RE: Complete idp login doesn't return refreshToken

Thanks again for your answer @dan ,

Are you passing a scope parameter to FusionAuth?

Not I'm not passing any scope, because the endpoint I'm using doesn't accept one: https://fusionauth.io/docs/v1/tech/apis/identity-providers/google#complete-the-google-login

Are you saying that I must first have a flow through the oauth2/authorize endpoint?

From what I understand from the doc of the complete-the-google-login it isn't necessary, I should be able to use that endpoint to create a user

For example, if you built your own login page, you could add a Login with Google button and complete the Google authentication. When you complete the Google authentication you will have been returned an id token from Google. Using this API you can pass that id token returned from Google to FusionAuth and we will complete the login workflow and reconcile the user to FusionAuth.
The user does not need to exist yet in FusionAuth to utilize this API.

So If my user doesn't exist yet in fusionauth, I can't have provided a scope before hand.

I'm starting to think I may misunderstand what this complete login endpoint objective is.
I'm building my own login page, and letting users auth themselves through google and then I silently register them to my fusionauth instance. User never hears about fusionauth. Does that scenario fits what /api/identity-provider/login offers ?

Hi @dan ,
Thanks for looking into it. I think there is a misunderstanding, I'm not looking to obtain a refresh token from google but one issued by FusionAuth.

I don't need google's refresh token for this use case, I let FA retrieve the info it needs once and that's it, I don't need to have further access to google's resources.

then, as an application resource server, I just check the tokens provided by FA, without even knowing if the user registered with an idp or not.

I'm looking for the refresh token issued by FA, that I can later exchange for a new AccessToken (still issued by Fa, not Google)

this refreshtoken : https://fusionauth.io/docs/v1/tech/apis/identity-providers/google#response-body-4

@dan could you have a quick run at this? I'm always reluctant to file a bug until I've cleared the possible obvious reasons

Hi,

I completing a login after a google login from our own login page with this endpoint (https://fusionauth.io/docs/v1/tech/apis/identity-providers/google#complete-the-google-login). I don't understand why I don't receive a refreshToken.
The only condition mentionned in the doc is the presence of the applicationId which we did provided, it's event present in the returning payload:

from the doc:

Because a refresh token is per user and per application, this value will only be returned when an applicationId was provided on the login request.

Return payload received from FA:

{
  "user" : {
    "id" : "userId"
    "active" : true,
    "firstName" : "Stefan",
    "registrations" : [
      {
        "lastLoginInstant" : 1595002474203,
        "applicationId" : "1e85ab7d-7e27-4729-b61f-fdb9f9ce6d6e",
        "tokens" : {
          "Google" : "googles token"
        },
        "insertInstant" : 1595002474186,
        "id" : "82f88268-dffb-4a81-8323-ec28fde87754",
        "verified" : true,
        "usernameStatus" : "ACTIVE"
      }
    ],
    "tenantId" : "db507f75-2f84-2e46-5f8c-bc9913a3880b",
    "usernameStatus" : "ACTIVE",
    "verified" : true,
    "twoFactorDelivery" : "None",
    "imageUrl" : "https:\/\/lh5.googleusercontent.com\/-82xeGvvebOk\/AAAAAAAAAAI\/AAAAAAAAAAA\/AMZuucka1J5muJev4xFKfUtD84QfCWPM-w\/s96-c\/photo.jpg",
    "insertInstant" : 1595002474143,
    "twoFactorEnabled" : false,
    "passwordLastUpdateInstant" : 1595002474175,
    "fullName" : "Stefan and his lastname",
    "lastName" : "last name",
    "email" : "stefanemail@gmail.com",
    "lastLoginInstant" : 1595002474203,
    "passwordChangeRequired" : false
  },
  "token" : "valid jwt token"
}

Is there some other condition needed to get the refreshToken ?

---

Some information:

instance: https://swift-tech.fusionauth.io/ running 1.17.4

Here's the config of the application in case it helps:

Screen Shot 2020-07-17 at 19.48.45

Have you tried webhooks?

Nope, webhooks completely slipped my mind, that's actually even better or my use case

Thanks for the detailed answer!

Hi,

I'm integrating analytics and in my OAuth callback and I want to track the user login event.

I do need to know in detail if it's a login in or a signup event. By login I mean "has the user already logged in in any application before now". That applies for password signin/signup as well as IDP automatic registration

I see nothing in the accessToken that would give me that information.
The current solution I envision is

• call FA and retrieve the full user
• Loop on all user.registrations to extract the minimum insertInstant value
• check if that insertInstant is less than X second (let's say 15) before current time

Is there a better (faster ? more reliable ? ) way to get that information?

Thanks!

I'd like to link directly the signup page from app, instead of linking the login page then from there go the Register page (form).

Is it possible to have my configured social providers in the signup page ?
I've try playing around with the templates in Themes > Register by copy-pasting code from Themes > Autotorize that seem relevant but I keep getting errors.

I've copied the helpers.head from /authorize who crashes calling @helpers.alternativeLoginsScript

[#ftl/]
[#-- @ftlvariable name="application" type="io.fusionauth.domain.Application" --]
[#-- @ftlvariable name="collectBirthDate" type="boolean" --]
[#-- @ftlvariable name="hideBirthDate" type="boolean" --]
[#-- @ftlvariable name="passwordValidationRules" type="io.fusionauth.domain.PasswordValidationRules" --]
[#-- @ftlvariable name="parentEmailRequired" type="boolean" --]

[#-- @ftlvariable name="client_id" type="java.lang.String" --]
[#-- @ftlvariable name="identityProviders" type="java.util.Map<java.lang.String, java.util.List<io.fusionauth.domain.provider.BaseIdentityProvider<?>>>" --]

[#import "../_helpers.ftl" as helpers/]

[@helpers.html]
[#-- Copied the header from /authorize --]
  [@helpers.head]
    <script src="/js/jstz-min-1.0.6.js"></script>
    <script src="/js/oauth2/Authorize.js?version=${version}"></script>
    [@helpers.alternativeLoginsScript clientId=client_id identityProviders=identityProviders/]
    <script>
      Prime.Document.onReady(function() {
        [#-- This object handles guessing the timezone and filling in the device id of the user --]
        new FusionAuth.OAuth2.Authorize();
        [#--
         To use an in-progress indicator when waiting for an external identity provider such as Google.
           - The panel class will make the default FusionAuth login panel show "in progress". Modify
             this selector if your HTML has been modified, or use your own in progress indicator.
        --]
        var panel = Prime.Document.queryFirst('.panel');
        if (panel !== null) {
          FusionAuth = FusionAuth || {};
          FusionAuth.IdentityProvider = FusionAuth.IdentityProvider || {};
          FusionAuth.IdentityProvider.InProgress = new Prime.Widgets.InProgress(panel);
        }
      });
    </script>
  [/@helpers.head]

and get the following runtime error (printed on the browser):

FreeMarker template error (DEBUG mode; use RETHROW in production!):
When calling macro "alternativeLoginsScript", required parameter "identityProviders" (parameter #2) was specified, but had null/missing value.

----
Tip: If the parameter value expression on the caller side is known to be legally null/missing, you may want to specify a default value for it with the "!" operator, like paramValue!defaultValue.
----

----
FTL stack trace ("~" means nesting-related):
	- Failed at: #macro alternativeLoginsScript client...  [in template "##7f0a976d-2ba4-4d3e-8e93-095477c267fe##/WEB-INF/templates/_helpers.ftl" in macro "alternativeLoginsScript" at line 156, column 1]
	- Reached through: @helpers.alternativeLoginsScript clie...  [in template "##7f0a976d-2ba4-4d3e-8e93-095477c267fe##/WEB-INF/templates/oauth2/register.ftl" at line 18, column 5]
	~ Reached through: #nested  [in template "##7f0a976d-2ba4-4d3e-8e93-095477c267fe##/WEB-INF/templates/_helpers.ftl" in macro "head" at line 110, column 3]
	~ Reached through: @helpers.head  [in template "##7f0a976d-2ba4-4d3e-8e93-095477c267fe##/WEB-INF/templates/oauth2/register.ftl" at line 15, column 3]
	~ Reached through: #nested  [in template "##7f0a976d-2ba4-4d3e-8e93-095477c267fe##/WEB-INF/templates/_helpers.ftl" in macro "html" at line 26, column 3]
	~ Reached through: @helpers.html  [in template "##7f0a976d-2ba4-4d3e-8e93-095477c267fe##/WEB-INF/templates/oauth2/register.ftl" at line 13, column 1]
----

Java stack trace (for programmers):
----
freemarker.core._MiscTemplateException: [... Exception message was already printed; see it above ...]
	at freemarker.core.Macro$Context.sanityCheck(Macro.java:221)
	at freemarker.core.Environment.invoke(Environment.java:774)
	at freemarker.core.UnifiedCall.accept(UnifiedCall.java:83)
	at freemarker.core.Environment.visit(Environment.java:366)
	at freemarker.core.Environment.invokeNestedContent(Environment.java:618)
	at freemarker.core.BodyInstruction.accept(BodyInstruction.java:60)
	at freemarker.core.Environment.visit(Environment.java:366)
	at freemarker.core.Environment.invoke(Environment.java:775)
	at freemarker.core.UnifiedCall.accept(UnifiedCall.java:83)
	at freemarker.core.Environment.visit(Environment.java:366)
	at freemarker.core.Environment.invokeNestedContent(Environment.java:618)
	at freemarker.core.BodyInstruction.accept(BodyInstruction.java:60)
	at freemarker.core.Environment.visit(Environment.java:366)
	at freemarker.core.Environment.invoke(Environment.java:775)
....

What did I miss ?

Thanks !

(I'm running fusionauth 1.16.1.)