Apple Reconcile Lambda

When an Apple identity provider is used to complete a federated login request, FusionAuth will use the configured linking strategy to reconcile the user. FusionAuth will attempt to match the user information returned from the Apple identity provider to an existing user account or create a new one.

You may optionally utilize a lambda to customize the user and user registration during the authentication event.

When you create a new lambda using the FusionAuth adminstrative user interface, you will be provided an empty function to implement.

Lambda Structure

If you are using the API to create the lambda you will need to ensure your function has the following signature:

function reconcile(user, registration, idToken) {
  // Lambda code goes here

This lambda must contain a function named reconcile that takes three parameters. The parameters that the lambda is passed are:

  • user - the FusionAuth User object. You can modify this, except the email or username attribute may not be modified after the user has been linked.
  • registration - the FusionAuth UserRegistration object. You can modify this.
  • idToken - the JSON payload of the validated and decoded Id Token returned from Apple. This is read-only.

The two FusionAuth objects are well documented here in the User API and Registration API documentation. The Id Token object that contains the payload returned by Apple and may contain well known OpenID Connect registered claims as well as any custom claims defined by Apple.

Assigning The Lambda

Once a lambda is created, you may assign it to the Apple identity provider in the IdP configuration.

Navigate to Settings -> Identity Providers and select your existing Apple configuration or click Add provider and select Apple if it has not yet been configured.

Default Lambda

A default Apple reconcile lambda is available in FusionAuth that may be used or modified. The default Apple lambda function is documented below.

// This is the default Apple reconcile, modify this to your liking.
function reconcile(user, registration, idToken) {
  // Un-comment this line to see the idToken object printed to the event log
  //, null, 2));

  // During the first login attempt, the user object will be available which may contain first and last name.
  if (idToken.user && {
    user.firstName = || user.firstName;
    user.lastName = || user.lastName;