3rd Party Authentication

I'm putting together a system in which we will use 3rd party authentication, Like Google and Azure, and then do the Authorization ourselves. I have the code working with both Google and Azure but now my company wants to use FusionAuth to do the same.
In order to do the Authorization, I need to know who the user is, hence, I need to be able to retrieve the user info from the Authentication provider.
With Google this normally takes 3 calls.
Call 1 retrieved the "code"
Call 2 retrieves the Access Token with the code.
Call 3 retrieves the User Info with the Access Token.

From the FusionAuth documentation I'm able to see how to do the same. Meaning get the user info from Google in 3 calls. My question is, can I accomplish the retrieval of the user info from Google with a single FusionAuth call?

TIA
Rudy

@mark-robustelli Hi Mark.
Yes. I just want to know if there is a more efficient way to do this.

Thank you for your reply.

@mark-robustelli Found the following paragraph in the FusionAuth documentation:

"Complete the Google Login
This API allows you to complete a Google login after authenticating a user using the Google API. If you are using the FusionAuth login UI with the Google button you will not utilize this API directly.

This API is intended to be used if you want to build your own login page and you have added the Google login button to your own login page and you then need to complete the login with FusionAuth.

For example, if you built your own login page, you could add a "Login with Google" button and complete the Google authentication. When you complete the Google authentication you will have been returned a token or code from Google. Using this API you can pass that token or code to FusionAuth and we will complete the login workflow and reconcile the user to FusionAuth."

From the following Link: link to text

About 2/3 down the page. This seems to imply that if I use FusionAuth Login all 3 steps will be done by FusionAuth. Am I misreading this passage?

Rudy

@mark-robustelli Yes, that is actually where I started my integration. At this point I've been up and down the documentation. There is really no complete start to finish example. Just fragments that have the connections between them missing.

@mark-robustelli Thank you Mark. You are very very nice. No unfortunately I'm still stuck on both of my questions that I asked here. No progress.

@mark-robustelli Thank you Mark.

@mark-robustelli said in 3rd Party Authentication:

@it-contracts Can you please share the OAuth settings you have for your application? In the Fusion Auth Admin UI select Applications. Select Edit or view for your application. Share the OAuth and JWT settings. Be sure to remove any sensitive information before posting here.

I did not make any settings in JWT, so there is nothig there.

In the OAUTH section here's what I have:

1. Client Id - Id generated by fusionAuth.
2. Client secret - Secret generated by FusionAuth.
3. Client Authentication - Set to Required
4. PKCE - Set to Not Required.
5. Generate refresh tokens - Checked
6. Debug enabled - Checked (No idea if this does anything in the Cloud configuration).
7. URL validation - Set to Exact Match
8. Authorized redirect URLs -http://localhost:8080/MyAppName/FusionAuthLogin
9. Authorized request origin URLs - Not Set
10. Logout URL - http://localhost:8080/MyAppName/FusionAuthLogout
11. Logout behavior - Set To All applications
12. Enabled grants - Checked "Authorization Code" and "Refresh Token"
13. Require Registration - Checked

That's it.
Thank you Mark
Rudy

@mark-robustelli said in 3rd Party Authentication:

@it-contracts, which license did you purchase? If you selected the Essentials Plan you should have access to the Account Portal and may receive support directly through email if this is time sensitive.

In the Dashboard it says: Current plan Starter
Seems like we are paying $350 per month

This is what it says in the Support tab:
*As a valued customer of FusionAuth Cloud hosting, you can open support tickets for the following items:

Outages
Network issues
Assistance with upgrades
If you need other support including engineering support, you will need to purchase a paid Plan that includes support.*

Am I the first person to attempt this? I find that a bit surprisisng.

@kash said in 3rd Party Authentication:
> Alrighty let's try this. We'll maybe add a few more calls but we'll get it working

I love your optimism. I'm onboard.

> First, let's set up the scope for your google identity provider. It should be under the identity provider tab in the google section that you configured.

This is what I had the scope set to:

@kash said in 3rd Party Authentication:

Also do you have fusionAuth running on port 9011?

Sorry, forgot to mention. We purchased the Cloud package. We are in the clouds. So nothing local.

@kash Thank you kash for your reply once more. I'm not sure I understand what you are asking for. But would be happy to provide whatever details you need.

Just to reiterate. I have initially completed a project that uses Google and other 3rd party authenticators directly. And it works perfectly. However, now my company wants to use FusionAuth. So I have to start from the beginning. Yay me!

The previous process as I mentioned called Google 3 times. First call was to get the code. Google called the "callback" servlet with the code which I used to obtain the Authorization Token. I then proceeded to call Google for the 3rd time with the Authorization Token to get the user info. This all works.

I thought that FusionAuth would perform all 3 steps for me. Meaning I would call it once and it would return to me the User Info. However, when I call FusionAuth, I see that my callback is called after step 1, which is where Google returns the code. And I have to call Google myself for calls 2 and 3. Which is very challenging since the callback (i.e. redirect_uri parameter must be identical between calls 1 and 2).

At the moment, my callback servlet simply calls Google to obtain the Authentication Token based on the code that was returned. Initially, I had code in my callback servlet to parse the User response that I was hoping to get back from FusionAuth. Alas, that code had to be commented out. As I'm still not sure how to call FusionAuth to get it to perform all 3 steps for me.

Meaning what URL should I be using to get FusionAuth to perform all 3 steps for me?

In my previous reply I posted the image of the URL I'm using now.

TIA
Rudy

@kash said in 3rd Party Authentication:

You're definitely right. FusionAuth can handle all 3 steps and should take less calls.

You can add a google identity provider under 'Identity Providers' using a oauth client id and secret.

Thank kash and Mark for your replies. I really appreciate them as I feel a bit lost.
kash I did add the Google identity provider using Google Client Id and Secret, however, I'm seeing someone calling my callback program/servlet after step 1. Where Google return the code. The code is what one uses to obtain the Authorization Token. And then the Authorization Token is used to retrieve the User Info.
So, it seems to me that I'm missing something. How do I invoke the flow so that FusionAuth handles all 3 calls and just returns to me the JSON with the User Info?

I initiate the flow by using the URL for my application in my browser which takes me to the FusionAuth login screen with the button that says Login with Google. Once I proceed and login my callback routine is called with the code as I mentioned above and I'm left to try to complete the flow on my own.

TIA
Rudy

@dan Thank you Dan for your response. I'm new to FusionAuth. My understanding though of the process that FusionAuth offers is the following.

1. I create an Application
2. Then I create an Identity Provider for this Application, Google in this example
3. I provide a URL from my Application to the user which if they click on they will get the Login screen with the Login with Google button.
4. They click on Login with Google and go to Google to Authenticate
5. My callback Servlet/Program is sitting and waiting to get the code from Google if the Authentication was successful. However, if I get a response from Google to my callback program with the code blank and an error message, then it would be up to me to notify the user that an error took place. No? So how do I show this error (or my own customized error message) to the user at this point? At this point they have left the Google realm and the hot potato is my hands.

Thank you in advance for your time.
If I'm not understanding how FusionAuth works I'm happy to hear RTFM with hopefully a specific link.

Rudy