribute

(screenshot of the user's Attributes tab)

Now, if you request a token on behalf of the user above using the client for which we created the User Attribute mapper, you should see the attribute Department in the access token. Something like:

Payload
{
  "exp": ...,
  "iat": ...,
  "jti": "...",
  "iss": "...",
  "sub": "...",
  "typ": "...",
  "azp": "test_client",
  "session_state": "...",
  "acr": "1",
  "scope": "email profile",
  "sid": "...",
  "Department": "a",
  "email_verified": ...,
  "name": "a a",
  "preferred_username": "test_user",
  "given_name": "a",
  "family_name": "a"
}

b) To force users to add their mandatory attributes:

  • Go to Authentication
  • Switch to Required Actions
  • Set the Update Profile to ON

If the user now logs in to kc_dns/realms/{REALM_NAME}/account, for instance, you should get something like:

(screenshot of the Update Profile form)

After the user adds the attribute and presses Submit, requesting a token on behalf of that user using the client for which we created the User Attribute mapper should show the attribute Department in the access token.

Upvotes: 4
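As an added example (not part of the answer above, and not Keycloak's own code), the following Python script shows the two pieces the answer configures by clicking: the Admin REST representation of the "User Attribute" mapper (the `oidc-usermodel-attribute-mapper` protocol mapper and its `config` keys are Keycloak's real identifiers; the values are illustrative), and a small troubleshooting helper that decodes a token's payload and reports which expected claims are missing, which is the quickest way to tell whether the mapper or the missing user attribute is the problem. The sample token is constructed inline with a bogus signature purely as a fixture; the decoder deliberately does not verify signatures, so it is for inspection only and real validation must check the signature against the realm's JWKS.

```python
import base64
import json

# Admin REST representation of the "User Attribute" mapper the answer builds by hand.
# It is what you would POST to /admin/realms/{realm}/clients/{client-uuid}/protocol-mappers/models
# with an admin bearer token. Keys are Keycloak's; the name and attribute values are examples.
def user_attribute_mapper(user_attribute, claim_name, in_access_token=True,
                          in_id_token=True, in_userinfo=True):
    return {
        "name": f"{claim_name} mapper",
        "protocol": "openid-connect",
        "protocolMapper": "oidc-usermodel-attribute-mapper",
        "config": {
            "user.attribute": user_attribute,        # attribute name on the user
            "claim.name": claim_name,                # claim name emitted in the token
            "jsonType.label": "String",
            "access.token.claim": str(in_access_token).lower(),
            "id.token.claim": str(in_id_token).lower(),
            "userinfo.token.claim": str(in_userinfo).lower(),
        },
    }


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding,
    # otherwise Python raises "Incorrect padding" on most real tokens.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_payload_unverified(token):
    # Inspection only: the signature is NOT checked here. Never make authorization
    # decisions on a payload decoded this way; verify against the realm JWKS instead.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def missing_claims(payload, expected):
    # Claims you expected the mapper to produce but which are absent: an empty
    # list means the mapper and the user's attribute are both in place.
    return [claim for claim in expected if claim not in payload]


def make_sample_token(payload):
    # Constructed test fixture: header + payload with a placeholder signature segment.
    # It is not a valid Keycloak token and would fail any signature check.
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.constructed-signature-not-valid"


# Constructed payload mirroring the shape shown in the answer (values are made up).
SAMPLE_PAYLOAD = {
    "azp": "test_client",
    "scope": "email profile",
    "Department": "a",
    "preferred_username": "test_user",
}
SAMPLE_TOKEN = make_sample_token(SAMPLE_PAYLOAD)


if __name__ == "__main__":
    print(json.dumps(user_attribute_mapper("Department", "Department"), indent=2))
    claims = decode_payload_unverified(SAMPLE_TOKEN)
    print("missing:", missing_claims(claims, ["Department", "email"]))
```

If `missing_claims` reports the claim, check the mapper first (the `user.attribute` value must match the attribute name exactly, and the token type you are inspecting must have its claim flag set to `true`), then check that the user actually has the attribute set, as the answer describes.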
