Determine if user is logged in with IdP or not

Hello,

Using the KC Admin REST API or some alternative how can an application consuming KC JWT token determine if a user logged in through an Identity Provider? If this is possible using

Thank you,

David

I would say your question should be: how to verify that JWT token is valid. If you know that is valid and you know which IDP was used, then you can assume that user is “logged in” = user used valid credentials in the IDP login flow and valid JWT token was returned by IDP.

Validation of JWT is defined by RFC 7519.

Lazy developers and poor implementations use userinfo/introspection endpoint for online validation. But that adds latency, because IDP must be requested. Beauty of JWT is that you don’t need to contact IDP for every request, when you have proper validation implementation.

Hello,

Thanks for your reply but I didn’t explain clearly. Given a valid JWT and active session issued by Keycloak which allows users to log in through:

  1. A “native” account created through registration on the Keycloak,
  2. An Identity Provider (IdP) such as Google or another Social login

I am looking for a way to determine which method was used to log in by either including the relevant information in the token, using the REST API, or some indicator in the session.

The practical reason is quite simply that my single page web application will allow users to change/set their password by redirecting to the respective Keycloak page. Users which logged in through IdP should be made aware that the password they are setting is not the one that was used to login through the IdP.

Thanks,

David

This might help:

After a user login from an external IDP, Keycloak stores user session note data that you can access. This data can be propagated to the client requesting log in using the token or SAML assertion passed back to the client using an appropriate client mapper.

identity_provider

The IDP alias of the broker used to perform the login.

identity_provider_identity

The IDP username of the currently authenticated user. Often, but not always, the same as the Keycloak username. For example, Keycloak can link a user `john` to a Facebook user `john123@gmail.com`. In that case, the value of the user session note is `john123@gmail.com`.

You can use a Protocol Mapper of type User Session Note to propagate this information to your clients.

https://www.keycloak.org/docs/latest/server_admin/#available-user-session-data

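As an added illustration (not code from the thread or from Keycloak), here is how the single page application described above could read the claim produced by a User Session Note mapper and decide whether to show the password notice. It assumes the mapper was configured with a token claim name of `identity_provider`, that the token's signature has already been verified by the app's OIDC library before its claims are read, and uses constructed sample tokens with a dummy signature.

```javascript
// Decode the payload of a compact JWT (base64url) WITHOUT verifying it.
// Assumption: the SPA's OIDC library has already validated the signature,
// issuer and expiry; this helper only reads claims from a trusted token.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS token');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bin = atob(padded);
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Claim name assumed to match the "Token Claim Name" set on the
// User Session Note mapper for the "identity_provider" session note.
const IDP_CLAIM = 'identity_provider';

// Returns the broker alias for a brokered login, or null for a "native"
// Keycloak login, where the session note (and so the claim) is absent.
function brokeredIdp(claims) {
  const alias = claims[IDP_CLAIM];
  return typeof alias === 'string' && alias.length > 0 ? alias : null;
}

// Notice shown before redirecting to the Keycloak password page;
// null means the user logged in natively and no warning is needed.
function passwordNotice(claims) {
  const idp = brokeredIdp(claims);
  if (!idp) return null;
  return `You signed in through ${idp}. The password you set here is your ` +
    `Keycloak password, not the one used to sign in through ${idp}.`;
}

// Constructed sample tokens (ASCII payloads, dummy signature) for a user
// who registered natively and one who logged in through a "google" broker.
function makeToken(payload) {
  const enc = (o) => btoa(JSON.stringify(o))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.dummysig`;
}
const nativeToken = makeToken({ sub: 'u1', preferred_username: 'john' });
const googleToken = makeToken({
  sub: 'u2', preferred_username: 'john',
  identity_provider: 'google', identity_provider_identity: 'john123@gmail.com',
});
```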

Thank you, your solution works as intended.