3rd Party Authentication

it-contracts

I'm putting together a system in which we will use 3rd party authentication, Like Google and Azure, and then do the Authorization ourselves. I have the code working with both Google and Azure but now my company wants to use FusionAuth to do the same.
In order to do the Authorization, I need to know who the user is, hence, I need to be able to retrieve the user info from the Authentication provider.
With Google this normally takes 3 calls.
Call 1 retrieved the "code"
Call 2 retrieves the Access Token with the code.
Call 3 retrieves the User Info with the Access Token.

From the FusionAuth documentation I'm able to see how to do the same. Meaning get the user info from Google in 3 calls. My question is, can I accomplish the retrieval of the user info from Google with a single FusionAuth call?

TIA
Rudy

it-contracts

@it-contracts Forgot to note that we are implementing the Cloud solution and are therefore running the latest version of FusionAuth.
Not really sure which Logs to post, so am hoping to get some instructions.

TIA

mark.robustelli

@it-contracts Hello. I am pretty new to FusionAuth, but my understanding is that you are taking the correct steps. I am not aware of a way to do this within a single call.

Are you simply looking to be more efficient with the calls or is there some reason this workflow will not work for you?

it-contracts

@mark-robustelli Hi Mark.
Yes. I just want to know if there is a more efficient way to do this.

Thank you for your reply.

it-contracts

@mark-robustelli Found the following paragraph in the FusionAuth documentation:

"Complete the Google Login
This API allows you to complete a Google login after authenticating a user using the Google API. If you are using the FusionAuth login UI with the Google button you will not utilize this API directly.

This API is intended to be used if you want to build your own login page and you have added the Google login button to your own login page and you then need to complete the login with FusionAuth.

For example, if you built your own login page, you could add a "Login with Google" button and complete the Google authentication. When you complete the Google authentication you will have been returned a token or code from Google. Using this API you can pass that token or code to FusionAuth and we will complete the login workflow and reconcile the user to FusionAuth."

From the following Link: link to text

About 2/3 down the page. This seems to imply that if I use FusionAuth Login all 3 steps will be done by FusionAuth. Am I misreading this passage?

Rudy

kash

You're definitely right. FusionAuth can handle all 3 steps and should take less calls.

You can add a google identity provider under 'Identity Providers' using a oauth client id and secret.

mark.robustelli

@it-contracts I apologize for misunderstanding your initial question. You and @kash are correct in that by using FusionAuth, it will appear to be one call from your perspective. However, in the background, FusionAuth will still need to make the same amount of calls to the the access token. And another nice thing about using FusionAuth is that you will be able to add other identity providers in the same way.

it-contracts

@kash said in 3rd Party Authentication:

You're definitely right. FusionAuth can handle all 3 steps and should take less calls.

You can add a google identity provider under 'Identity Providers' using a oauth client id and secret.

Thank kash and Mark for your replies. I really appreciate them as I feel a bit lost.
kash I did add the Google identity provider using Google Client Id and Secret, however, I'm seeing someone calling my callback program/servlet after step 1. Where Google return the code. The code is what one uses to obtain the Authorization Token. And then the Authorization Token is used to retrieve the User Info.
So, it seems to me that I'm missing something. How do I invoke the flow so that FusionAuth handles all 3 calls and just returns to me the JSON with the User Info?

I initiate the flow by using the URL for my application in my browser which takes me to the FusionAuth login screen with the button that says Login with Google. Once I proceed and login my callback routine is called with the code as I mentioned above and I'm left to try to complete the flow on my own.

TIA
Rudy

kash

Don't worry you almost got it.

The callback is the first step in the right direction. We need the code parameter from that callback to obtain the authorization token like you mentioned.

Do you mind posting a little more about what callback program/servlet you're using? It shouldn't be too many steps after that.

it-contracts

@kash Thank you kash for your reply once more. I'm not sure I understand what you are asking for. But would be happy to provide whatever details you need.

Just to reiterate. I have initially completed a project that uses Google and other 3rd party authenticators directly. And it works perfectly. However, now my company wants to use FusionAuth. So I have to start from the beginning. Yay me!

The previous process as I mentioned called Google 3 times. First call was to get the code. Google called the "callback" servlet with the code which I used to obtain the Authorization Token. I then proceeded to call Google for the 3rd time with the Authorization Token to get the user info. This all works.

I thought that FusionAuth would perform all 3 steps for me. Meaning I would call it once and it would return to me the User Info. However, when I call FusionAuth, I see that my callback is called after step 1, which is where Google returns the code. And I have to call Google myself for calls 2 and 3. Which is very challenging since the callback (i.e. redirect_uri parameter must be identical between calls 1 and 2).

At the moment, my callback servlet simply calls Google to obtain the Authentication Token based on the code that was returned. Initially, I had code in my callback servlet to parse the User response that I was hoping to get back from FusionAuth. Alas, that code had to be commented out. As I'm still not sure how to call FusionAuth to get it to perform all 3 steps for me.

Meaning what URL should I be using to get FusionAuth to perform all 3 steps for me?

In my previous reply I posted the image of the URL I'm using now.

TIA
Rudy

kash

Alrighty let's try this. We'll maybe add a few more calls but we'll get it working

First, let's set up the scope for your google identity provider. It should be under the identity provider tab in the google section that you configured.

kash

Also do you have fusionAuth running on port 9011?

it-contracts

@kash said in 3rd Party Authentication:

Also do you have fusionAuth running on port 9011?

Sorry, forgot to mention. We purchased the Cloud package. We are in the clouds. So nothing local.

it-contracts

@kash said in 3rd Party Authentication:
> Alrighty let's try this. We'll maybe add a few more calls but we'll get it working

I love your optimism. I'm onboard.

> First, let's set up the scope for your google identity provider. It should be under the identity provider tab in the google section that you configured.

This is what I had the scope set to:

mark.robustelli

@it-contracts, which license did you purchase? If you selected the Essentials Plan you should have access to the Account Portal and may receive support directly through email if this is time sensitive.

mark.robustelli

@it-contracts Can you please share the OAuth settings you have for your application? In the Fusion Auth Admin UI select Applications. Select Edit or view for your application. Share the OAuth and JWT settings. Be sure to remove any sensitive information before posting here.

it-contracts

@mark-robustelli said in 3rd Party Authentication:

@it-contracts, which license did you purchase? If you selected the Essentials Plan you should have access to the Account Portal and may receive support directly through email if this is time sensitive.

In the Dashboard it says: Current plan Starter
Seems like we are paying $350 per month

This is what it says in the Support tab:
*As a valued customer of FusionAuth Cloud hosting, you can open support tickets for the following items:

Outages
Network issues
Assistance with upgrades
If you need other support including engineering support, you will need to purchase a paid Plan that includes support.*

Am I the first person to attempt this? I find that a bit surprisisng.

it-contracts

@mark-robustelli said in 3rd Party Authentication:

@it-contracts Can you please share the OAuth settings you have for your application? In the Fusion Auth Admin UI select Applications. Select Edit or view for your application. Share the OAuth and JWT settings. Be sure to remove any sensitive information before posting here.

I did not make any settings in JWT, so there is nothig there.

In the OAUTH section here's what I have:

1. Client Id - Id generated by fusionAuth.
2. Client secret - Secret generated by FusionAuth.
3. Client Authentication - Set to Required
4. PKCE - Set to Not Required.
5. Generate refresh tokens - Checked
6. Debug enabled - Checked (No idea if this does anything in the Cloud configuration).
7. URL validation - Set to Exact Match
8. Authorized redirect URLs -http://localhost:8080/MyAppName/FusionAuthLogin
9. Authorized request origin URLs - Not Set
10. Logout URL - http://localhost:8080/MyAppName/FusionAuthLogout
11. Logout behavior - Set To All applications
12. Enabled grants - Checked "Authorization Code" and "Refresh Token"
13. Require Registration - Checked

That's it.
Thank you Mark
Rudy