Secure way to distinguish SSO logins form username/password?

Hello, I would like to be able to tell from the idToken whether a users have been authenticated using SSO or email and password.

The reason is that we want to require additional security measures to users who log in via email and password, while users logging in via their azure AD integration already meet the security standard.

When we receive the idTokens, both types contains the users email, but only the idToken from users logged in with email/pw contains “nickname” - however, this doesn’t feel like a solid way of determining how the user was authenticated. What would be the right way to do this?

And, if the idToken is not the right thing to use for this, then what would be?

Thank you !

To follow up on my journey:

I have now realized that the “sub” property in the idToken is some sort of userId.
And I am now making a request:


which returns a user object (example):

  created_at: '2020-07-30T07:43:24.370Z',
  email: '',
  email_verified: false,
  identities: [
      user_id: 'xxxxxx1c73a8bb003d1f26fb',
      provider: 'auth0',
      connection: 'Username-Password-Authentication',
      isSocial: false
  name: '',
  nickname: 'user-nickname',
  picture: '',
  updated_at: '2023-03-06T13:57:48.315Z',
  user_id: 'auth0|xxxxxx1c73a8bb003d1f26fb'',
  last_ip: '12.34.567.100',
  last_login: '2023-03-06T13:57:48.315Z',
  logins_count: 131

Can I safely assume that the idToken that I used to get this information came from a email/password login? I would assert on user.identities[0].connection === 'Username-Password-Authentication'

Follow up questions:
1: Can identities be empty or longer than 1?
2: Is this the right approach?