Assigning Roles in FusionAuth Based on Identity Provider Login Source
-
My application has two network interfaces and can be accessed through both the Internet and our internal network. I want FusionAuth to assign a role to users, but *only* if they log in through our internal network. Since each network logs in through a separate identity provider, I thought about using a reconcile lambda. However, I want to avoid the internal role carrying over to the external network if the user is logged in from both locations. Can I access the identity provider information in the JWT populate lambda? If so, how? And is the “JWT Populate” lambda run only once immediately following the “JWT Reconcile”? Do you have other suggestions for how I might put this plan into practice?
-
This is a little tricky since a user could log in from either provider at any given time. The JWT populate lambda only has access to the user object and the registration object, so you would need something on either of those to reference in the lambda. Each time a user logs in from an Identity Provider, the user in FusionAuth gets updated with the user data from the IdP. So for the JWT populate to work, you would need both providers to have a custom data field that maps to the same user.data field in FusionAuth. Then have the JWT populate lambda map this user.data to either a custom claim or to the roles claim in the JWT, whatever works to determine the internal role on your side. Essentially this field would get updated or overwritten every time the user logs in, which means the JWT from that login should have the correct "role".
https://fusionauth.io/docs/extend/code/lambdas/jwt-populate
A JWT populate lambda runs whenever a JWT is minted, and the reconcile lambda runs whenever a user logs in from an IdP. This means there is a scenario where, if a user is logged in on both networks at the same time, it would not be accurate, since the JWT from both sessions would be reading from user.data, which got updated by the last IdP login. Something like the following feature would also likely be enough to solve this problem for you; we have a similar field on Webhooks, but not in JWTs or Lambdas, which would detail which IdP was used to log in.
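As an added example (not code from the FusionAuth project or from either poster), here is what the approach in the answer looks like as FusionAuth lambdas, plus an offline simulation of the caveat about a user logged in on both networks. It assumes OpenID Connect identity providers, whose reconcile lambdas FusionAuth calls as `reconcile(user, registration, jwt)`, and a JWT populate lambda called as `populate(jwt, user, registration)`. One variation from the answer: instead of reading an IdP-supplied custom field, each IdP's own reconcile lambda stamps the network directly into the shared `user.data` key (the field name `loginSource`, the role name `internal`, and the user records are constructed for this example). The simulation section at the bottom is plain JavaScript and would not be deployed as a lambda.

```javascript
// Added example: FusionAuth lambdas for the approach described above.
// Not the project's code; field, role and IdP names are assumptions.

// Reconcile lambda attached to the *internal* OpenID Connect identity provider.
// FusionAuth calls OIDC reconcile lambdas as reconcile(user, registration, jwt),
// where jwt holds the IdP's ID token claims. Because each IdP configuration
// references its own lambda, this lambda knows which network the login came
// from and stamps it onto user.data (hypothetical key: loginSource).
function reconcileInternal(user, registration, jwt) {
  user.data = user.data || {};
  user.data.loginSource = 'internal';
  user.data.lastIdpSubject = jwt.sub; // constructed extra field for illustration
}

// Same for the external IdP. Both lambdas write the same user.data key, so each
// login overwrites the previous value, exactly as the answer describes.
function reconcileExternal(user, registration, jwt) {
  user.data = user.data || {};
  user.data.loginSource = 'external';
  user.data.lastIdpSubject = jwt.sub;
}

// JWT populate lambda: FusionAuth calls populate(jwt, user, registration) every
// time it mints a JWT. It only sees user and registration, so it reads the
// stamped user.data key and exposes it as a custom claim and as a role.
function populate(jwt, user, registration) {
  var source = (user.data && user.data.loginSource) || 'unknown';
  jwt.loginSource = source; // custom claim the application can inspect
  var roles = (registration && registration.roles) ? registration.roles.slice() : [];
  if (source === 'internal' && roles.indexOf('internal') === -1) {
    roles.push('internal'); // role granted only when the last login was internal
  }
  jwt.roles = roles;
}

// --- Offline simulation of the caveat in the answer (not FusionAuth code) ---
// One login = run the IdP's reconcile lambda against the shared user record,
// then mint a JWT with the populate lambda.
function login(user, registration, reconcileFn, idpToken) {
  reconcileFn(user, registration, idpToken);
  var jwt = {};
  populate(jwt, user, registration);
  return jwt;
}

// Returns the JWTs minted for an internal login followed by an external login
// by the same user. The first JWT still carries the 'internal' role while
// user.data now says 'external': the stale-session scenario the answer warns
// about. Only a fresh JWT reflects the most recent IdP login.
function simulateBothNetworks() {
  var user = { data: {} };                // constructed FusionAuth user record
  var registration = { roles: ['user'] }; // constructed application registration
  var internalJwt = login(user, registration, reconcileInternal, { sub: 'alice@corp' });
  var externalJwt = login(user, registration, reconcileExternal, { sub: 'alice@public' });
  return {
    internalJwt: internalJwt,
    externalJwt: externalJwt,
    userDataNow: user.data.loginSource
  };
}
```

The application should therefore treat the `internal` role as valid only for the lifetime of the JWT that carries it, and keep that lifetime short, since FusionAuth has no per-session record of which IdP minted a given token; the `loginSource` claim makes the origin explicit to the resource server rather than hiding it inside the role list.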
-