How to open identity provider directly?
-
I would use the lookup API to get an
authorization_endpoint
for the relevant identity provider. Then I'd have the button point directly to theauthorization_endpoint
rather than the FusionAuth login page.Hope this helps.
-
The Lookup API is generally designed for use when you are not going to use the FusionAuth login pages or SSO features.
I think you're asking to go directly to an IdP login page without hitting the FusionAuth login page first and clicking a button to "Login with Acme Corp" for example?
Does this issue cover your use case?
https://github.com/FusionAuth/fusionauth-issues/issues/178#issuecomment-501390468The above issue would allow you to provide a hint ahead of time so we can bypass the login page for a domain scoped IdP configuration. We could also add the option to provide the Identity Provider Id as a hint on the request
?identityProviderId=42
to force a particular IdP. -
@robotdan being able to pass an idP hint would be the perfect solution indeed, it would make it able to implement a much more native flow when using devices(or sites for that matter)
(its kind of the only thing keeping us on keycloak)
-
Ah, great. Please make sure to upvote the issue and/or add a comment voicing your support. In general, here's more information about the FusionAuth roadmap: https://fusionauth.io/community/forum/topic/172/the-fusionauth-roadmap
-
i did, but meanwhile is there any way to force it, in an ugly way even, if pressing the button to the idP takes a user to that provider, there has to be a way to just generate the button's link and redirect the user right away?
-
@robotdan said in How to open identity provider directly?:
The Lookup API is generally designed for use when you are not going to use the FusionAuth login pages or SSO features.
Can you try the avenue Daniel mentions? of just not using the FusionAuth login pages at all?
-
@dan i tried using the lookup api, but i have no idea what to input for
{domain}
i have tried the user email, just the user emails domain but i just keep getting 404, how does that api work?I dont understand how i can get the providers on my server by using a users email... that doesnt seem right...
digging a bit more i did find it, and had to add the domain to... itself?
anyway, that doesnt directly take the user to the idP either -
I still dont understand where the hurdle is, when the fusionauth page is shown, the buttons obvious have links, how do i generate those links myself? they dont appear magicly and they have a
data-identity-provider-id="23d1c45d-83fa-4368-a051-34a2e4cce16b"
property, what does that do?how can we use
FusionAuth.IdentityProvider.Helper.captureState({ identityProviderId: button.getDataAttribute('identityProviderId') });
For our own apps to generate the proper redirect url ?
-
when the fusionauth page is shown, the buttons obvious have links, how do i generate those links myself?
There's currently no way to programmatically generate all these links. If you are using the OIDC, External JWT or SAML identity providers, you can provide a managed domain list as configured. When a user enters their email address, you can use the lookup API to get the configured
authorization_endpoint
. This doesn't work with social logins (Google, etc). It's unclear to me which type of federated login you are using, but that's worth noting.You can, of course, reverse engineer the fusionauth templates and put your own logic in that code. I believe the identity provider id in the
data-
corresponds to theid
returned when you call the/api/identity-provider
API to retrieve all identity providers (docs here: https://fusionauth.io/docs/v1/tech/apis/identity-providers/#retrieve-all-identity-providers). Because this is not a common, supported, documented use case, it's possible, but unlikely, the URLs might change in the future.Please feel free to upvote the github issue mentioned further up in this thread or add a new github issue outlining your desired use case.
Hope this helps.
-
@dan yeah i tried it, but then i get to a point where it keeps throwing the error of no/invalid redirect uri, even though i do have it set in the initial parameters
It's unclear to me which type of federated login you are using
I am trying to have my users log in from the react-native app i am building so i can just show them the buttons when they open the app and not have the flow be like:
user opens app > presses login with.. > gets taken to fusionAuth page and has to press login with... (a second time)
-
user opens app > presses login with.. > gets taken to fusionAuth page and has to press login with... (a second time)
That makes sense, for sure.
So when you hardcode the buttons/URLs from the fusionauth page you are getting the "no/invalid redirect uri" error? And you've configured the social login provider with the correct redirect URL?
-
nah, nvm i thought i had a lead with that but reusing that url from the button doesnt work
-
Hmmm.
Well, coming down the pike in 1.19.0 is a feature that may be of interest to you.
From the release notes:
IdP and Email hinting for the FusionAuth login pages. This feature will allow you to optionally bypass the login page and go directly to the third party IdP based upon the user’s email address or a suggested Identity Provider Id.
I don't know exactly when 1.19.0 will drop, but it'll be soon.
-
Related GitHub issue with details.
https://github.com/FusionAuth/fusionauth-issues/issues/178