Pass encoded id token to openid reconcile lambda #2189

Closed
1 task done
tobilen opened this issue Apr 3, 2023 · 4 comments
tobilen commented Apr 3, 2023

Problem

I want to control access to FusionAuth application based on custom claims sent by an IDP.

Specifically, I want to set FusionAuth groups based on group claims from an Azure AD OpenID IDP. The group claims are inside the id_token, and the id_token is encrypted with RS256.

Since FusionAuth can not decode id_tokens using this algorithm, it does not pass along a value to the reconcile lambda (see #323 (comment)).

Solution

I would like the encoded id_token to be passed to the reconcile lambda. I can then pass it along via HTTPConnect to my own endpoint that can verify and decode the id_token against the Azure JWKS and use the API to set groups in FusionAuth.

Alternatives/workarounds

I don't have a workaround for this problem.

Related

Documentation

  • Document new argument to the OpenID Connect reconcile lambda that contains the id_token and access_token

Release Notes

Expose the id_token returned by the Identity Provider to the Reconcile Lambda function when available. If the id_token is returned by the IdP and the signature can be verified, it will now be passed to the lambda function in the tokens argument. Example: tokens.id_token.

robotdan (Member) commented:
We will probably do this for good measure, but I think we will also plan to verify the id_token ourselves using the published JSON Web Keys from the JWKS endpoint so the user does not need to make this external request.

@robotdan robotdan added the enhancement New feature or request label Oct 12, 2023
@robotdan robotdan self-assigned this Oct 17, 2023
@robotdan robotdan added this to the 1.48.0 milestone Oct 17, 2023
@robotdan robotdan added this to In progress in FusionAuth Issues Oct 17, 2023
robotdan (Member) commented:
Handling via #2501

robotdan (Member) commented:
The Reconcile Lambda will have a 5th argument that will contain the access_token and id_token (if the signature has been verified).

/**
 * This is the default OpenID Connect reconcile, modify this to your liking. Modify the user
 * and registration objects using the incoming values from the identity provider.
 *
 * @param {Object} user - the FusionAuth user
 * @param {Object} registration - the FusionAuth user registration
 * @param {Object} jwt - the JSON response from the UserInfo endpoint
 * @param {Object} [idToken] - the decoded JSON payload of the id_token. The id_token is available when the
 *                             'openid' scope was requested, and the signature can be successfully verified.
 * @param {Object} tokens - an object containing the encoded access_token and when available the id_token. The
 *                          id_token is only available when returned by the IdP and the signature has been verified.
 */
function reconcile(user, registration, jwt, idToken, tokens) {
  // Example:
  // tokens.access_token
  // tokens.id_token
}

@robotdan robotdan moved this from In progress to Code complete in FusionAuth Issues Oct 19, 2023
@robotdan robotdan moved this from Code complete to Delivered in FusionAuth Issues Oct 31, 2023