How to Block Logins Based on IdP Links in FusionAuth Without Storing API Keys in Lambdas
-
We need to prevent users from logging in through a specific flow if they are federated with one of our clients. This requires checking the /api/identity-provider/link API. Since we can’t store API keys in code, is there an internal way for a FusionAuth lambda to call this API without hardcoding the key?
-
Currently, FusionAuth lambdas cannot call the API without including an API key in the code — there’s no built-in secret manager for this yet (feature request).
Alternative approaches:
-
Webhook filtering (recommended)
Use the user.login.success webhook to check if the user is linked to an IdP, and reject the login by returning a non-200 response. This avoids storing API keys in lambdas, but adds an extra network call to each login. -
Store link data in user.data
Push IdP linking info into a custom user.data.links[] field so it’s accessible in most lambdas without needing an API call. You’ll need a process to keep this data current.
-
-
W wesley has marked this topic as solved on
-
Since we can’t store API keys in code,
FYI, with the release of 1.64.0, you now can store secrets elsewhere and have lambdas retrieve them.
