I'm trying to implement a guest login feature using Keycloak in my API. Here's what I'm attempting:
- Created a guest user with a guest role that has minimal permissions.
- When a user chooses guest login, they provide their real email (e.g., [email protected]).
- The API authenticates with Keycloak using guest credentials and also passes the real email in the request.
Request to Keycloak:
using System.Collections.Generic;

// Form parameters for the Resource Owner Password Credentials grant
var authRequestParameters = new KeyValuePair<string, string>[]
{
    new("client_id", "my-client"),
    new("client_secret", "my-secret"),
    new("scope", "openid"),
    new("grant_type", "password"),
    new("username", "guest_user"),
    new("password", "guest_password_XXXXX"),
    new("guest_email", "[email protected]") // Custom field (not a standard OAuth2 token-endpoint parameter)
};
I expect the returned JWT token to contain a guest_email claim, but it does not.
{
    ---removed extra info---
    "name": "Guest Guest",
    "guest_email": "[email protected]"  -- missing
}
I've tried User Session Note Mappers as well, but it didn’t work as expected. Looked into possible custom protocol mappers, but I’m unsure of the best approach.
Note: The solution must handle high concurrency, since the same guest user account will be used by multiple users simultaneously. A concurrency-safe approach is required to ensure that one session's data does not overwrite another's, so this info has to be at the token level without having it saved in the Keycloak DB.
Questions:
- How can I pass and retrieve the real email in the JWT when logging in as a guest?
- What’s the best way to implement this without session data conflicts in a multi-user environment?
- Are there better alternatives for implementing guest login with Keycloak? Any pros and cons?
Any guidance would be greatly appreciated!
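One stateless way to carry the guest email at the token level without touching the Keycloak database, given here as an added example that is not part of the question and not Keycloak's or the asker's code: let the API itself issue a small HS256-signed "guest context" token after it has obtained and validated the Keycloak access token for the shared guest account. The context token is bound to that specific Keycloak token's `jti` and `sub` and never outlives its `exp`, so two concurrent guests each get their own context that cannot be swapped, and no per-session state is kept anywhere. The email is client-supplied and unverified, so it is carried with `email_verified: false` and must never drive authorization. Everything below is constructed for illustration: `API_SIGNING_KEY`, the claim names `bound_jti` and `guest_context`, and the sample Keycloak claims are assumptions, not Keycloak conventions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key (assumption); a real deployment loads this from a secret store
# and keeps it separate from anything Keycloak uses.
API_SIGNING_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical issuer name for the API's own guest-context tokens.
GUEST_CONTEXT_ISSUER = "guest-context"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> str:
    mac = hmac.new(API_SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return _b64url(mac)


def mint_guest_context(keycloak_claims: dict, guest_email: str, now: Optional[int] = None) -> str:
    """Issue a guest-context JWT bound to one already-validated Keycloak access token.

    keycloak_claims is the decoded payload of the Keycloak token (sub, jti, exp at least).
    """
    now = int(time.time()) if now is None else now
    missing = [k for k in ("sub", "jti", "exp") if k not in keycloak_claims]
    if missing:
        raise ValueError(f"Keycloak token lacks required claims: {missing}")
    if keycloak_claims["exp"] <= now:
        raise ValueError("Keycloak token is already expired")
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": GUEST_CONTEXT_ISSUER,
        "sub": keycloak_claims["sub"],          # the shared guest account
        "bound_jti": keycloak_claims["jti"],    # the one Keycloak token this context belongs to
        "guest_email": guest_email,             # client-supplied, informational only
        "email_verified": False,                # nobody verified this address
        "iat": now,
        "exp": keycloak_claims["exp"],          # never outlives the Keycloak token
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    return f"{signing_input}.{_sign(signing_input)}"


def verify_guest_context(token: str, keycloak_claims: dict, now: Optional[int] = None) -> dict:
    """Return the context payload if the signature is valid and it belongs to this Keycloak token."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed guest-context token")
    encoded_header, encoded_payload, signature = parts
    header = json.loads(_b64url_decode(encoded_header))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = _sign(f"{encoded_header}.{encoded_payload}")
    if not hmac.compare_digest(expected, signature):   # constant-time comparison
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(encoded_payload))
    if payload.get("iss") != GUEST_CONTEXT_ISSUER:
        raise ValueError("wrong issuer")
    if payload["exp"] <= now:
        raise ValueError("guest context expired")
    if payload["sub"] != keycloak_claims.get("sub") or payload["bound_jti"] != keycloak_claims.get("jti"):
        raise ValueError("guest context is bound to a different Keycloak token")
    return payload


def is_valid_guest_context(token: str, keycloak_claims: dict, now: Optional[int] = None) -> bool:
    try:
        verify_guest_context(token, keycloak_claims, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: two guests logged in at the same time with the same guest account
    # but distinct Keycloak tokens (distinct jti values).
    now = 1_700_000_000
    guest_a = {"sub": "guest-account-uuid", "jti": "jti-a", "exp": now + 300}
    guest_b = {"sub": "guest-account-uuid", "jti": "jti-b", "exp": now + 300}
    ctx_a = mint_guest_context(guest_a, "alice@example.com", now=now)
    ctx_b = mint_guest_context(guest_b, "bob@example.com", now=now)
    print(verify_guest_context(ctx_a, guest_a, now=now)["guest_email"])
    print("cross-use accepted:", is_valid_guest_context(ctx_a, guest_b, now=now))
```

The API returns both tokens to the guest client and requires both on later requests; the Keycloak token still carries the guest role for authorization, while the context token only personalizes the session. Because the binding is to `jti`, each concurrent guest session is isolated without any shared store, and the context becomes useless as soon as the Keycloak token expires.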