JWT Populate Lambda
-
I'm using FusionAuth as the OIDC IdP for an application. The application is configured to include the profile scope in the authentication request, but when FusionAuth sends the JWT token, it doesn't include any of the profile fields. Shouldn't it send the profile fields automatically when the profile scope is included in the request?
Anyway, I tried to force it to send the profile data using the following lambda function:
```javascript
function populate(jwt, user, registration) {
  jwt.name = user.data.fullName;
  jwt.family_name = user.data.lastName;
  jwt.given_name = user.data.firstName;
}
```
After creating this lambda, I enabled it in the JWT tab for the application. It's selected for both Access Token populate lambda and Id Token populate lambda, but it doesn't seem to do anything. It's still sending the JWT token without these fields.
-
@brad It looks like you are on the right path. Can you please send a screenshot of the configuration you have for the JWT tab and some sample code on how you are retrieving it?
-
Screenshot below. I can't provide sample code because the integration is with a third-party application. However, when I enable debug mode in that application, it logs the JWT token it's receiving from FusionAuth:
```json
{
  "aud": "bfa366a7-9e50-4df3-82d5-d111028370f1",
  "exp": 1706394906,
  "iat": 1706391306,
  "iss": "clinicalmatchme.com",
  "sub": "c975ef0e-eb44-412c-b8ad-766177677da2",
  "jti": "2497e0e4-97e2-46ee-a5b8-4d691a79f13b",
  "authenticationType": "PASSWORD",
  "email": "brad@hostland.com",
  "email_verified": true,
  "at_hash": "5f5J3oDmyYCplIBG8J8Vig",
  "c_hash": "GuLPkMegupiDHNt_xOcVQg",
  "scope": "openid profile email",
  "nonce": "plwzij",
  "sid": "93dd553e-0742-4675-906e-0f59fc0ef3df",
  "auth_time": 1706391306,
  "tid": "035c049b-5e2e-11ee-877a-02904e6a3dbf"
}
```
You can see the profile scope is present, but FA is not sending any of the profile info, even with the lambda function enabled.
-
@mark-robustelli Any feedback on this?
-
@brad, you may need to check if the lambda is actually running. I did this by creating a JWT Populate lambda, setting debug enabled = "true" and logging some info. Then I logged in. I could see the results in the token.
More importantly, I was able to go to `System -> Event Log` and see that it ran.
Can you confirm yours is running? You should also be able to log the values you think you are setting for confirmation.
-
Hi Mark,
Sorry for the long delay in responding. I figured out the problem was I was using `user.data.firstName`, etc... for the built-in profile fields. Instead, it should be `user.firstName`. It's working fine now; thank you for the guidance on how to debug it!
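As an added example (not code posted in this thread), here is a populate lambda that reads the built-in profile fields directly from `user`, as the fix above describes, and logs what it set so the run shows up in the Event Log when debug is enabled. The `buildClaims` helper and the `sampleUser` object are constructed here so the lambda can be exercised outside FusionAuth.

```javascript
// Added example, not code from the thread. FusionAuth calls populate(jwt, user, registration)
// for the Access Token / Id Token populate lambda. The built-in profile fields live directly
// on `user` (user.firstName, user.lastName, user.fullName); `user.data` only holds custom data,
// which is why reading user.data.firstName yields undefined and no claim is added.
function populate(jwt, user, registration) {
  // Standard OIDC profile claim names mapped to the built-in user fields.
  var mapping = {
    name: user.fullName,
    given_name: user.firstName,
    family_name: user.lastName
  };
  var added = [];
  for (var claim in mapping) {
    // Only add a claim when the field is actually set, so a missing
    // field does not produce an empty or null claim in the token.
    if (mapping[claim] !== undefined && mapping[claim] !== null) {
      jwt[claim] = mapping[claim];
      added.push(claim);
    }
  }
  // With "Debug enabled" on the lambda, this line appears in System -> Event Log.
  console.info('populate lambda added claims: ' + added.join(', '));
}

// Constructed helper: runs the lambda against a FusionAuth-shaped user object
// and returns the resulting claim set, so the outcome can be checked locally.
function buildClaims(user) {
  var jwt = { sub: user.id, scope: 'openid profile email' };
  populate(jwt, user, {});
  return jwt;
}

// Constructed sample user: built-in profile fields at the top level, custom data under `data`.
var sampleUser = {
  id: '00000000-0000-0000-0000-000000000000', // placeholder id
  email: 'ada@example.com',
  firstName: 'Ada',
  lastName: 'Lovelace',
  fullName: 'Ada Lovelace',
  data: { department: 'research' }
};
```

Running `buildClaims(sampleUser)` yields `name`, `given_name` and `family_name` in the claim set, while a user with no `lastName` simply gets no `family_name` claim.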