Using reconsile api to get access token

adil · 19 Nov 2021, 09:07

Hi,
i am using /api/jwt/reconcile api to get access token, it is working fine with google idp, but when i try to use it with linkedin i am getting following error:

{
    "fieldErrors": {
        "data.code": [
            {
                "code": "[missing]data.code",
                "message": "Required"
            }
        ],
        "data.redirect_uri": [
            {
                "code": "[missing]data.redirect_uri",
                "message": "Required"
            }
        ]
    }
}

and here is my request body:

{
  "applicationId": "1406e0a4-8a15-4181-a0d6-56d8ab14f144",
  "data": {
    "token": "AQXC8dwBpr5MgJ6QFLvoGgv_..."
  },
  "identityProviderId": "6177c09d-3f0e-4d53-966564-3600b1b23f46"
}

As per the documentation of api i only have to pass token, not sure why its asking for code and redirect_uri, code as already been exchanged to get access token

Any help would be appreciated.

dan · 21 Nov 2021, 03:45

@adil Can you share what your request looks like for the google call that works, please?

adil · 21 Nov 2021, 20:20

@dan ,than you for your reply , here is the request for google

curl --location --request POST 'https://example.com/api/jwt/reconcile' \
--header 'Authorization: API_KEY' \
--header 'Content-Type: application/json' \
--header 'Cookie: fusionauth.locale=en' \
--data-raw '{
  "applicationId": "3453f0a4-8a15-4181-a0d6-88d2ab14566",
  "data": {
    "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Im9aMG..."
  },
  "identityProviderId": "32339786-3dff-42a6-aac6-1f1fffffffff"
}'

where token is the id_token we receive from google.

adil · 21 Nov 2021, 21:31

@dan ,same think is happening with apple idp as well, this is what i am getting for apple idp.

{
    "fieldErrors": {
        "data.code": [
            {
                "code": "[missing]data.code",
                "message": "Required"
            }
        ],
        "data.id_token": [
            {
                "code": "[missing]data.id_token",
                "message": "Required"
            }
        ],
        "data.redirect_uri": [
            {
                "code": "[missing]data.redirect_uri",
                "message": "Required"
            }
        ]
    }
}

It looks like its asking for required fields which are required for following api
https://fusionauth.io/docs/v1/tech/apis/identity-providers/apple/#complete-the-apple-login, and i think same thing is happening for linkedin as well, but this one and reconcile api are two different api's.

dan · 22 Nov 2021, 01:54

@adil I'm going to look into this further, but it is possible that the JWT reconcile operation isn't compatible with those other IdPs (in which case the documentation is incorrect). Will let you know what I find in the next few days.

As a workaround, would suggest using the 'complete login' API call as documented in each of those providers individual docs:

https://fusionauth.io/docs/v1/tech/apis/identity-providers/apple/#complete-the-apple-login

https://fusionauth.io/docs/v1/tech/apis/identity-providers/linkedin/#complete-the-linkedin-login

dan · 22 Nov 2021, 22:59

Seems like a bug, filed an issue: https://github.com/FusionAuth/fusionauth-issues/issues/1503