FusionAuth
    Best posts made by justing

    • Pending link with manual completion

      I want to allow a logged-in user to link with a third-party identity provider so my app can get a token for that provider. I'm trying to use a pending link, but the problem I am running into is that FusionAuth wants to complete the pending link instead of allowing my application to complete it. Is it possible to do what I want? When I call fusionauth/oauth2/authorize I already have the user's FusionAuth ID, so I just want the pending link ID to finish the link myself.

      Current setup:
      I have a non-browser client application that is not using hosted login, but is instead using api/login.
      I have an existing user in FusionAuth (self-hosted) with no linked accounts and registered to my application.
      I created an OIDC identity provider with the link strategy of Pending Link and set Create Registration to false. No reconcile lambda.
      An identity provider with the same client id/secret and endpoints works to create FusionAuth accounts when linking strategy is "Link on email" and Create Registration is true.
      I have a web server that exposes endpoints for the client and makes requests to FusionAuth.

      What I tried/expected:

      1. Client app opens browser to mysite/authorizelink, passing the FusionAuth token returned by /api/login and an Identity Provider ID.
      2. mysite calls fusionauth/oauth2/authorize with idp_hint and response type "code".
      3. Browser is redirected to provider/oauth2/authorize.
      4. User logs in to provider & authorizes.
      5. Provider redirects browser to fusionauth/oauth2/callback with authorization code.
      6. FusionAuth redirects browser to mysite/authorizelinkcallback.
      7. mysite calls fusionauth/api/identity-provider/login with application ID, authorization code, redirect uri, and IdP ID.
      8. If a pending link id is retrieved, mysite calls fusionauth/api/identity-provider/link with the FusionAuth user ID and pending link ID.

      What happens:
      Steps 1 through 5 go as expected.
      After being redirected to fusionauth/oauth2/callback, instead of being redirected to mysite/authorizelinkcallback, the browser is instead redirected to fusionauth/oauth2/start-idp-link, which prompts the user to login or cancel the link request.

      posted in Q&A
      justing
    • RE: Pending link with manual completion

      @dan Thanks for the help, I was able to get it working.

      If it helps anyone else, my problem was misunderstanding how to properly do custom login/linking. I was trying to get FusionAuth to acquire the authorization code from the third-party provider and then return it to my code, where I would call further API functions. Everything works fine now that I acquire the authorization code directly and pass it to the FusionAuth API calls.

      posted in Q&A
      justing
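
Steps 7 and 8 of the flow in the first post, as an added Python example that is not code from the posts or from FusionAuth. The JSON field names (`applicationId`, `identityProviderId`, `data.code`, `data.redirect_uri`, `pendingIdPLinkId`, `userId`), the `post` helper and the `FakeFusionAuth` stand-in are assumptions not shown on the page; check the field names against the FusionAuth API documentation for your version.

```python
LOGIN_PATH = "/api/identity-provider/login"
LINK_PATH = "/api/identity-provider/link"


class LinkError(Exception):
    """Raised when the link cannot be completed safely."""


def complete_pending_link(post, application_id, idp_id, code, redirect_uri, user_id):
    """Steps 7 and 8: trade the provider's code for a pending link id, then
    bind that link to the FusionAuth user the caller already authenticated.

    `post(path, body) -> dict` is a hypothetical caller-supplied helper that
    sends JSON to FusionAuth with an API key and returns the parsed response.
    """
    login = post(LOGIN_PATH, {
        "applicationId": application_id,
        "identityProviderId": idp_id,
        "data": {"code": code, "redirect_uri": redirect_uri},
    })
    pending_id = login.get("pendingIdPLinkId")
    if not pending_id:
        # Nothing to complete; never fall back to linking some other way.
        raise LinkError("identity provider login returned no pending link id")
    post(LINK_PATH, {"pendingIdPLinkId": pending_id, "userId": user_id})
    return pending_id


class FakeFusionAuth:
    """Constructed stand-in for FusionAuth so the example runs offline."""

    def __init__(self, valid_code):
        self.valid_code = valid_code
        self.pending = {}   # pending link id -> identity provider id
        self.links = []     # (user id, identity provider id)

    def post(self, path, body):
        if path == LOGIN_PATH:
            if body["data"]["code"] != self.valid_code:
                return {}   # constructed failure: unknown or replayed code
            self.valid_code = None          # authorization codes are single use
            self.pending["pl-1"] = body["identityProviderId"]
            return {"pendingIdPLinkId": "pl-1"}
        if path == LINK_PATH:
            idp_id = self.pending.pop(body["pendingIdPLinkId"])
            self.links.append((body["userId"], idp_id))
            return {}
        raise ValueError("unexpected path: " + path)
```

The user ID passed to `complete_pending_link` should come from the server-side session established by the FusionAuth token, not from a value the browser supplies on the callback.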