FusionAuth
    • Home
    • Categories
    • Recent
    • Popular
    • Pricing
    • Contact us
    • Docs
    • Login

    Custom linking is incomplete?

    Scheduled Pinned Locked Moved
    Comments & Feedback
    identity provider login login-api
    2
    4
    1.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      pavol
      last edited by

      Hi!
      We're currently migrating our auth system into FA. During 3rd party login migration, we found out that our login and sign-up scenarios are not completely covered by FA OR I am missing on how to complete some steps here.

      We have 3 scenarios when users are coming into our app through 3rd party login (google, apple...).

      1. The user already has an account, calling the identity provider login API will result in them getting into the app.
      2. The user has an account but is using a new identity provider to log in. Using automatic linking, calling identity provider login will have the same result as scenario #1.
      3. The user has no account, calling identity provider login will create a new account for them and have the same result as scenario #1.

      Now scenario #3 is where we have some problems. If we are creating accounts using the create user API call, we can supply extra metadata about the user in the data property. Then we can pick them up using the user.create webhook.
      This option is simply not there for identity provider login. Anything provided in the data prop will be stripped and not visible in the webhook event.

      This made me look into the option of Link On Email. Do not create the user if they do not exist. This would work if we also got more info from the failed identity provider login (such as email and 3rd party token). Then we could attach it to the create user request body and have more control over what we're putting into the data there.

      So this made me look into the Create a Pending Link option. This however breaks scenario #2 AND the pending link doesn't return with email/username information so we don't know what to put into the create user request body.

      This makes me believe that fusionauth could benefit from 2 things:

      1. Add option Link Existing User and Create pending link for new user in identity provider settings
      2. Return the email/username with the pending link so we can create users more easily.

      I also noticed that there's eventInfo in the request body of the identity provider login call and that one will show in the user.create event, but I can't find docs about this, so I am not sure if this is what it's meant for.

      danD 1 Reply Last reply Reply Quote 1
      • danD
        dan @pavol
        last edited by

        Hiya @pavol ,

        I'm not sure I completely understand the issue.

        Basically, it seems like the issue is there is data you send during the login which you want stored in user.data. You can do this with the user create API but not with the idp login API call.

        So it sounds like if we can solve that, the current linking strategies will work, correct?

        The data field in the idp login API call is not a general purpose data field.

        I'd probably suggest one of two options. In either case, store off the additional data in a database you manage and tie it to the user's email address (perhaps just before login).

        • make the data available via an API. Then, in a reconcile lambda, look up the data using an HTTP Lambda Connect fetch call (requires Essentials or above).
        • in a login success complete webhook, update the user with the data. This has the downside of not having the data available on the first login. To workaround that, you could have your application look up the data the first time.

        Let me know if I don't totally understand your question/issue or if you have other thoughts.

        I also noticed that there's eventInfo in the request body of the identity provider login call and that one will show in the user.create event, but I can't find docs about this, so I am not sure if this is what it's meant for.

        That is generally used to capture device and location information about a login event.

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        P 1 Reply Last reply Reply Quote 0
        • P
          pavol @dan
          last edited by

          @dan Sorry I think I lost the notification about your reply somewhere.

          Basically, it seems like the issue is there is data you send during the login which you want stored in user.data. You can do this with the user create API but not with the idp login API call.

          Almost, it's not during login but during registration, just with idp it's a login call that can result in registration.

          I think being able to solve this would solve the issue.

          The suggestions you gave are not very atomic. We have many users with spotty network connections, so we're trying to stick here with 1 API call for registrations.

          danD 1 Reply Last reply Reply Quote 1
          • danD
            dan @pavol
            last edited by

            The suggestions you gave are not very atomic. We have many users with spotty network connections, so we're trying to stick here with 1 API call for registrations.

            I hear you. I think we already have some open issues about this, but if you'd like to file an issue outlining your preferred workflow, that'd be great.

            --
            FusionAuth - Auth for devs, built by devs.
            https://fusionauth.io

            1 Reply Last reply Reply Quote 0
            • First post
              Last post

            Looks like your connection to FusionAuth Forum was lost, please wait while we try to reconnect.