Keycloak add extra claims from database / external source

孤街浪徒 2020-12-14 23:40

I have not been able to divine the way I might add extra claims from my application database. Given my limited understanding, I see two ways:

  1. After successful
1 Answer
  • 2020-12-15 00:11

    Answering my own question here. I cross-posted this question to the Keycloak users mailing list here (http://lists.jboss.org/pipermail/keycloak-user/2017-April/010315.html) and got an answer that seems reasonable.

    This is pasted from the answer I received there.

    I use the first option. I do it with a protocol mapper, which is a convenient place to do it because there the token is already built by Keycloak but hasn't been signed yet. This is the procedure:

    1. User logs in

    2. My custom protocol mapper gets called, where I overwrite the transformAccessToken method

    3. Here I log in the client where the protocol mapper is in into Keycloak, as a service. Here, don't forget to use another client ID instead of the one you're building the protocol mapper for; you'll enter an endless recursion otherwise.

    4. I get the access token into the protocol mapper and I call the rest endpoint of my application to grab the extra claims, which is secured

    5. Get the info returned by the endpoint and add it as extra claims

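The five steps of the answer above written out as a Keycloak protocol mapper in Java; this is an added example, not the code from the mailing-list answer. It assumes Java 11+ and a Keycloak release whose `transformAccessToken` takes a `ClientSessionContext` (older releases use a different last parameter). The class name, the `claims-fetcher` client, both URLs, the `CLAIMS_FETCHER_SECRET` variable and the `app_claims` claim are hypothetical, and refusing to issue a token when the lookup fails is a choice made here.

```java
// Added example with hypothetical names; not the mailing-list author's code.
import java.net.*;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.util.*;
import org.keycloak.models.*;
import org.keycloak.protocol.oidc.mappers.*;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.*;
import org.keycloak.util.JsonSerialization;
public class ExternalClaimsMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper {
    // Hypothetical values: replace with your realm, service client and application endpoint.
    static final String TOKEN_URL = "https://keycloak.example/auth/realms/demo/protocol/openid-connect/token";
    static final String CLAIMS_URL = "https://app.example/internal/claims/";
    static final String SERVICE_CLIENT_ID = "claims-fetcher"; // must NOT carry this mapper (step 3)
    private static final HttpClient HTTP = HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(2)).build();
    @Override public String getId() { return "external-claims-mapper"; }
    @Override public String getDisplayType() { return "External claims"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Adds claims fetched from the application."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }
    @Override
    public AccessToken transformAccessToken(AccessToken token, ProtocolMapperModel model, KeycloakSession session,
            UserSessionModel userSession, ClientSessionContext ctx) {
        try {
            // Step 3: client-credentials login as the separate service client.
            String form = "grant_type=client_credentials&client_id=" + SERVICE_CLIENT_ID + "&client_secret="
                    + URLEncoder.encode(System.getenv("CLAIMS_FETCHER_SECRET"), StandardCharsets.UTF_8);
            String svc = JsonSerialization.readValue(send(HttpRequest.newBuilder(URI.create(TOKEN_URL))
                    .header("Content-Type", "application/x-www-form-urlencoded")
                    .POST(HttpRequest.BodyPublishers.ofString(form))), AccessTokenResponse.class).getToken();
            // Step 4: call the secured application endpoint for the user who is logging in.
            String body = send(HttpRequest.newBuilder(URI.create(CLAIMS_URL + userSession.getUser().getId()))
                    .header("Authorization", "Bearer " + svc));
            // Step 5: add the result under one namespaced claim so it cannot replace sub, aud, exp, ...
            token.getOtherClaims().put("app_claims", JsonSerialization.readValue(body, Map.class));
            return token;
        } catch (Exception e) { // fail closed: no token without the extra claims
            if (e instanceof InterruptedException) Thread.currentThread().interrupt();
            throw new IllegalStateException("external claims unavailable, refusing to issue token", e);
        }
    }
    private static String send(HttpRequest.Builder b) throws Exception {
        HttpResponse<String> r = HTTP.send(b.timeout(Duration.ofSeconds(2)).build(), HttpResponse.BodyHandlers.ofString());
        if (r.statusCode() != 200) throw new IllegalStateException("HTTP " + r.statusCode() + " from " + r.uri());
        return r.body();
    }
}
```

Keycloak discovers the mapper through a `META-INF/services/org.keycloak.protocol.ProtocolMapper` file naming the class. Both HTTP calls run inside token issuance, so the timeouts bound how long a slow application endpoint can stall logins.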