Identifying user's login method

Is there a way in Keycloak SPI to identify which method a user logged in with, e.g. OTP or WebAuthn?

I’m trying to check if a user logged in with 1FA or 2FA. Right now I’m confirming this using the UserCredentialManager.getStoredCredentialsStream() method to check if the user has a 2FA method enabled or not.

Many thanks.

If you extended the 2FA authenticator you could set something on the user’s session notes after they authenticate like context.getAuthenticationSession().setUserSessionNote("loginMethod", "something").

Those can then be added to the client scope and returned as an additional claim.

This would require you to make a custom authentication flow and configure your client to use it instead of whatever it’s using today.
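
The approach described in the answer above, as an added example (not code from this thread or from the Keycloak project): a subclass of Keycloak's OTPFormAuthenticator that writes the session note only after the OTP step has succeeded, plus the factory needed to select it in a custom flow. The package, class names, provider id and the note value "otp" are assumptions; the note key "loginMethod" is the one used in the answer.

```java
// Added example. Package, class names, provider id and note value are hypothetical.
package com.example.keycloak;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.FlowStatus;
import org.keycloak.authentication.authenticators.browser.OTPFormAuthenticator;
import org.keycloak.authentication.authenticators.browser.OTPFormAuthenticatorFactory;
import org.keycloak.models.KeycloakSession;

/** OTP form that records that the OTP step was completed in this login. */
class LoginMethodOtpAuthenticator extends OTPFormAuthenticator {
    static final String NOTE_KEY = "loginMethod"; // key from the answer above
    static final String NOTE_VALUE = "otp";       // constructed value

    @Override
    public void action(AuthenticationFlowContext context) {
        // The stock authenticator validates the submitted code and sets the status.
        super.action(context);
        // Record the note only on success, so a failed or re-challenged attempt
        // never marks the session as having passed the second factor.
        if (context.getStatus() == FlowStatus.SUCCESS) {
            // Auth-session notes set this way are copied to the user session
            // when it is created, which is where a protocol mapper reads them.
            context.getAuthenticationSession().setUserSessionNote(NOTE_KEY, NOTE_VALUE);
        }
    }
}

/** Factory that exposes the authenticator above under its own provider id. */
public class LoginMethodOtpAuthenticatorFactory extends OTPFormAuthenticatorFactory {
    public static final String ID = "login-method-otp-form";
    private static final Authenticator INSTANCE = new LoginMethodOtpAuthenticator();

    @Override
    public String getId() { return ID; }

    @Override
    public String getDisplayType() { return "OTP Form (records login method)"; }

    @Override
    public Authenticator create(KeycloakSession session) { return INSTANCE; }
}
```

The factory is registered by listing its fully qualified name in META-INF/services/org.keycloak.authentication.AuthenticatorFactory inside the provider JAR. A "User Session Note" protocol mapper on the client scope can then expose "loginMethod" as a token claim; unlike a stored-credential lookup, the note reflects what was actually used in this session.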