UNSOLVED Retrieve IdP id used for login
Is it possible to determine, which IdP (IdP id in FusionAuth) was used by a user to login?
How are you using FusionAuth? Login API or hosted login pages?
When do you want to know? In the login record, the JWT or some other way?
You get a value in the JWT with the IDP type: https://fusionauth.io/docs/v1/tech/oauth/tokens/
You also can see the
identityProviderIdin the success login event: https://fusionauth.io/docs/v1/tech/events-webhooks/events/#user-login-success
I am using FusionAuth with a redirect to FusionAuth login page and after handling oauth-callback with my API.
In the ideal case, I would like to know the IdP ID during OAuth callback, which means when I will have obtained JWT.
Just IdP type isn't enough, because according to the unique IdP ID I need to decide which fields I will take from user.data reconciled from SAML or OpenID.
Webhook wasn't in consideration, because it would be hard to keep data in sync in my case.
I think what you want is on the user object, so you want to do the following:
- add a jwt populate lambda: https://fusionauth.io/docs/v1/tech/lambdas/jwt-populate/
- extract the idp used from the
userobject in that lambda.
I haven't tested this, but from the docs
A map that contains tokens returned from identity providers. For example, if this user has authenticated using the Facebook Identity Provider, the Facebook access token will be available in this map, keyed by name Facebook. For an OpenID Connect Identity provider, or other generic providers, if a token is stored it will be keyed by the Identity Provider unique Id.
So I think you could look at that tokens map and find out the idp the user used to register. Give that a try and let me know if it works, please.
I tried to play around with lambdas (both JWT populate and SAML reconcile), found next:
- in populate,
user.registrations[x].tokensfield is always empty (at least for SAML providers);
- in reconcile,
https://domain.name/samlv2/sp/4d7c275f-1e34-43b8-b651-103582e96fa3with an IdP ID;
- also, in Event Log, debug message of SAML lambda has an IdP ID in it:
SAML v2 IdP Response Debug Log for [IdP Name] with Id [4d7c275f-1e34-43b8-b651-103582e96fa3]
For now, I could extract an ID from
conditions.audiencess, but is there any other way to access it?
audiencessis an array, in my case with only one element, what else I should expect to receive in this array?
- in populate,
Glad you were able to figure it out. I'm not aware of any other way to access the identity provider id from the response, but that does seem to solve your problem, correct?
Please feel free to file a feature request more clearly outlining your use case and proposed ideal solution.
It looks like the type of
audiencesis a set of strings, so I wouldn't expect any complex elements.
The docs say that this field is:
[a] list of the audiences for this SAML response. By default, the issuer or audience from the form are used.
This is not super clear to me, so I filed a PR against the docs to make it clearer: https://github.com/FusionAuth/fusionauth-site/pull/376