FusionAuth
    donal

    @donal

    0
    Reputation
    1
    Profile views
    5
    Posts
    0
    Followers
    0
    Following
    Joined Last Online

    donal Unfollow Follow

    Latest posts made by donal

    • RE: OpenID reconcile not executing?

      Hi @Joshua,

      It seems this is working as expected as @egis described. FusionAuth needs to find an email claim in the response from the userinfo endpoint (or username, depending on the linking method) before running the reconcile lambda. I confirmed this by linking on username instead and setting preferred_username to sub and was able to confirm that the reconcile lambda executed. I had mistakenly thought that the lambda ran before linking occurred and could be used to populate email.

      In my case, the issue is that my IDP (AzureAD) does not return email from the userinfo endpoint. AzureAD is very restricted in what it returns from the userinfo endpoint and allows no customization or claim mapping. It seems AzureAD populates the email claim with the Primary SMTP email address, which is a reserved field from Exchange; however, we don't use Exchange/Outlook365 as our email service provider.

      In Azure, claim mapping can only be applied to the access and id tokens and not what is returned from the userinfo endpoint. However, these tokens are not available to the lambdas.

      I believe there is already a Github issue created for this:
      https://github.com/FusionAuth/fusionauth-issues/issues/323

      In the meantime, I'm using SAML instead, because AzureAD allows me to map email address to user.mail which is where it is stored in our case.

      posted in Q&A
      donal
    • RE: Lambda how can we get the ID Token and Access Token?

      @egis Yes - that would seem like it won't work for us either, as we can only retrieve the email address from the id_token. I guess I'll try a SAML connection to AzureAD instead ...

      posted in Q&A
      donal
    • RE: Lambda how can we get the ID Token and Access Token?

      @egis That's what I'm seeing as well. I think the information from the id_token returned from the token endpoint response should be available to the OpenID reconcile lambda (the parameter jwt would imply the information is derived from a jwt), although that doesn't line up with the documentation above, which refers only to the OpenID Connect Userinfo endpoint.

      However, I can't test to confirm because of a different issue I'm experiencing with event logs.

      posted in Q&A
      donal
    • RE: OpenID reconcile not executing?

      I have the scope set to 'openid email'. I also tried just 'openid'. I also tried setting the linking strategy to 'Create a pending link'.

      In all cases, it appears either the reconciler is not executing or nothing is being logged out.

      I extracted the id_token from the "OpenID Connect IdP Response Debug Log" and inspected it. There is an email address in the "preferred_username" field in the id_token, but it is not returned in the userinfo response.

      posted in Q&A
      donal
    • OpenID reconcile not executing?

      Hi,

      I recently installed and configured FusionAuth using the Helm Chart here.

      I am trying to test SSO from an AzureAD directory and needed to use a reconcile lambda to populate the email address (since it is not returned in the userinfo response from Azure in our case, although it appears to be present in the id token).

      I have enabled an OpenID reconcile lambda with the following code (and set "Debug enabled" to true):

      function reconcile(user, registration, jwt) {
        console.info(JSON.stringify(jwt, null, 2));
      }
      

      I confirmed this lambda is selected as the reconcile lambda on the IDP edit page. I also set "Debug enabled" to true for both the IDP and the application.

      However, the only output I see in the event logs is the "OpenID Connect IdP Response Debug Log" for each login attempt. I'm not filtering the logs by type or date. I'm not sure if the reconcile lambda is executing and not logging to the event log, or just not executing at all. I expect that some other logs should be written to the Event Log, based on the debug settings described above?

      I wonder if anyone else has run into this before?

      Thanks,
      Dónal

      posted in Q&A
      donal
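The lambda in the question above only logs the claims. As an added example (not code from the original posts or from FusionAuth itself), here is the same `reconcile(user, registration, jwt)` entry point extended so that it fills an empty `user.email` from the claims FusionAuth passes in, preferring an `email` claim and falling back to `preferred_username` only when that value has the shape of an address. Claim values used in the comments and tests are constructed. Per the thread's conclusion, the `jwt` argument carries the userinfo claims and the lambda runs only after linking, so this populates the profile field; it does not make email-based linking succeed when the IdP omits `email` from userinfo.

```javascript
// Added example of an OpenID Connect reconcile lambda for FusionAuth.
// `jwt` is the claim set from the userinfo endpoint, not the raw id_token
// (that is what the thread above established). Claim values are constructed.

// Conservative email shape check: one "@", no whitespace, a dot in the domain.
var EMAIL_PATTERN = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Return the first email-looking value among the claims we are willing to
// treat as an address, or null when none qualifies. Order matters: a real
// `email` claim wins over `preferred_username`, which the original poster
// saw carrying an address only in the id_token.
function pickEmail(jwt) {
  var candidates = [jwt.email, jwt.preferred_username];
  for (var i = 0; i < candidates.length; i++) {
    var value = candidates[i];
    if (typeof value === 'string' && EMAIL_PATTERN.test(value.trim())) {
      return value.trim();
    }
  }
  return null;
}

// The entry point FusionAuth invokes. It mutates `user` in place and returns
// nothing, which is the lambda contract.
function reconcile(user, registration, jwt) {
  // Keep the debug line from the original post so the claim set is visible in
  // the event log when "Debug enabled" is on for the lambda.
  console.info(JSON.stringify(jwt, null, 2));

  var email = pickEmail(jwt || {});
  if (email && !user.email) {
    // Only fill an empty field: never overwrite an address already on the user.
    user.email = email;
  }
}
```

Because the lambda never overwrites an existing `user.email`, a claim mapping change at the IdP cannot silently rename an account; the debug line stays so that the claim set that was actually received can be compared against the event log entry.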