
    How to Block Logins Based on IdP Links in FusionAuth Without Storing API Keys in Lambdas

      wesley

      We need to prevent users from logging in through a specific flow if they are federated with one of our clients. This requires checking the /api/identity-provider/link API. Since we can’t store API keys in code, is there an internal way for a FusionAuth lambda to call this API without hardcoding the key?

        wesley @wesley

        Currently, FusionAuth lambdas cannot call the API without including an API key in the code — there’s no built-in secret manager for this yet (feature request).

        Alternative approaches:

        1. Webhook filtering (recommended)
          Use the user.login.success webhook to check if the user is linked to an IdP, and reject the login by returning a non-200 response. This avoids storing API keys in lambdas, but adds an extra network call to each login.

        2. Store link data in user.data
          Push IdP linking info into a custom user.data.links[] field so it’s accessible in most lambdas without needing an API call. You’ll need a process to keep this data current.

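A sketch of the webhook-filtering approach from the answer above, as an added example that is not part of the original post or FusionAuth's own code. The API key is read from the receiver's environment instead of lambda code. Assumptions: the environment variable names are hypothetical, the event arrives wrapped as `{ "event": { ... } }`, the link API returns an `identityProviderLinks` array, and the key is sent in the `Authorization` header.

```javascript
// Added example: receiver for the user.login.success webhook.
// Env var names are hypothetical; the API key stays in this service's
// environment (or secret store), never in lambda code.
const FUSIONAUTH_URL = process.env.FUSIONAUTH_URL || 'http://localhost:9011';
const BLOCKED_IDP_IDS = (process.env.BLOCKED_IDP_IDS || '').split(',').filter(Boolean);

// Pure decision: 200 lets the login proceed, 403 rejects it.
function loginStatus(links, blockedIdpIds) {
  const blocked = new Set(blockedIdpIds);
  return links.some((l) => blocked.has(l.identityProviderId)) ? 403 : 200;
}

// Fetch the user's IdP links (response field name is an assumption).
async function fetchLinks(userId) {
  const url = `${FUSIONAUTH_URL}/api/identity-provider/link?userId=${encodeURIComponent(userId)}`;
  const res = await fetch(url, { headers: { Authorization: process.env.FUSIONAUTH_API_KEY } });
  if (!res.ok) throw new Error(`link lookup failed: ${res.status}`);
  return (await res.json()).identityProviderLinks || [];
}

// Map a webhook body to the HTTP status returned to FusionAuth.
async function handleWebhook(rawBody, lookup = fetchLinks, blockedIdpIds = BLOCKED_IDP_IDS) {
  let event;
  try { event = JSON.parse(rawBody).event; } catch { return 400; }
  if (!event || event.type !== 'user.login.success') return 200; // not our event
  if (!event.user || !event.user.id) return 400;
  try {
    return loginStatus(await lookup(event.user.id), blockedIdpIds);
  } catch {
    return 500; // fail closed: a failed lookup also rejects the login
  }
}

// HTTP wiring; call startServer(3000) to run the receiver.
async function startServer(port) {
  const http = await import('node:http');
  return http.createServer((req, res) => {
    let body = '';
    req.on('data', (chunk) => { body += chunk; });
    req.on('end', async () => { res.writeHead(await handleWebhook(body)).end(); });
  }).listen(port);
}
```

Returning 500 when the link lookup fails means an outage of the link API blocks all logins through this webhook; whether to fail closed or open is a policy choice for the deployment.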