Lambdas

Lambdas

A FusionAuth lambda is a JavaScript function that can be used to augment or modify runtime behavior.

FusionAuth leverages lambdas to handle different events that occur inside it as well as customize tokens and messages that FusionAuth sends such as JWTs or SAML responses. A lambda may optionally configured to be invoked when these events occur. Developers can write lambdas in the FusionAuth UI or can upload lambdas via the API.

Here’s a brief video covering some aspects of lambdas:

Here is an example of a FusionAuth lambda that adds some additional fields to a JWT: 

function populate(jwt, user, registration) {
  jwt.roles = registration.roles || [];
  jwt.favoriteColor = user.data.favoriteColor;
}

Lambdas a typed according to their intended purpose, the following lambdas are currently supported:

JavaScript

FusionAuth is using the Nashorn JavaScript engine to compile and execute lambdas functions. The Nashorn engine supports ECMA script version 5.1.

Console

In addition to the standard JavaScript objects and constructs, FusionAuth provides the console object to allow you to create entries in the Event Log during a lambda invocation.

Available methods:

  • info - Create an event log of type Information

  • log - alias to the info method

  • debug - Create an event log of type Debug (only when the Lambda has enabled Debug)

  • error - Create an event log of type Error

The log, info and error will always cause Event Log entries to be created as a result of the lambda invocation. The log method is an alias to the info method. Messages created using the debug method will only be added to the Event Log when you have enabled Debug in your lambda configuration.

Message of each type are accumulated during the lambda invocation and a maximum of one event log of each type will be created as a result of the lambda invocation. This means making multiple requests to console.info in the lambda function body will result in a single event log of type Information.

When logging objects, you’ll need to stringify them to see their data. 

function populate(jwt, user, registration) {
  //...
  console.log(user); // doesn't log any data other than the fact a user is an object. Probably not what you want.
  console.log(JSON.stringify(user)); // outputs all the properties of the user object.
  console.log(JSON.stringify(user, null, ' ')); // pretty prints the user object.
  //...
}

Engine

Nashorn is built on top of the Java virtual machine and while Nashorn permits access to the Java API, for security reasons FusionAuth restricts access to all Java objects during a lambda invocation. Here is the documentation provided by Oracle for the Nashorn engine:

https://docs.oracle.com/javase/8/docs/technotes/guides/scripting/nashorn/

Limitations

The FusionAuth lambdas do not have full access to JavaScript modules and libraries. They also cannot import, require or load other libraries currently. These features might be added to our lambda support in the future but Nashorn does not support them currently.

Future engines

The Nashorn engine is being phased out of Java in favor of more robust and advanced engines. At any point in the future, we might switch from Nashorn to another JavaScript engine like V8. Therefore, use Nashorn features at your own risk.