FusionAuth
    Identity Provider with no email?

    • danD
      dan
      last edited by

      What is the lambda seeing? Can you have the entire JSON object printed to the log and share that?

      --
      FusionAuth - Auth for devs, built by devs.
      https://fusionauth.io

      • M
        mattiapicariello
        last edited by

        Important
        Apple only returns the user object the first time the user authorizes the app. Persist this information from your app; subsequent authorization requests won’t contain the user object.
        (https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple)

        So you should go to Settings -> Apple ID -> Password & Security and remove the app from the apps that use your Apple ID.

        Now you can register again and Apple will send the userInfo.

        • J
          joseantonio @robotdan
          last edited by

          @robotdan Is the workaround for no email Identity Providers available in SAML as well?

          • danD
            dan
            last edited by

            @joseantonio Nope, only for OIDC. Feel free to file an issue explaining your use case or open a support ticket if you have a support plan.

            --
            FusionAuth - Auth for devs, built by devs.
            https://fusionauth.io

            • danD
              dan
              last edited by

              @joseantonio

              I was incorrect. I've learned that you should be able to do this with a SAML Lambda. Here's the documentation for the SAML lambda you should customize: https://fusionauth.io/docs/v1/tech/lambdas/samlv2-response-populate/ Sorry about that.

              Please let us know how this goes.

              --
              FusionAuth - Auth for devs, built by devs.
              https://fusionauth.io

                • J
                  joseantonio @dan
                  last edited by joseantonio

                  @dan Thank you for the help. Indeed it is not possible to assign a generated email in SAML reconcile lambdas. However, I found a solution for my problem.

                  Using SAML reconcile lambda, I create a new metadata field for the registration called "generated_email". Then, I assign it to the JWT response for the specific application using a JWT populate lambda. Example:
                  Edit: adding code for SAML reconcile lambda as well.

                  SAML reconcile:

                  function reconcile(user, registration, samlResponse) {
                    // Use the SAML subject NameID as the stable identifier for this user
                    var userid = samlResponse.assertion.subject.nameID.id;
                    // registration.email = userid + '@subdomain.mydomain.com'; This can't be done yet
                    // Store the synthetic address on the registration so the JWT populate lambda can pick it up
                    registration.data = registration.data || {};
                    registration.data.generated_email = userid + '@subdomain.mydomain.com';
                  }
                  

                  JWT populate:

                  function populate(jwt, user, registration) {
                    // Only override the email claim when the SAML reconcile lambda stored a generated address
                    if (registration.data && registration.data.generated_email) {
                      var new_email = registration.data.generated_email;
                      jwt.email = new_email;
                    } else {
                      console.debug('No generated email set');
                    }
                  }
                  

                  (after checking that it exists for the registration).

                  New problem: I need to make an API call inside the SAML reconcile. Is this possible?

                  • danD
                    dan @joseantonio
                    last edited by

                    @joseantonio said in Identity Provider with no email?:

                    I need to make an API call inside the SAML reconcile. Is this possible?

                    Nope, this is currently not possible, unfortunately.

                    Upgrading lambda functionality to support network requests is an open issue. Please vote it up if it is important to you.

                    If this is very important to you, you can engage our professional services.

                    More on the FusionAuth roadmap.

                    --
                    FusionAuth - Auth for devs, built by devs.
                    https://fusionauth.io

                    • robotdanR
                      robotdan
                      last edited by

                      In the next release we plan to add additional options for IdPs for account linking. In this upcoming release you should be able to do things such as:

                      • Use an IdP that only uses usernames (at your own risk)
                      • Modify or build an email address using a Lambda for any IdP (at your own risk)
                      • Modify or build a username using a Lambda for any IdP (at your own risk)
                      • Use an IdP that does not have a username or email address
                      • T
                        trevorr
                        last edited by

                        It looks like setting the email address in a lambda works for Facebook now (as of at least 1.41.2):

                          function reconcile(user, registration, facebookUser) {
                            // Facebook may not return an email; fall back to a synthetic address built from the Facebook user id
                            if (!facebookUser.email) {
                              user.email = facebookUser.id + '@no-email.facebook.com';
                            }
                          }
                        
                        1/10/2023 10:10:33 PM Z Linking strategy [LinkByEmail]
                        1/10/2023 10:10:33 PM Z Resolved email to []
                        1/10/2023 10:10:33 PM Z Resolved username to [null]
                        1/10/2023 10:10:33 PM Z Resolved unique Id to [115587478085870]
                        1/10/2023 10:10:33 PM Z Identity provider returned a unique Id [115587478085870].
                        1/10/2023 10:10:33 PM Z A link has not yet been established for this external user.
                        1/10/2023 10:10:33 PM Z The user with the email address [] does not exist.
                        1/10/2023 10:10:33 PM Z Invoke configured lambda with Id [787cd34e-1618-4cd9-8156-936734cfe368]
                        1/10/2023 10:10:33 PM Z The lambda set or modified the initially resolved email. Email is now [115587478085870@no-email.facebook.com]
                        1/10/2023 10:10:33 PM Z Creating user: 
                        1/10/2023 10:10:33 PM Z User is not registered for application with Id [e0da3f10-7efa-4a6b-95f8-fbf4894884b5]
                        1/10/2023 10:10:33 PM Z User has successfully been reconciled and logged into FusionAuth.
                        1/10/2023 10:10:33 PM Z Authentication type: FACEBOOK
                        1/10/2023 10:10:33 PM Z Authentication state: Authenticated
                        
                        1 Reply Last reply Reply Quote 1
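An added example (not from this thread and not FusionAuth's own code) that serves both joseantonio's SAML reconcile plus JWT populate pair and trevorr's Facebook snippet above: one shared helper encodes the external identifier before it becomes a synthetic address, so a NameID or id containing '@', whitespace or mixed case cannot produce a malformed or colliding email, and the populate lambda copies only addresses on the reserved placeholder domain. The placeholder domain, the function names and the sample inputs are assumptions.

```javascript
// Added example, not code from the thread or from FusionAuth.
// Assumed placeholder domain: one you control and never issue real mailboxes on.
const PLACEHOLDER_DOMAIN = 'no-email.subdomain.mydomain.com';

// Normalise an external identifier into an unambiguous email local part: every
// character outside [a-z0-9._-] (upper case, '@', whitespace, '=' itself) becomes
// '=' plus its 4-digit hex code, so distinct ids cannot collide after the rewrite.
function safeLocalPart(externalId) {
  if (typeof externalId !== 'string' || externalId.length === 0) {
    throw new Error('external identifier is missing');
  }
  return externalId.replace(/[^a-z0-9._-]/g, function (ch) {
    return '=' + ch.charCodeAt(0).toString(16).padStart(4, '0');
  });
}
function syntheticEmail(externalId) {
  return safeLocalPart(externalId) + '@' + PLACEHOLDER_DOMAIN;
}
function isPlaceholder(email) {
  return typeof email === 'string' && email.endsWith('@' + PLACEHOLDER_DOMAIN);
}
// SAML reconcile lambda, same shape as joseantonio's, storing the normalised address.
function samlReconcile(user, registration, samlResponse) {
  var nameId = samlResponse.assertion.subject.nameID.id;
  registration.data = registration.data || {};
  registration.data.generated_email = syntheticEmail(nameId);
}
// JWT populate lambda: only copy addresses on the placeholder domain, so a value
// written to registration.data by another path cannot become a real-looking claim.
function jwtPopulate(jwt, user, registration) {
  var generated = registration.data && registration.data.generated_email;
  if (isPlaceholder(generated)) {
    jwt.email = generated;
  }
}
// Facebook reconcile lambda in the shape of trevorr's snippet, using the same helper.
function facebookReconcile(user, registration, facebookUser) {
  if (!facebookUser.email) {
    user.email = syntheticEmail(facebookUser.id);
  }
}

// Constructed sample inputs standing in for what FusionAuth would pass to the lambdas.
function demo() {
  var registration = { data: {} }, jwt = {}, fbAccount = {};
  samlReconcile({}, registration, { assertion: { subject: { nameID: { id: 'alice.smith@corp' } } } });
  jwtPopulate(jwt, {}, registration);
  facebookReconcile(fbAccount, {}, { id: '115587478085870' }); // id from the log lines above, no email
  return { samlEmail: jwt.email, facebookEmail: fbAccount.email };
}
```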