Skip to main content
Version: 2.0.0

Token Claims

In order to use information about tenants in your application, you need to add it to the token claims.

IAMS introduced the following mapper to add tenant information to the token claim:

  • Active tenant – maps the active tenant to a token claim.
  • All tenants – maps all tenants that user is a member of to a token claim.

Configure the Mapper

You can enable the mapper to the individual client or at the Client Scopes.

If you enable the mapper at the Client Scopes, any new client created after that will inherit the mappers and do not need require further configuration.

The default realm created in the Local Development has the mapper configured in Client Scopes.

Enable at Keycloak Client

To enable the 2 mapper for a Keycloak Client, perform the following steps:

  1. Login to Keycloak Admin Console and switch to the realm.

  2. Click on Clients in the side menu

Clients

  1. Click on the Client ID of the client to configure.

  2. Click on the Client scopes tab.

Client Scopes

  1. Click on the client scope with the name ended with dedicated.

Dedicated

  1. Click on Add mapper and select By configuration.

Add Mapper

  1. Click on Active tenant

Active Tenant

  1. Enter the following fields:
  • Name: active_tenant
  • Token Claim Name: active_tenant
  • Turn on Add to lightweight access token checkbox
  1. Click on Save to add the mapper.

Save Mapper

  1. Click Cancel to go back to the Mappers list. You should see active_tenant mapper in the list.

Active Tenant Mapper

  1. Click on Add mapper and select By configuration.

  2. Click on All tenants

All tenants

  1. Enter the following fields:
  • Name: all_tenants
  • Token Claim Name: all_tenants
  • Turn on Add to lightweight access token checkbox
  1. Click on Save to add the mapper.

All tenants

Enable at Client Scopes

As mentioned, enable the mappers in Client Scopes will allow any newly created client to automatically inherit the mappers.

Follows the following steps to enable mapper at the Client Scopes:

  1. Login to the Web Admin Console and navigate to the realm.

  2. Click on Client scopes in the side menu:

Client Scopes

  1. Click on Create client scope:

Create Client Scope

  1. Enter the followings:
  • Name: any prefer name
  • Type: Default
  • Protocol: OpenID Connect
  • Turn off the Display on consent screen checkbox
  1. Click on Save to create the client scope.

Create Client Scope Form

  1. Click on Mappers tab

Mapper

  1. Click on Configure a new mapper button:

Mapper

  1. Click on Active tenant

Mapper

  1. Enter the following fields:
  • Name: active_tenant
  • Token Claim Name: active_tenant
  • Turn on Add to lightweight access token checkbox
  1. Click on Save to add the mapper.

Save Mapper

  1. Click Cancel to go back to the Mappers list. You should see active_tenant mapper in the list.

Active Tenant Mapper

  1. Click on Add mapper and select By configuration.

Add Mapper - By configuration

  1. Click on All tenants

All Tenants

  1. Enter the following fields:
  • Name: all_tenants
  • Token Claim Name: all_tenants
  • Turn on Add to lightweight access token checkbox
  1. Click on Save to add the mapper.

All Tenants Form