    Retrieve IdP id used for login

      tony

      Is it possible to determine which IdP (the IdP id in FusionAuth) a user used to log in?

        dan

        @tony

        How are you using FusionAuth? Login API or hosted login pages?

        When do you want to know? In the login record, the JWT or some other way?

        You get a value in the JWT with the IDP type: https://fusionauth.io/docs/v1/tech/oauth/tokens/

        You also can see the identityProviderId in the success login event: https://fusionauth.io/docs/v1/tech/events-webhooks/events/#user-login-success

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

          tony @dan

          @dan
          I am using FusionAuth with a redirect to the FusionAuth login page and then handling the oauth-callback with my API.
          In the ideal case, I would like to know the IdP ID during the OAuth callback, which means once I have obtained the JWT.
          Just the IdP type isn't enough, because based on the unique IdP ID I need to decide which fields I will take from user.data reconciled from SAML or OpenID.
          A webhook wasn't under consideration, because it would be hard to keep data in sync in my case.

            dan

            @tony

            I think what you want is on the user object, so you want to do the following:

            • add a jwt populate lambda: https://fusionauth.io/docs/v1/tech/lambdas/jwt-populate/
            • extract the idp used from the user object in that lambda.

            I haven't tested this, but from the docs user.registrations[x].tokens gives you:

            A map that contains tokens returned from identity providers.
            
            For example, if this user has authenticated using the Facebook Identity Provider, the Facebook access token will be available in this map, keyed by name Facebook. For an OpenID Connect Identity provider, or other generic providers, if a token is stored it will be keyed by the Identity Provider unique Id.
            

            So I think you could look at that tokens map and find out the idp the user used to register. Give that a try and let me know if it works, please.


              tony @dan

              @dan

              I tried to play around with lambdas (both JWT populate and SAML reconcile) and found the following:

              • in populate, the user.registrations[x].tokens field is always empty (at least for SAML providers);
              • in reconcile, samlResponse contains conditions.audiences[x]
                -> https://domain.name/samlv2/sp/4d7c275f-1e34-43b8-b651-103582e96fa3 with an IdP ID;
              • also, in the Event Log, the debug message of the SAML lambda has an IdP ID in it:
                SAML v2 IdP Response Debug Log for [IdP Name] with Id [4d7c275f-1e34-43b8-b651-103582e96fa3]

              For now, I could extract the ID from conditions.audiences, but is there any other way to access it? audiences is an array, in my case with only one element; what else should I expect to receive in this array?

                dan

                @tony

                Glad you were able to figure it out. I'm not aware of any other way to access the identity provider id from the response, but that does seem to solve your problem, correct?

                Please feel free to file a feature request more clearly outlining your use case and proposed ideal solution.

                It looks like the type of audiences is a set of strings, so I wouldn't expect any complex elements.

                The docs say that this field is:

                [a] list of the audiences for this SAML response. By default, the issuer or audience from the form are used.

                This is not super clear to me, so I filed a PR against the docs to make it clearer: https://github.com/FusionAuth/fusionauth-site/pull/376


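As an added example (not code from the thread or from FusionAuth), here is how the approach worked out above can be wired together: a SAML v2 reconcile lambda that pulls the IdP id out of samlResponse.conditions.audiences into user.data, and a JWT populate lambda that copies it into the token. The audience URL shape https://host/samlv2/sp/<uuid>, the claim name identityProviderId and the use of user.data for hand-off are assumptions; the UUID is the one posted above, used here as sample data.

```javascript
// Added example, not FusionAuth's own code. Written in ES5 style so it also
// runs on the older Nashorn-based lambda engine. Assumes SP audiences look like
// https://<host>/samlv2/sp/<identity-provider-uuid>, as reported in the thread.
var SP_AUDIENCE_RE = /\/samlv2\/sp\/([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$/i;

// Return the IdP UUID found in an audience list, or null if none matches.
// Every element is scanned, so an extra unexpected audience cannot break the lookup.
function idpIdFromAudiences(audiences) {
  if (!audiences) { return null; }
  for (var i = 0; i < audiences.length; i++) {
    var m = SP_AUDIENCE_RE.exec(String(audiences[i]));
    if (m) { return m[1].toLowerCase(); }
  }
  return null;
}

// SAML v2 reconcile lambda: FusionAuth calls reconcile(user, registration, samlResponse).
// Stores the IdP id under user.data.identityProviderId (claim name is my choice).
function reconcile(user, registration, samlResponse) {
  var conditions = samlResponse && samlResponse.conditions;
  var idpId = idpIdFromAudiences(conditions && conditions.audiences);
  user.data = user.data || {};
  if (idpId) {
    user.data.identityProviderId = idpId;
  } else {
    // Keep any previously stored value rather than overwriting it with null.
    console.info('No SP audience carrying an IdP id found in the SAML response');
  }
  return user;
}

// JWT populate lambda: FusionAuth calls populate(jwt, user, registration).
// Copies the stored IdP id into the token so the OAuth callback can read it.
function populate(jwt, user, registration) {
  if (user.data && user.data.identityProviderId) {
    jwt.identityProviderId = user.data.identityProviderId;
  }
  return jwt;
}
```

The return values are only there for testing outside FusionAuth; the lambda engine reads the mutated user and jwt objects.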