Lambda how can we get the ID Token and Access Token?
-
For Azure AD the User Info Endpoint does not offer any user claims, is it possible to somehow access the ID Token and Access Token during the use of a Lambda?
-
Hiya @matthew-frost,
Welcome to the FusionAuth community!
I'm not quite sure what you're referring to.
https://fusionauth.io/docs/v1/tech/lambdas/openid-connect-response-reconcile/ lets you pull info from the JWT provided by the UserInfo endpoint (the id_token). But that doesn't quite seem to be what you want, is it?
If you are trying to get data from the userinfo endpoint into the JWT created by FusionAuth, we often have folks store information in the user.data object in the reconcile lambda, and then pull it out in a populate lambda. Does that help?
Thanks,
Dan -
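The reconcile -> user.data -> populate pattern Dan describes, as an added example that is not part of this thread or FusionAuth's own code. The claim names persisted (email, upn, groups), the simulateLogin harness and the sample userinfo responses are assumptions; as later replies establish, the jwt parameter carries only the userinfo response, so only claims actually returned there can be persisted, and the sparse case is handled here by leaving previously stored data untouched.

```javascript
// Added example, not FusionAuth code. Claim names below are assumptions.
// Claims we choose to persist from the IdP's userinfo response. Any claim the
// IdP does not return (the sparse Azure AD case in this thread) is skipped.
var PERSISTED_CLAIMS = ["email", "upn", "groups"];

// OpenID Connect reconcile lambda. `jwt` holds the claims of the userinfo
// endpoint response, not the id_token.
function reconcile(user, registration, jwt) {
  user.data = user.data || {};
  user.data.idp = user.data.idp || {};
  for (var i = 0; i < PERSISTED_CLAIMS.length; i++) {
    var name = PERSISTED_CLAIMS[i];
    if (jwt[name] !== undefined && jwt[name] !== null) {
      user.data.idp[name] = jwt[name];
    }
  }
  // Only the listed claims are stored; never copy tokens into user.data.
}

// JWT populate lambda: lifts the stored values into FusionAuth's own JWT.
function populate(jwt, user, registration) {
  var idp = (user.data && user.data.idp) || {};
  if (idp.upn) { jwt.upn = idp.upn; }
  if (Array.isArray(idp.groups)) { jwt.groups = idp.groups.slice(); }
}

// Local harness (hypothetical, not part of FusionAuth): runs both lambdas in
// sequence on a constructed userinfo response and returns the resulting claims.
function simulateLogin(userinfoClaims, existingUserData) {
  var user = { email: userinfoClaims.email, data: existingUserData || {} };
  var registration = { roles: [] };
  reconcile(user, registration, userinfoClaims);
  var fusionAuthJwt = { sub: "constructed-user-id" };
  populate(fusionAuthJwt, user, registration);
  return { jwt: fusionAuthJwt, userData: user.data };
}

// Constructed sample: a userinfo response that does carry upn and groups.
var RICH_USERINFO = { sub: "abc", email: "a@example.com", upn: "a@example.com", groups: ["g1"] };
// Constructed sample of a sparse response (only sub), as reported for Azure AD.
var SPARSE_USERINFO = { sub: "abc" };
```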
@dan would you spare some more details of how this can be done? As I understand, the Userinfo endpoint response does not contain id_token/access_token and they can only be found in the Token endpoint response (at least this can be inferred from the Event log). Thanks.
-
@egis That's what I'm seeing as well. I think the information from the id_token returned from the token endpoint response should be available to the OpenID reconcile lambda (the parameter jwt would imply the information is derived from a jwt), although that doesn't line up with the documentation above, which refers only to the OpenID Connect Userinfo endpoint. However, I can't test to confirm because of a different issue I'm experiencing with event logs.
-
@donal I have tried dumping all 3 lambda parameters to be sure, but the documentation here https://fusionauth.io/docs/v1/tech/lambdas/openid-connect-response-reconcile/ confirms that jwt is just the response of the Userinfo endpoint (you can find that at the end of the first section). I also found an issue on GitHub https://github.com/FusionAuth/fusionauth-issues/issues/323 and left a comment there. Also it doesn't seem there is a workaround for this.
I am slightly confused that this is rarely mentioned as a problem, especially when it comes to Azure AD, which I would assume is the most popular identity provider for companies/enterprises. But I'm just having a hard time finding a solution. Maybe I'm just doing it wrong.
-
@egis Yes - that would seem like it won't work for us either, as we can only retrieve the email address from the id_token. I guess I'll try a SAML connection to AzureAD instead ...
-
Hey folks, I think I spoke too soon with my response 14 days ago. I misunderstood and assumed the id_token was available. There is a token on the reconcile lambda, but it is the access_token, not the id_token. My apologies.
That said, there is some work happening on issue 323 that you probably want to track: https://github.com/FusionAuth/fusionauth-issues/issues/323 (a comment or two way at the bottom). It's not finished yet, but we're looking at ways to make the id_token available to the open id connect reconcile lambda.