[keycloak-user] Getting grant from access token

Seán Kelleher sean at fixedpointcode.com
Fri Jun 28 04:18:19 EDT 2019


Hi everyone,

This is my first time using this service, so apologies if I've overlooked a
precondition for posting.

Is there a way to retrieve or derive the grant that was used to obtain a
particular access token, from the access token itself?

My use case is that I have an `/accept_tos` endpoint that takes an IP
address, which is logged as having accepted our terms of service. This is
under the assumption that the endpoint is being called by a client
application that authenticated the user using an authorization code grant.
However, we now also support logins using the implicit flow, so the
acceptance request is no longer being relayed by a third party client, but
is instead being made by the client itself. In this case I want the app to
use `/accept_tos_direct`, which will use the IP address of the request
itself (accounting for reverse proxies) instead of taking it from the body
of the request. Of course, a client could try and determine its own IP
address and supply that using `/accept_tos`, but I feel like this is a
slightly hacky workaround and may lend itself to error.

I want to be able to prevent clients from using the wrong endpoint, based
on the grant they used to retrieve their access token. At the moment, I
don't see any fields in the access token that can be used to get this
information, or how I could enable such a field. I thought the "aud" field
could fit the purpose, assuming that it was something like "<client_id>" in
the case of an authorization code grant and something like
"resource_server" in the case of an implicit grant, but when I tested this
assumption, access tokens from both grants gave a value of `["<client_id>",
"account"]`. Does anyone have any suggestions as to how I could get this
behaviour?

Kind regards,

Seán.
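Added example (not part of the original message, and not Keycloak's own code): the two things the post touches on, written out in Python so they can be run offline. The first part decodes the payload of an access token to inspect its claims, which is how one would check whether `aud` (or anything else) differs between the two grants; the tokens below are constructed to carry the `["<client_id>", "account"]` audience the post reports for both flows, with `my-client` standing in for the client ID and a placeholder signature. The second part is one way to do the "accounting for reverse proxies" that `/accept_tos_direct` needs: the trusted proxy list and the sample addresses are assumptions, and the point is that `X-Forwarded-For` is walked from the right, skipping known proxies, rather than trusting its leftmost entry, which any caller can set.

```python
"""Inspect access-token claims and resolve the client IP behind reverse proxies.

Added illustration, not code from the original post or from Keycloak. The
tokens, client ID, proxy ranges and addresses below are constructed for the
example.
"""
import base64
import ipaddress
import json
from typing import Iterable, List, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def constructed_token(claims: dict) -> str:
    """Build a compact JWS-shaped string for offline demonstration only.

    The signature segment is a placeholder; this is not a real Keycloak token.
    """
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a JWT without verifying the signature.

    Suitable only for looking at which claims a token carries (e.g. when
    checking whether anything distinguishes one grant from another). A
    resource server must still verify the signature, exp, iss and aud before
    trusting any value returned here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_of(token: str) -> List[str]:
    """Return the 'aud' claim as a list (the claim may be a string or an array)."""
    aud = decode_jwt_payload(token).get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


# Constructed claim sets mirroring the post's observation: both the
# authorization code grant and the implicit flow yielded the same audience.
CODE_GRANT_TOKEN = constructed_token({"aud": ["my-client", "account"], "azp": "my-client"})
IMPLICIT_TOKEN = constructed_token({"aud": ["my-client", "account"], "azp": "my-client"})


def client_ip(remote_addr: str, x_forwarded_for: Optional[str],
              trusted_proxies: Iterable[str]) -> str:
    """Resolve the originating client IP behind a chain of trusted reverse proxies.

    X-Forwarded-For is attacker-controlled at its left end: any client can send
    the header with whatever it likes in front. So start from the peer that
    actually connected (remote_addr), walk the header from right to left, and
    drop every hop that is one of *our* proxies. The first hop we cannot vouch
    for is the client.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(addr: str) -> bool:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in net for net in trusted)

    if not is_trusted(remote_addr):
        # Direct connection from an untrusted peer: ignore any header it sent.
        return remote_addr
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    # Only trusted proxies (or nothing) listed: the connecting peer is the best answer.
    return remote_addr


if __name__ == "__main__":
    print("aud, code grant:   ", audience_of(CODE_GRANT_TOKEN))
    print("aud, implicit flow:", audience_of(IMPLICIT_TOKEN))
    print("client behind proxy:",
          client_ip("10.0.0.5", "1.2.3.4, 198.51.100.1, 10.0.0.7", ["10.0.0.0/8"]))
```

Running it shows the same `aud` list for both constructed tokens, so a resource server cannot route `/accept_tos` versus `/accept_tos_direct` on that claim alone. In the proxy case the spoofable leftmost `1.2.3.4` is ignored and `198.51.100.1`, the first address our own proxies did not add, is returned; with no trusted proxy in front, the header is ignored entirely.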

