FusionAuth

JWT Populate Lambda

  • B
    brad
    last edited by brad 27 Jan 2024, 21:32

    I'm using FusionAuth as the OIDC IdP for an application. The application is configured to include the profile scope in the authentication request, but when FusionAuth sends the JWT token, it doesn't include any of the profile fields. Shouldn't it send the profile fields automatically when the profile scope is included in the request?

    Anyway, I tried to force it to send the profile data using the following lambda function:

    function populate(jwt, user, registration) {
      jwt.name = user.data.fullName;
      jwt.family_name = user.data.lastName;
      jwt.given_name = user.data.firstName;
    }
    

    After creating this lambda, I enabled it in the JWT tab for the application. It's selected for both Access Token populate lambda and Id Token populate lambda, but it doesn't seem to do anything. It's still sending the JWT token without these fields.

    • M
      mark.robustelli @brad
      last edited by 30 Jan 2024, 15:46

      @brad It looks like you are on the right path. Can you please send a screenshot of the configuration you have for the JWT tab and some sample code on how you are retrieving it?

      • B
        brad
        last edited by 30 Jan 2024, 15:56

        Screenshot below. I can't provide sample code because the integration is with a third-party application. However, when I enable debug mode in that application, it logs the JWT token it's receiving from FusionAuth:

        {"aud":"bfa366a7-9e50-4df3-82d5-d111028370f1","exp":1706394906,"iat":1706391306,"iss":"clinicalmatchme.com","sub":"c975ef0e-eb44-412c-b8ad-766177677da2","jti":"2497e0e4-97e2-46ee-a5b8-4d691a79f13b","authenticationType":"PASSWORD","email":"brad@hostland.com","email_verified":true,"at_hash":"5f5J3oDmyYCplIBG8J8Vig","c_hash":"GuLPkMegupiDHNt_xOcVQg","scope":"openid profile email","nonce":"plwzij","sid":"93dd553e-0742-4675-906e-0f59fc0ef3df","auth_time":1706391306,"tid":"035c049b-5e2e-11ee-877a-02904e6a3dbf"}
        

        You can see the profile scope is present, but FA is not sending any of the profile info, even with the lambda function enabled.

        CleanShot 2024-01-30 at 11.51.04@2x.png

        • B
          brad
          last edited by 7 Feb 2024, 20:02

          @mark-robustelli Any feedback on this?

          • M
            mark.robustelli @brad
            last edited by mark.robustelli 2 Sept 2024, 15:39 9 Feb 2024, 15:34

            @brad, you may need to check if the lambda is actually running. I did this by creating a JWT Populate lambda and setting debug enabled = "true" and logging some info.

            Screenshot 2024-02-09 at 8.31.38 AM.png

            Then I logged in. I could see the results in the token.

            Screenshot 2024-02-09 at 8.32.48 AM.png

            More importantly, I was able to go to `System -> Event Log` and see that it ran.

            Screenshot 2024-02-09 at 8.34.08 AM.png

            Can you confirm yours is running? You should also be able to log the values you think you are setting for confirmation.

            • B
              brad
              last edited by 20 Oct 2024, 18:32

              Hi Mark,

              Sorry for the long delay in responding. I figured out the problem was I was using user.data.firstName, etc... for the built-in profile fields. Instead, it should be user.firstName. It's working fine now; thank you for the guidance on how to debug it!

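The resolution above, as an added example that is not part of the thread or FusionAuth's own code: the lambda as first posted next to a version that reads the built-in fields from the top level of `user`, skips empty values, and logs what it set. The sample user, `populateOriginal`, `claimsAfter`, and the use of `console.info` for the debug log are assumptions made for this illustration.

```javascript
// Constructed sample user (assumed shape): built-in profile fields sit at the
// top level of the user object; user.data holds only custom attributes.
var sampleUser = {
  firstName: 'Ada',
  lastName: 'Example',
  fullName: 'Ada Example',
  data: { department: 'research' }
};

// The lambda as first posted: looks for built-in fields under user.data.
// Each lookup yields undefined, so no error is raised and no claim survives.
function populateOriginal(jwt, user, registration) {
  jwt.name = user.data.fullName;
  jwt.family_name = user.data.lastName;
  jwt.given_name = user.data.firstName;
}

// Corrected lambda: top-level fields, empty values skipped, result logged.
function populate(jwt, user, registration) {
  var source = {
    name: user.fullName,
    family_name: user.lastName,
    given_name: user.firstName
  };
  var set = [], skipped = [];
  Object.keys(source).forEach(function (claim) {
    var value = source[claim];
    if (typeof value === 'string' && value !== '') {
      jwt[claim] = value;
      set.push(claim);
    } else {
      skipped.push(claim); // never emit a claim as undefined or empty
    }
  });
  // With debug enabled on the lambda, this line is what to look for in the
  // Event Log; it logs claim names only, not the values.
  console.info('populate set=[' + set + '] skipped=[' + skipped + ']');
}

// Demo helper (hypothetical): run a lambda and return the serialized claims.
function claimsAfter(lambda, user) {
  var jwt = { sub: 'constructed-subject', scope: 'openid profile email' };
  lambda(jwt, user, {});
  return JSON.stringify(jwt); // undefined-valued properties are omitted
}

console.log(claimsAfter(populateOriginal, sampleUser));
console.log(claimsAfter(populate, sampleUser));
```

Only the `populate` function would be pasted into the lambda editor; the rest exists to run the comparison locally with Node.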