I am trying to allow users log in with multiple social media identity providers but have them linked to one email using Keycloak 8.0.1. Logging in for each one IDP works.
When I try to first login with google this works. When I then log in with facebook, I am getting
KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException. Futher in the log I see a IDENTITY_PROVIDER_FIRST_LOGIN_ERROR. The message is I am just using the default authentication flows - First Broker login as First Login Flow and empty as Post Login Flow.
I assume the Authentication flow needs to be adjusted somehow?
Any ideas are much appreciated.
Related
I am looking at using the new Spring Authorization Server. I have got the samples working and seen how the test users are validated but have a question about where the user registration function should be added.
Should this be added to the authorization server or another separate service (e.g. userprofile)? If it's the latter, I assume I would have to connect the auth server to the user database.
Ideally, I would like users to click a login button, they are taken to the login page on the auth server. If they don't have an account, they create one and then they are taken back to the app with a token.
I was looking at the openid connect initiating user registration spec but don't think it has been implemented.
I attempted to ask this question before, but after some research, I have distilled down and reworded the question a bit better.
Two things about our set up:
We have a Connected App for pulling data from the chatter_api.
We have an Auth Provider (OIDC) in Salesforce.
During our app's oauth authorize flow, if the user is not logged into Salesforce, a login screen is presented. That's expected behavior, of course, but we want to be seamless and skip the login if possible.
In our scenario, most of the time, the Salesforce user session will not yet exist. But the user WILL be logged in at our Auth Provider. Login screen even shows "Or log in using: <our Auth Provider>". My question is, can we somehow configure our authorization flow to automatically attempt SSO and skip the login screen (assuming successful SSO)? Any other ideas?
Try to do it in another area,not in connected app. Setup->My Domain, scroll down to login options and leave only the SSO checkbook.
From now on navigating your branded login page (mycompany.my.salesforce.com) should auto redirect you to your Auth provider (and if you have valid session - back to sf). You'll still be able to use sf username & password on generic login page (unless you blocked it in My Domain) and by "hacking" your way to the mycompany.my.salesforce.com?login url
Currently, I am working on linking my Alexa skill with my website. I'm stuck. I've followed YouTube tutorials and looked at the documentation. I basically want users to click on the account linking button, be taken to a login page and then have that authorize the users with their own private data. Do I need to create a oauth server? Is there anybody I can talk to who has already done something like this? I created a html page to log users in using an api call but I haven't gotten any further. Any help is appreciated.
There are two questions that you asked here. Addressing them consecutively:
Do you need to an OAuth server for account linking? --> Yes. You either create your own authorization server which uses OAuth2.0 or you can rent it from providers. There are various OAuth server providers like auth0, okta etc.
If you have created an html page for login, then it needs to connect with your auth server in the backend and you need an API to do that as well as connect with the LWA server to complete account linking with Alexa.
The auth server will basically generate an auth code upon authenticating the user and subsequently it will generate an access token. Both these URLs must be mentioned in the Amazon Alexa developer console.
Then you need to make the calls to LWA to complete authentication with Amazon. This will generate an LWA auth code and subsequently an access token.
This LWA access token along with user auth code generated by your auth server will be used to enable the skill from your website.
Feel free to contact me if you have more queries! Good luck.
I'm a bit of a salesforce / web noob, but am testing out the customer 360 external identity licences, along with customer users. My main goal is to authenticate a customer user using OAUTH, get an access token, then use the Salesforce web APIs to access some relevant bits of info for the customer user. However I just can't seem to figure out how to get the customer user authenticated despite being able to do the same just fine for my personal admin user account.
I have the following setup:
a bunch of external identity licences
a profile with the external identity user licence assigned, with the API enabled setting checked.
a connected app setup with relaxed IP restrictions set, all users may self authorize set, OAUTH settings enabled, device flow enabled, and the full access OAUTH scope selected.
an end customer contact with an associated end-customer user, assigned to the external identity profile and thus external identity user licence.
And I'm POSTing to the test token endpoint (https://test.salesforce.com/services/oauth2/token).
I've tried two auth flows, password and device flow for IOT as I want to integrate this with a command line app (which the IOT flow is good for apparently), and while both succeed for my personal salesforce user credentials, they both fail for my test user account credentials.
The server response for the password flow is as follows:
{
"error": "invalid_grant",
"error_description": "authentication failure"
}
End-customer users don't appear to have a security token so I've just been using the password on its own. I can't seem to find a way to generate a security token for these types of users but suspect this could be the issue for this flow.
When trying the device flow the returned verification uri is always https://test.salesforce.com/setup/connect but attempting to login on this page as the customer-user fails with this error:
Please check your username and password. If you still can't log in, contact your Salesforce administrator".
I am definitely providing the correct customer user credentials here so have no idea why this fails.
Does anyone have any ideas on how to get this working?
#eyescream nudged me in the right direction so here's the solution for anyone in the same position as me.
Authentication of external identity customer users is not done using the normal OAUTH REST endpoints (https://test.salesforce.com/services/oauth2/token or https://login.salesforce.com/services/oauth2/token).
Instead you have to setup an experience cloud site, add your customer user profile to the sites list of member profiles, then authenticate using a site specific AUTH endpoint.
For example, if your experience cloud URL is https://sandboxname-companyname.instanceid.force.com, then your OAUTH token endpoint would be at:
https://sandboxname-companyname.instanceid.force.com/services/oauth2/token
Extra things to note:
customer user accounts cannot authenticate using the username-password flow.
the device flow for IOT (or command line apps) will return a verification URL that customer users cannot log in to (https://test.salesforce.com/setup/connect). You can instead use the experience site connect URL (https://sandboxname-companyname.instanceid.force.com/sitename/setup/connect)
I am in the process of designing an app that is supposed to let you login using either a username/password combination or facebook login. We have a custom OAuth server that uses user credentials to authenticate users. Now, the question is how to add facebook into this.
As I see it now, when the user wants to login with facebook, the client does all the work and gets the access token in the end. But how do we let our server know that this access token is a good one (and corresponds to a user in the database)? To me it seems like our OAuth server should be able to handle this as well, and I'm just missing the how.
OAuth supports different scenarios (flows). Client-does-all-the-work is so called "implicit" flow.
In your case it would be better to use authorization-code flow and extend your OAuth server. You put a "Facebook" button on your login page and instruct Facebook to redirect to a new special page on your OAuth server. Delivered authorization code then can be exchanged to the access token inside of your OAuth server and the server may issue its own session and tokens based on this.