Pass encoded id token to openid reconcile lambda
Problem
I want to control access to a FusionAuth application based on custom claims sent by an IdP.
Specifically, I want to set FusionAuth groups based on group claims from an Azure AD OpenID IdP. The group claims are inside the id_token, and the id_token is encrypted with RS256.
Since FusionAuth cannot decode id_tokens using this algorithm, it does not pass along a value to the reconcile lambda (see #323 (comment)).
Solution
I would like the encoded id_token to be passed to the reconcile lambda. I can then pass it along via HTTP Connect to my own endpoint that can verify and decode the id_token against the Azure JWKS and use the API to set groups in FusionAuth.
Alternatives/workarounds
I don't have a workaround for this problem.
Related
access_token available to the reconcile lambda #2494
Documentation
Document the new argument to the OpenID Connect reconcile lambda that contains the id_token and access_token.
Release Notes
Expose the id_token returned by the Identity Provider to the Reconcile Lambda function when available. If the id_token is returned by the IdP and the signature can be verified, it will now be passed to the lambda function in the tokens argument. Example: tokens.id_token.
We will probably do this for good measure, but I think we will also plan to verify the id_token ourselves using the published JSON Web Keys from the JWKS endpoint so the user does not need to make this external request.
The Reconcile Lambda will have a 5th argument that will contain the access_token and the id_token (if the signature has been verified).
/**
 * This is the default OpenID Connect reconcile, modify this to your liking. Modify the user
 * and registration objects using the incoming values from the identity provider.
 *
 * @param {Object} user - the FusionAuth user
 * @param {Object} registration - the FusionAuth user registration
 * @param {Object} jwt - the JSON response from the UserInfo endpoint
 * @param {Object} [idToken] - the decoded JSON payload of the id_token. The id_token is available when the
 *                             'openid' scope was requested, and the signature can be successfully verified.
 * @param {Object} tokens - an object containing the encoded access_token and, when available, the id_token. The
 *                          id_token is only available when returned by the IdP and the signature has been verified.
 */
function reconcile(user, registration, jwt, idToken, tokens) {
  // Example:
  // tokens.access_token
  // tokens.id_token
}
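The following lambda is an added example, not FusionAuth's code nor anything posted in this issue. It shows what the proposed five-argument reconcile could do with the group claims that prompted the request: prefer the decoded idToken when FusionAuth supplies it, otherwise read the payload of tokens.id_token, and map Azure AD group object IDs to registration roles. It assumes the signature proposed in the comment above, that tokens.id_token is a compact JWS which FusionAuth has already verified against the IdP's JWKS (as the release note states), and that the lambda engine offers ES5 plus encodeURIComponent/decodeURIComponent but no atob or Buffer, which is why base64url is handled by hand. The GROUP_TO_ROLE table, the GUIDs, the role names and the sample token are constructed for this example.

```javascript
// Added example (not FusionAuth code): an OpenID Connect reconcile lambda that
// maps Azure AD group IDs from the id_token to FusionAuth registration roles.
// ES5 style, assuming the lambda engine has neither atob nor Buffer.

// Constructed mapping from Azure AD group object IDs to role names (made up).
var GROUP_TO_ROLE = {
  "0f8fad5b-d9cb-469f-a165-70867728950e": "admin",
  "7c9e6679-7425-40de-944b-e07fc1f90ae7": "editor"
};

var B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// UTF-8 bytes of a string, recovered from encodeURIComponent's percent-escapes.
function utf8Bytes(str) {
  var enc = encodeURIComponent(str), bytes = [];
  for (var i = 0; i < enc.length; i++) {
    if (enc.charAt(i) === "%") {
      bytes.push(parseInt(enc.substr(i + 1, 2), 16));
      i += 2;
    } else {
      bytes.push(enc.charCodeAt(i));
    }
  }
  return bytes;
}

// base64url without padding (RFC 7515); used only to build the sample token.
function base64UrlEncode(str) {
  var bytes = utf8Bytes(str), out = "", bits = 0, value = 0;
  for (var i = 0; i < bytes.length; i++) {
    value = (value << 8) | bytes[i];
    bits += 8;
    while (bits >= 6) {
      bits -= 6;
      out += B64URL.charAt((value >> bits) & 63);
    }
    value &= (1 << bits) - 1;
  }
  if (bits > 0) out += B64URL.charAt((value << (6 - bits)) & 63);
  return out;
}

// Inverse of the above; trailing '=' padding is ignored if present.
function base64UrlDecode(str) {
  var bytes = [], bits = 0, value = 0;
  for (var i = 0; i < str.length; i++) {
    var c = str.charAt(i);
    if (c === "=") break;
    var idx = B64URL.indexOf(c);
    if (idx < 0) throw new Error("invalid base64url character: " + c);
    value = (value << 6) | idx;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((value >> bits) & 255);
      value &= (1 << bits) - 1;
    }
  }
  var pct = "";
  for (var j = 0; j < bytes.length; j++) {
    pct += "%" + ("0" + bytes[j].toString(16)).slice(-2);
  }
  return decodeURIComponent(pct);
}

// Claims of a compact JWS (header.payload.signature). No signature check here:
// FusionAuth only sets tokens.id_token after verifying it against the IdP's
// JWKS, so never feed this a token obtained any other way.
function jwtPayload(encodedJwt) {
  var parts = encodedJwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// The lambda, using the five-argument signature proposed in the comment above.
function reconcile(user, registration, jwt, idToken, tokens) {
  var claims = idToken;
  if (!claims && tokens && tokens.id_token) {
    claims = jwtPayload(tokens.id_token);
  }
  user.data = user.data || {};
  // Azure AD omits `groups` and sets `_claim_names.groups` when the user is in
  // more groups than fit in the token; those must be fetched from Microsoft
  // Graph out of band, so grant nothing rather than guess.
  if (claims && claims._claim_names && claims._claim_names.groups) {
    user.data.azureGroupsOverage = true;
    registration.roles = [];
    return;
  }
  var groups = (claims && Array.isArray(claims.groups)) ? claims.groups : [];
  user.data.azureGroups = groups;          // raw IDs kept for audit
  var roles = [];
  for (var i = 0; i < groups.length; i++) {
    var role = GROUP_TO_ROLE[groups[i]];   // unknown groups grant nothing
    if (role && roles.indexOf(role) < 0) roles.push(role);
  }
  registration.roles = roles;
}

// Constructed, unsigned sample standing in for tokens.id_token.
var SAMPLE_ID_TOKEN =
  base64UrlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" })) + "." +
  base64UrlEncode(JSON.stringify({
    sub: "user-1",
    groups: ["0f8fad5b-d9cb-469f-a165-70867728950e", "9b2c0b5e-8c0e-4d9a-9c1a-3b1f2e4d5a6b"]
  })) + ".signature-not-checked-here";
```

Roles are derived only from an allow-list, so a group ID the lambda does not know grants nothing, and the overage case (Azure AD replacing `groups` with `_claim_names`/`_claim_sources` when a user belongs to more groups than the token can carry) is treated as "no groups known" rather than as "no groups"; a deployment that needs those users' groups still has to query Microsoft Graph, which is the kind of external call the issue author proposed doing over HTTP Connect.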