Keycloak: get identity provider info - spring-boot

I have spring boot app and I use keycloak as auth. provider.
For my realm I have set FACEBOOK or GOOGLE as identity providers.
I wonder how can I find out what identity provider user used - NOT via keycloak admin console, BUT in runtime.
eg.:
user A - FACEBOOK
user B - FACEBOOK
user C - GOOGLE

You can set a "User Session Note" mapper to your client's mappers.
Set the User Session Note field to: identity_provider
Note: you can use identity_provider_identity in User Session Note field to get its username from to identity provider https://www.keycloak.org/docs/latest/server_admin/index.html#available-user-session-data

Map metadata given in the access token, such as facebook/google user id, and import these to the keycloak user. If you then provide this metadata to the clients, they can see which identity broker that was used.
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/identity-broker/mappers.html

I know this question is old, but I found an alternative solution to your problem (given that you attempt to reach the information via Java / Spring). Say that that you have concrete variables user, realm and session of type UserModel, RealmModel and KeyCloakSession, respectively. Then you can obtain the set of all federated identities associated to your user:
Set<FederatedIdentityModel> identitySet = session.users().getFederatedIdentities(user, realm);
Each instance of FederatedIdentityModel has a #getIdentityProvider method allowing you to obtain the name of your IdP in question.

Related

Get Google User data with Keycloak identity provider

I have succesfully set up Google as Identity Provider in Keycloak, following the docs, and I'm now able to login to my application using keycloak.
Is there a way to get the user data from the google account that is logged in. In my application I would like to retrieve profile information like in this example and then add it later to my mappers so I could see it in my Access Token(Adding attributes in my access token is not an issue, that works fine)?
Try making a request against the userinfo endpoint
https://www.googleapis.com/oauth2/v3/userinfo?Access_token=XXX
It should work but you may have to add a profile scope to your request i cant remember.

Access user info from lambda

I'm working on a serverless app with aws.
I use AWS Cognito User Pool to manage user : register, login, logout.
Once those users have been confirmed, I use AWS Cognito Identity Pool to get temporary credentials. Then I use those credentials to access the api (the endpoint on my api require AWS_IAM for Auth and call lambda).
All of that work perfectly. But I need to know which user has requested the action. In the lambda I can get the IdentityId from my Identity Pool. But I need to get attributes from my user in User Pool.
So my question is : is there a way to get a user from User Pool using the IdentityId of the Identity attached to it ? Or at least, get the access token ? I know I can send the access token in headers but I would like to only depend on the AWS_IAM auth.
Getting from a federated identity_id back to the user pool user is tricky because there's no guarantee it is a user pool user (it could well be someone from Facebook, or even an unauthenticated user- depending on your configuration).
Given an IdentityId you can use identity:GetOpenIdToken to get a valid OpenId token (you can ignore the logins part of the request if you are just using UserPools).
You can then use this token against the userpools:GetUser end point.
There's a few pitfalls here, like ensuring you authenticate with a scope that allows you to see all the attributes you care about. If you haven't, then you'll need to use the username returned with userpools:AdminGetUser to get the full user profile.

UAA Federation: How to return group information back to relying party?

After configuring two UAA instances as federated, say UAA1 (Relying party)--uses--> UAA2(ID provider) through OIDC mechanism, I can use UAA1 to authenticate users defined on UAA2 through authentication code work flow. UAA1 defines shadow users in its instance, but it does not capture groups defined for users on UAA2.
For example, user1_uaa2 is on UAA2 and it belongs to a groups called uaa.test. After login through UAA1, a shadow user user1_uaa2 is created in UAA1, but its group information is lost.
How can a user's group information be propagated back to relying party in OIDC based UAA federation?
Thanks
I think according to source code, that in last version of UAA (V4.10), UAA only returns openid as scope in id_token and /userinfo, no matter if the access token has roles scope or not. That means as either OIDC or SAML identity provider, it does not provide user group information.
It seems to me its codes work and are able to retrieve group information when UAA works as SP or proxy to other IDPs. It store those information to user_info table.

oAuth2 Access Token with userinfo

We have a little argument in the company on the way to get user info with oAuth2.
the first developer is getting the user info inside the access token with the library spring-security-oauth2 and decode it.
The second developer use open id connect on the top of the oAuth2 with the library Nimbus, In this way you will get the user info from UserInfo Endpoint.
Which way is better parctice? and why to use open id connect if I can get my userinfo without this
Thanks for any help and explanations
An access token - and in fact bare OAuth 2.0 - cannot be used to authenticate the user. It can only be used to retrieve information about a user, which may not be the user that is operating the browser. See: https://oauth.net/articles/authentication/
So if you want to authenticate the user - in a standards compliant way - you need to use OpenID Connect.

spring boot oauth2.0 and spring security: How to grant permission(authorities) to user login via facebook or slack

I have an auth server built using spring boot oauth2.0 and follows david_syer model.
My auth server does following -
Let user login via third party oauth provider like google or let user create his account on our server using username and password and generate token.
So, when user uses external oauth like google to login then I simply store the token and pass the same(google) token to my UI app for accessing resource api servers. I have an authentication filter that verifies token and allow api access.
When user uses username and password to get token we store user and his permissions and generate a token for him. Now UI uses our auth servers generated token to access resource api servers.
Now my question is
Is this the correct way of using token from external api and using the same to access our resource api server?
And how do I add authorities to user who are signing up using 3rd party oauth provider since I don't add user entry and authorities for them?
So, spring security which loads user and user authorities (loadUserByUsername() from UserDetailsService) will not have any thing if user came from eternal provider.
I have a suggestion for step 2:
After the user uses the google authentication, and gets redirected back to your application page, do the claims transformation on your server and generate your own token issued by the identity server that you have.
The reason is you will be able to provide specific claims and the claims names does not necessarily required to match up.
That way you keep verifying your own token all the time on the client app. So lets say the user uses Facebook instead of Google and even in that scenario as you will assign your own token, you need not to verify the token coming from different third party Identity servers.
That way, your identity server trusts Facebook, Google provided token and your application will trust only your identity server so your app doesn't need to know about what IDP is issuing the token.
And with the approach I suggested above, you will be able to even modify the claims for the user on your own and don't have to depend upon the third party identity server to provide claims.

Resources