Lambda how can we get the ID Token and Access Token?
For azure AD the User Info Endpoint does not offer any user claims, is it possible to someway access the ID Token and Access Token during the use of a Lambda?
dan last edited by
Hiya @matthew-frost ,
Welcome to the FusionAuth community!
I'm not quite sure what you're referring to.
https://fusionauth.io/docs/v1/tech/lambdas/openid-connect-response-reconcile/ lets you pull info from the JWT provided by the UserInfo endpoint (the id_token). But that doesn't quite seem to be what you want, is it?
If you are trying to get data from the userinfo endpoint into the JWT created by FusionAuth, we often have folks store information in the
user.dataobject in the reconcile lambda, and then pull it out in a populate lambda.
Does that help?
@dan would you spare some more details of how this can be done? As I understand
Userinfo endpointresponse does not contain
access_tokenand they can only be found in
Token endpointresponse (at least this can be inferred from the Event log).
@egis That's what I'm seeing as well. I think the information from the
id_tokenreturned from the token endpoint response should be available to the OpenID reconcile lambda (the parameter jwt would imply the information is derived from a jwt), although that doesn't line up with the documentation above, which refers only to the
OpenID Connect Userinfoendpoint.
However, I can't test to confirm because of a different issue I'm experiencing with event logs.
@donal I have tried dumping all 3 lambda parameters to be sure but the documentation here https://fusionauth.io/docs/v1/tech/lambdas/openid-connect-response-reconcile/ confirms that
jwtis just the response of the Userinfo endpoint (you can find that at the end of the first section).
I also found an issue on Github https://github.com/FusionAuth/fusionauth-issues/issues/323 and left a comment there. Also it doesnt seem there is a workaround for this.
I am slightly confused that this is rarely mentioned as a problem, especially when it comes to Azure AD, which I would assume is the most popular identity provider for companies/enterprises. But im just having a hard time finding a solution. Maybe im just doing it wrong.
@egis Yes - that would seem like it won't work for us either, as we can only retrieve the email address from the id_token. I guess I'll try a SAML connection to AzureAD instead ...
dan last edited by
Hey folks, I think I spoke too soon with my response 14 days ago. I misunderstood and assumed the id_token was available. There is a token on the reconcile lambda, but it is the access_token, not the id_token. My apologies.
That said, there is some work happening on issue 323 that you probably want to track: https://github.com/FusionAuth/fusionauth-issues/issues/323 (a comment or two way at the bottom). It's not finished yet, but we're looking at ways to make the id_token available to the open id connect reconcile lambda.