Hello,
Using the KC Admin REST API or some alternative how can an application consuming KC JWT token determine if a user logged in through an Identity Provider? If this is possible using
Thank you,
David
Hello,
Using the KC Admin REST API or some alternative how can an application consuming KC JWT token determine if a user logged in through an Identity Provider? If this is possible using
Thank you,
David
I would say your question should be: how to verify that JWT token is valid. If you know that is valid and you know which IDP was used, then you can assume that user is “logged in” = user used valid credentials in the IDP login flow and valid JWT token was returned by IDP.
Validation of JWT is defined by RFC 7519.
Lazy developers and poor implementations use userinfo/introspection endpoint for online validation. But that adds a latency, because IDP must be requested. Beauty of JWT is that you don’t to contact IDP for every request, when you have proper validation implementation.
Hello,
Thanks for your reply but I didn’t explain clearly. Given a valid JWT and active session issued by Keycloak which allows users to log in through:
I am looking for a way to determine which method was used to log in by either including the relevant information in the token, using the REST API, or some indicator in the session.
The practical reason is quite simply that my single page web application will allow users to change/set their password by redirecting to the respective Keycloak page. Users which logged in through IdP should be made aware that the password they are setting is not the one that was used to login through the IdP.
Thanks,
David
This might help:
After a user login from an external IDP, Keycloak stores user session note data that you can access. This data can be propagated to the client requesting log in using the token or SAML assertion passed back to the client using an appropriate client mapper.
identity_provider
The IDP alias of the broker used to perform the login.
identity_provider_identity
The IDP username of the currently authenticated user. Often, but not always, the same as the Keycloak username. For example, Keycloak can link a user john
to a Facebook user
john123@gmail.com. In that case, the value of the user session note is
john123@gmail.com` .You can use a Protocol Mapper of type
User Session Note
to propagate this information to your clients.
https://www.keycloak.org/docs/latest/server_admin/#available-user-session-data
Thank you, your solution works as intended.