Ensure hardcoded claim mapper
ensure_hardcoded_claim_mapperIdempotently ensure a Keycloak client includes a hardcoded claim in tokens. Matches existing mappers by claim name; reports plan or applies changes on write=true.
Instructions
Idempotently ensure a client has an oidc-hardcoded-claim-mapper emitting the given claim. Matches existing mappers by claim name: reports 'already-present' when the config matches, a diff + update when it differs, and a create when absent. With write=false (default) it only returns the plan; write=true applies it.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| host | Yes | Target Keycloak host key, as configured in the config file's "hosts" map (or the KC_<HOST>_* env fallback). A host whose "production" flag is true, or absent, is treated as PRODUCTION and its writes are gated by "allowProdWrite". | |
| realm | Yes | Target realm name for the operation. | |
| write | No | false (default) = dry run: report what would happen without changing anything. true = apply the change. Production hosts additionally require KC_ALLOW_PROD_WRITE=true in the server environment. | |
| clientId | Yes | The client's clientId (the human-readable OAuth client id, not the UUID). | |
| claimName | Yes | The claim key to emit in tokens, e.g. "realm". | |
| claimValue | Yes | The hardcoded value the claim should carry. | |
| addToIdToken | No | Whether the claim is added to ID tokens (default false). | |
| claimJsonType | No | Keycloak claim JSON type label (default "String"). | String |
| addToAccessToken | No | Whether the claim is added to access tokens (default true). |