FusionAuth

    How to open identity provider directly?

    • C
      cepahap854
      last edited by

      How do I let a user go towards the identity provider directly when they press the relevant button on my app, instead of going to the login page of my server?

      • danD
        dan
        last edited by

        I would use the lookup API to get an authorization_endpoint for the relevant identity provider. Then I'd have the button point directly to the authorization_endpoint rather than the FusionAuth login page.

        Hope this helps.

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        • robotdanR
          robotdan
          last edited by

          The Lookup API is generally designed for use when you are not going to use the FusionAuth login pages or SSO features.

          I think you're asking to go directly to an IdP login page without hitting the FusionAuth login page first and clicking a button to "Login with Acme Corp" for example?

          Does this issue cover your use case?
          https://github.com/FusionAuth/fusionauth-issues/issues/178#issuecomment-501390468

          The above issue would allow you to provide a hint ahead of time so we can bypass the login page for a domain scoped IdP configuration. We could also add the option to provide the Identity Provider Id as a hint on the request ?identityProviderId=42 to force a particular IdP.

          • C
            cepahap854 @robotdan
            last edited by cepahap854

            @robotdan being able to pass an IdP hint would be the perfect solution indeed; it would make it possible to implement a much more native flow when using devices (or sites for that matter).

            (It's kind of the only thing keeping us on Keycloak.)

            • danD
              dan
              last edited by

              Ah, great. Please make sure to upvote the issue and/or add a comment voicing your support. In general, here's more information about the FusionAuth roadmap: https://fusionauth.io/community/forum/topic/172/the-fusionauth-roadmap

              --
              FusionAuth - Auth for devs, built by devs.
              https://fusionauth.io

              • C
                cepahap854
                last edited by

                I did, but meanwhile is there any way to force it, in an ugly way even? If pressing the button to the IdP takes a user to that provider, there has to be a way to just generate the button's link and redirect the user right away?

                • danD
                  dan
                  last edited by

                  @robotdan said in How to open identity provider directly?:

                  The Lookup API is generally designed for use when you are not going to use the FusionAuth login pages or SSO features.

                  Can you try the avenue Daniel mentions, of just not using the FusionAuth login pages at all?

                  --
                  FusionAuth - Auth for devs, built by devs.
                  https://fusionauth.io

                  • F
                    fusionauth_user
                    last edited by fusionauth_user

                    @dan I tried using the lookup API, but I have no idea what to input for {domain}. I have tried the user's email and just the user email's domain, but I just keep getting 404. How does that API work?

                    I don't understand how I can get the providers on my server by using a user's email... that doesn't seem right...

                    Digging a bit more I did find it, and had to add the domain to... itself?
                    Anyway, that doesn't directly take the user to the IdP either.


                    • F
                      fusionauth_user
                      last edited by fusionauth_user

                      I still don't understand where the hurdle is. When the FusionAuth page is shown, the buttons obviously have links; how do I generate those links myself? They don't appear magically and they have a data-identity-provider-id="23d1c45d-83fa-4368-a051-34a2e4cce16b" property; what does that do?

                      How can we use

                      FusionAuth.IdentityProvider.Helper.captureState({
                            identityProviderId:  button.getDataAttribute('identityProviderId')
                          });
                      

                      for our own apps to generate the proper redirect URL?

                      • danD
                        dan
                        last edited by dan

                        When the FusionAuth page is shown, the buttons obviously have links, how do I generate those links myself?

                        There's currently no way to programmatically generate all these links. If you are using the OIDC, External JWT or SAML identity providers, you can provide a managed domain list as configured. When a user enters their email address, you can use the lookup API to get the configured authorization_endpoint. This doesn't work with social logins (Google, etc). It's unclear to me which type of federated login you are using, but that's worth noting.

                        You can, of course, reverse engineer the FusionAuth templates and put your own logic in that code. I believe the identity provider id in the data- corresponds to the id returned when you call the /api/identity-provider API to retrieve all identity providers (docs here: https://fusionauth.io/docs/v1/tech/apis/identity-providers/#retrieve-all-identity-providers). Because this is not a common, supported, documented use case, it's possible, but unlikely, the URLs might change in the future.

                        Please feel free to upvote the GitHub issue mentioned further up in this thread or add a new GitHub issue outlining your desired use case.

                        Hope this helps.

                        --
                        FusionAuth - Auth for devs, built by devs.
                        https://fusionauth.io

                        • F
                          fusionauth_user @dan
                          last edited by fusionauth_user

                          @dan yeah, I tried it, but then I get to a point where it keeps throwing the error of no/invalid redirect URI, even though I do have it set in the initial parameters.

                          It's unclear to me which type of federated login you are using

                          I am trying to have my users log in from the react-native app I am building, so I can just show them the buttons when they open the app and not have the flow be like:

                          user opens app > presses login with.. > gets taken to fusionAuth page and has to press login with... (a second time)

                          • danD
                            dan
                            last edited by

                            user opens app > presses login with.. > gets taken to fusionAuth page and has to press login with... (a second time)

                            That makes sense, for sure.

                            So when you hardcode the buttons/URLs from the FusionAuth page you are getting the "no/invalid redirect uri" error? And you've configured the social login provider with the correct redirect URL?

                            --
                            FusionAuth - Auth for devs, built by devs.
                            https://fusionauth.io

                            • F
                              fusionauth_user
                              last edited by

                              Nah, nvm, I thought I had a lead with that, but reusing that URL from the button doesn't work.

                              • danD
                                dan
                                last edited by

                                Hmmm.

                                Well, coming down the pike in 1.19.0 is a feature that may be of interest to you.

                                From the release notes:

                                IdP and Email hinting for the FusionAuth login pages. This feature will allow you to optionally bypass the login page and go directly to the third party IdP based upon the user’s email address or a suggested Identity Provider Id.

                                I don't know exactly when 1.19.0 will drop, but it'll be soon.

                                --
                                FusionAuth - Auth for devs, built by devs.
                                https://fusionauth.io

                                • robotdanR
                                  robotdan @dan
                                  last edited by

                                  Related GitHub issue with details.
                                  https://github.com/FusionAuth/fusionauth-issues/issues/178

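Added example, not part of any post above and not FusionAuth's own code: one way an app could build the authorize request for the IdP hinting feature mentioned for 1.19.0, with the `state` and PKCE values a native client should carry, and check the callback before using the code. `idp_hint` is the authorize-endpoint parameter FusionAuth documents for this feature (the thread itself only floats `identityProviderId`); the host names, client id and redirect allow-list are constructed placeholders.

```javascript
// Added example: hosts, client id and allow-list values are assumed placeholders.
const crypto = require('node:crypto');

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const b64url = (buf) => buf.toString('base64url');

// Build an /oauth2/authorize URL that asks FusionAuth to skip its login page
// and go straight to one identity provider.
function buildAuthorizeUrl({ baseUrl, clientId, redirectUri, idpId, allowedRedirects }) {
  if (!UUID_RE.test(idpId)) throw new Error('identity provider id must be a UUID');
  // Fail locally instead of at the server: the redirect URI must match exactly.
  if (!allowedRedirects.includes(redirectUri)) throw new Error('redirect_uri not in allow-list');

  const state = b64url(crypto.randomBytes(32));        // CSRF binding for this attempt
  const codeVerifier = b64url(crypto.randomBytes(32)); // PKCE secret, stays on the device
  const codeChallenge = b64url(crypto.createHash('sha256').update(codeVerifier).digest());

  const url = new URL('/oauth2/authorize', baseUrl);
  url.search = new URLSearchParams({
    client_id: clientId,
    response_type: 'code',
    redirect_uri: redirectUri,
    scope: 'openid',
    state,
    code_challenge: codeChallenge,
    code_challenge_method: 'S256',
    idp_hint: idpId,
  }).toString();
  // Keep state and codeVerifier in app storage until the callback arrives.
  return { url: url.toString(), state, codeVerifier };
}

// Check the redirect back to the app and return the authorization code.
function readCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  const got = Buffer.from(params.get('state') || '');
  const want = Buffer.from(expectedState);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    throw new Error('state mismatch: callback does not belong to this login attempt');
  }
  const error = params.get('error');
  if (error) throw new Error(`authorization failed: ${error}`);
  const code = params.get('code');
  if (!code) throw new Error('callback carries no authorization code');
  return code;
}
```

The app sends `codeVerifier` with the token request when it exchanges the returned code; the redirect URI in the allow-list has to be one that is also configured on the FusionAuth application.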