Hi, in our project we successfully implemented a custom Authenticator in Keycloak for a “magic link” login method, and now we want to reflect this authentication method in the JWT access token, so the application can decide to force an additional password login for functionalities with higher security requirements. Is there maybe already some existing functionality to reflect different authentication methods in the access token?

I was thinking of a Custom Protocol Mapper that writes this e.g. as a property loginMethod:"magic-link" into the access token, but I wonder how that information can be passed from our Authenticator to our OIDCAccessTokenMapper.

In the Authenticator, I was thinking of using AuthenticationFlowContext.getAuthenticationSession().setUserSessionNote(name, value); to store it, and then using userSession.getNote(name) in the OIDCAccessTokenMapper to obtain it. Now I wonder about two things:

• are UserSession notes replicated in the cluster, so that when there is a subsequent token refresh on a different cluster node, will userSession.getNote() contain the value, so it will be mapped to the new access token?
• is the UserSession scoped to a given client? Or will all clients then see the UserSession note?