Idp link event not firing - am I doing something wrong?

I am integrating 3rd party Azure AD idps using OIDC as per the instructions here. I have elected to use the link on email strategy with a user that must exist in FusionAuth prior to linking. This works nicely and I can use the API to retrieve the link for a user when I've used Azure AD to authenticate at least once.

I have also set up a webhook for the user.identity-provider.link event. This works well when tested using the button in the UI, but never seems to fire for the actual live event in the above scenario - my webhook is never called. Below are some screenshots of the webhook configuration. Perhaps someone could verify that I've not missed anything that would explain the absent event?

Settings -> Webhooks

Tenants -> id -> Webhooks

I'm not sure this last enablement is required given the global setting, but it doesn't seem to make any difference either way - on or off.

My FusionAuth version is 1.40.2 running in Docker.

Thanks in advance for any ideas.

Having contemplated raising a bug for this issue, I've discovered that it, or something very similar, is in fact already the subject of a GitHub Issue. The issue was raised out of this Forum Thread, which provides some avenues for further investigation. Thanks for the responses @mark-robustelli & @kvi68507

@kvi68507 Thanks for the reply, and Happy New Year, I'm back from vacation and looking at this again.

There is no mention in those debug logs of anything being stored, nor specifically of a token being processed, though the values are logged-out. Below is one such log entry, with sensitive information changed/obfuscated.

OpenID Connect IdP Response Debug Log for [AAD [Customer]] [8a3c7f38-472e-4123-9535-1ce307e62892]

1/6/2025 12:33:47 PM Z Call the configured Token endpoint [https://login.microsoftonline.com/289b660e-0782-4c53-9c0b-842e7a78127b/oauth2/v2.0/token]
1/6/2025 12:33:47 PM Z Endpoint returned status code [200]
1/6/2025 12:33:47 PM Z Access Token Response:
{
  "token_type" : "Bearer",
  "scope" : "email openid profile GroupMember.Read.All User.Read",
  "expires_in" : 4370,
  "ext_expires_in" : 4370,
  "access_token" : "XYZ",
  "id_token" : "ABC"
}
1/6/2025 12:33:47 PM Z Call the configured Userinfo endpoint [https://graph.microsoft.com/oidc/userinfo]
1/6/2025 12:33:47 PM Z Endpoint returned status code [200]
1/6/2025 12:33:47 PM Z Build a new user object from the returned Userinfo response:
{
  "sub" : "nUg...vTE",
  "name" : "John, Smith
  "family_name" : "Smith",
  "given_name" : "John",
  "picture" : "https://graph.microsoft.com/v1.0/me/photo/$value",
  "email" : "john.smith@example.com"
}
1/6/2025 12:33:47 PM Z Linking strategy [LinkByEmailForExistingUser]
1/6/2025 12:33:47 PM Z Resolved email to [john.smith@example.com]
1/6/2025 12:33:47 PM Z Resolved username to [null]
1/6/2025 12:33:47 PM Z Resolved unique Id to [nUg...vTE]
1/6/2025 12:33:47 PM Z Identity provider returned a unique Id [nUg...vTE].
1/6/2025 12:33:47 PM Z User with Id [ef92b199-78eb-4e1b-a11c-961479ac189f] is linked to this external user.
1/6/2025 12:33:47 PM Z Updating user: 
{
  "active" : true,
  "connectorId" : "8f95b8fa-dbad-4abd-a181-c1588aa789c6",
  "data" : {},
  "email" : "john.smith@example.com",
  "firstName" : "John",
  "fullName" : "John Smith",
  "id" : "ef92b199-78eb-4e1b-a11c-961479ac189f",
  "insertInstant" : 1680595126370,
  "lastLoginInstant" : 1734609341287,
  "lastName" : "Smith",
  "lastUpdateInstant" : 1734609015397,
  "memberships" : [ ],
  "passwordChangeRequired" : false,
  "passwordLastUpdateInstant" : 1680595126653,
  "preferredLanguages" : [ ],
  "registrations" : [ ],
  "tenantId" : "48a37aac-f779-4fce-82a1-f26f6406fc43",
  "twoFactor" : {
    "methods" : [ ],
    "recoveryCodes" : [ ]
  },
  "uniqueUsername" : "john.smith@example.com",
  "username" : "john.smith@example.com",
  "usernameStatus" : "ACTIVE",
  "verified" : true
}
1/6/2025 12:33:47 PM Z User is already registered for application with Id [ff737d7b-7d9a-479a-b09b-139ad8b8b813].
1/6/2025 12:33:47 PM Z User has successfully been reconciled and logged into FusionAuth.
1/6/2025 12:33:47 PM Z Authentication type: OPENID_CONNECT
1/6/2025 12:33:47 PM Z Authentication state: Authenticated

As you can see, the token and user info endpoints at Microsoft are called, but there's no specific mention of anything being stored, just the user record being updated. Are you familiar with these logs and have seen output that does mention storage activities?

Thanks
Stefan

@mark-robustelli thanks for the response, I didn't see it at the time hence the rather slow reply. I was using the version of Retrieve a Link that takes IDP id and FusionAuth user ID. The response to that call contains non-null non-empty values for all the following properties nested within an array of identityProviderLink instances:

• displayName
• identityProviderId
• identityProviderName
• identityProviderType
• identityProviderUserId
• insertInstant
• lastLoginInstant
• tenantId
• userId

The only field returned with a consistently blank string value is identityProviderLink.token. This is documented as containing the "The token returned from the identity provider". I guess that could mean any of a number of tokens, but I assumed it to mean the access token response?

Debug logs show an AAD Access Token Response structure that contains populated values for access_token and id_token.

We are using themed versions of the FusionAuth login pages, though we're also using idp hints on the login URL to bypass the login forms in the instance where a user is authenticated by a 3rd party IDP.

We are using Azure AD as an external identity provider via the OIDC integration, which works great and users are authenticated as expected, happy days.

We have recently however had a customer request that would require us to retrieve the access token returned from Azure AD for further processing. We can see from the debug logs that the access token is returned from Azure AD, but using the Retrieve a Link API yields an empty token property in the response in all instances. While the API documentation does say that the token may not be available in all cases, other documentation specifically for the Azure AD OIDC integration details a token storage step in the authentication flow. Have we misinterpreted the documentation here or should the token be available?

Hi Josh,

Thanks for taking the time to reply. In the scenario outlined I perhaps didn't mention that the users I was expecting the webhook to fire for already existed in FusionAuth prior to Azure AD sign-in. Should I expect the event to trigger in that instance?

Regards
Stefan

I am integrating 3rd party Azure AD idps using OIDC as per the instructions here. I have elected to use the link on email strategy with a user that must exist in FusionAuth prior to linking. This works nicely and I can use the API to retrieve the link for a user when I've used Azure AD to authenticate at least once.

I have also set up a webhook for the user.identity-provider.link event. This works well when tested using the button in the UI, but never seems to fire for the actual live event in the above scenario - my webhook is never called. Below are some screenshots of the webhook configuration. Perhaps someone could verify that I've not missed anything that would explain the absent event?

Settings -> Webhooks

Tenants -> id -> Webhooks

I'm not sure this last enablement is required given the global setting, but it doesn't seem to make any difference either way - on or off.

My FusionAuth version is 1.40.2 running in Docker.

Thanks in advance for any ideas.