Making API calls against a user who is federating into FusionAuth

Suppose I have users who are going to federate into FusionAuth via another OIDC or SAML server. They are going to be created on demand. After they are created, I want to use Lambda HTTP Connect to call into FusionAuth to add them to a group, register them for an application or otherwise manipulate their account based on attributes from the remote identity store.

I tried to do that in the OIDC reconcile lambda, but the user isn't created yet, so I can't, for example, add them to a group or grant them permissions on an entity.

What is the best way to solve this?

The easiest thing to do is to store the value on the user.data object in the reconcile lambda, and then pull it off in the JWT populate lambda.

The JWT populate lambda will only be called if the authorization code grant is completed and an access token is generated, but you should be doing that in your application.

So what it looks like is:

• user visits your application
• user clicks 'login'
• user clicks 'login with OIDC'
• user authenticates
• user returned to FusionAuth
• reconcile lambda runs, setting values on user.data
• user object is created
• JWT populate lambda runs, pulling values from user.data and calling FusionAuth APIs to add user to a group or grant them permissions on an entity
• user object is updated, user exists in FusionAuth