# Steps to provide Hasura Claims in Keycloak generated JWT

1. Create your realm / client
2. Inside client configuration go to "Mappers"
3. Click on "Create"
4. Name it "hasura"
5. Choose Mapper Type "Script Mapper"
6. Add following script to demonstrate how it works

```js
/**
 * Available variables: 
 * user - the current user (UserModel)
 * realm - the current realm (RealmModel)
 * token - the current token (TokenModel)
 * userSession - the current userSession (UserSessionModel)
 * keycloakSession - the current keycloakSession (KeycloakSessionModel)
 */


//insert your code here...
var roles = [];
for each (var role in user.getRoleMappings()) roles.push(role.getName());
token.setOtherClaims("https://hasura.io/jwt/claims", {
    "x-hasura-user-id": user.getId(),
    "x-hasura-allowed-roles": Java.to(roles, "java.lang.String[]"),
    "x-hasura-default-role": "user",
});
```

Thats it, the next step is just to verify your settings

7. Go to clients -> your-client -> Scopes -> Evaluate
8. Select an user, and see the generated JWT payload in "Generated Access Token" Tab

Update: Keycloak has a new policy. they disable ScriptMappers by default
You have to start the instance with this flag:

`-Dkeycloak.profile.feature.upload_scripts=enabled`