How to get Google contacts from an app using FusionAuth

fusionauth.qhj5e

Hi, I'm writing an article on getting a user's Google contacts in a web app, via FusionAuth (FA), based on these two conversations:

• https://fusionauth.io/community/forum/topic/2659/access-google-calendars-of-multiple-google-accounts-with-user-permission/2
• https://fusionauth.io/community/forum/topic/2569/how-do-i-call-a-google-api-or-retrieve-the-google-credentials

"The brief says "that button uses the identity provider login OIDC API to complete the login. That is, the dev starts the OIDC process but FA completes it and holds the token. After the user connects Google, the application then calls into FA to get the refresh token. Then it can call the Google API to get the contacts"

There are some parts I'm confused about. Please clarify the best approach if you can:

1. I assume the user logs in to the app with FA with a username like richard@example.com, but connects to Google with an email like richard@gmail.com. So the user is not logging in to FA with Google at first. If I'm wrong, please let me know.
2. What benefit does the app getting Google contacts with FA have? Why shouldn't the app call Google directly through their API, or with custom code?
3. I assume the app will log the user in to Google by calling https://fusionauth.io/docs/apis/identity-providers/openid-connect#complete-an-openid-connect-login, with a linking strategy in the OpenId provider created in settings of "Pending Link". The Response of this API is a User object. But shouldn't it return a Google token? How do we use a User object to call Google here? Also, this doesn't seem like the app "starting" the OIDC process, it seems like FA does all of it. Have I picked the wrong API call? How do we link the current FA user to their Google email?
4. As I understand Google sign in, you have to use a snippet of Google JS in your app, which shows a UI form to the user. Which you can't do if calling an API programmatically only. What am I misunderstanding here?
5. "calls into FA to get the refresh token" - Which API allows this, and what parameters should be passed in?

Thanks.

PS. I wanted to my improve my knowledge of OAuth significantly for this article, but the "form" on this page to get your ebooks is just a grey line I can't interact with - https://fusionauth.io/ebooks/modern-guide-to-oauth

---

UPDATE WHILE WAITING FOR FORUM APPROVAL:

• I added an href in my app pointing to https://accounts.google.com/o/oauth2/v2/auth?client_id=535042435541-eridnie9d09pa69dsq1hh066ushvp4e0.apps.googleusercontent.com&redirect_uri=http://localhost:9011/api/identity-provider/login&response_type=code&scope=openid%20email%20profile%20https://www.googleapis.com/auth/contacts.readonly&state=STATE&idp_hint=26481189-e3f7-433f-804b-9643a025806a. That successfully directs the user to google, gets consent for contacts, and redirects the user back to http://localhost:9011/api/identity-provider/login?state=STATE&code=4/0AVG7fiTXd3CnD-ff3ga7Zs5BXgHoUbvnPw&scope=email%20profile%20https://www.googleapis.com/auth/contacts.readonly%20openid%20https://www.googleapis.com/auth/userinfo.profile%20https://www.googleapis.com/auth/userinfo.email&authuser=1&hd=ritza.co&prompt=consent. That doesn't seem to do anything though. I realised I'm supposed to redirect the user back to the app, then call the FusionAuth API from the server. Making progress here slowly...

fusionauth.qhj5e

Here's my current code:

<a href="https://accounts.google.com/o/oauth2/v2/auth?client_id=535042435541-eridnie9d09pa69dsq1hh066ushvp4e0.apps.googleusercontent.com&redirect_uri=http://localhost:3000/fago&response_type=code&scope=openid%20email%20profile%20https://www.googleapis.com/auth/contacts.readonly&state=STATE">

router.get("/fago", async function (req, res, next) {
  console.log("IN FAGO");
  try {
    if (req.query.state != "STATE") {
      throw new Error(
        "State anti-forgery token returned from Google does not match token sent",
      );
    }
    const params = {
      applicationId: "e9fdb985-9173-4e01-9d73-ac2d60d1dc8e",
      identityProviderId: "26481189-e3f7-433f-804b-9643a025806a",
      data: {
        code: req.query.code,
        redirect_uri: "http://localhost:3000/fago",
      },
    };
    const url =
      "http://localhost:9011/api/identity-provider/login?idp_hint=26481189-e3f7-433f-804b-9643a025806a";
    const results = await axios.post(url, params);
    console.dir(params.data.code);
    console.dir(results.status + " " + results.statusText);
    console.dir(results.data);
    res.redirect("/account");
  } catch (error) {
    next(error);
  }
});

I'm being returned by FusionAuth status code 232 (which I can't find a meaning for anywhere), and the only field in data is pendingIdPLinkId. I don't know how to get a Google Calendar access token from this.

fusionauth.qhj5e

I've successfully linked a FA user to a Google user with the identity provider API, and the link API, but the forum post this article is based on said They'll also have a link that is accessible via the Link API. That link will contain the refresh token in the token field.

However, calling https://fusionauth.io/docs/apis/identity-providers/links#retrieve-a-link, gets the JSON below, containing NO access token for Google. Now I'm completely stuck, please advise:

    data: {
          identityProviderLink: {
            displayName: 'richard@ritza.co',
            identityProviderId: '26481189-e3f7-433f-804b-9643a025806a',
            identityProviderName: 'fago',
            identityProviderType: 'OpenIDConnect',
            identityProviderUserId: '110494278199559678180',
            insertInstant: 1729762805435,
            lastLoginInstant: 1729762805435,
            tenantId: 'd7d09513-a3f5-401c-9685-34ab6c552453',
            token: '',
            userId: '00000000-0000-0000-0000-111111111111'
          }

fusionauth.qhj5e

Oh, it's still an open bug - https://github.com/FusionAuth/fusionauth-issues/issues/2574. I'll ask there.