FusionAuth

    Identity Provider with no email?

    • valentin.alt.raltchev99

      Hello,

      I have been recently introduced to FusionAuth and I need to create a sign-in option through another platform (strava.com). For this job I have created an Identity Provider with OpenID Connect that works with the client ID, client secret, etc. FusionAuth can reach and can also fetch the data from the endpoints, but the problem is that the developers have removed their Email as an accessible data variable. Thus I get:

      "An email address was not provided for the user. This account cannot be used to login, unable to complete this login request."

      My question is such:
      Can I bypass the email requirement somehow or create a static fake email that I will use for every sign in (I assume lambdas will be required)?

      Thank you in advance for the support.

      • dan

        It looks like this is not currently supported. Lambdas can't change username or email, due to security risks:

        The user.email field on the user will be ignored if modified by the lambda function. This is to protect the integrity of the email claim returned by the identity provider. The user.username field on the user will be ignored if modified by the lambda function. This is to mitigate the risks of an account takeover due to a non globally unique identifier.

        -- https://fusionauth.io/docs/v1/tech/lambdas/openid-connect-response-reconcile

        https://github.com/FusionAuth/fusionauth-issues/issues/341 seems like a relevant issue, the resolution of which would help you. Please vote it up. (Unfortunately, I can't give specific guidance as to when it'd be done; see https://fusionauth.io/community/forum/topic/172/the-fusionauth-roadmap for general roadmap guidance.)

        --
        FusionAuth - Auth so modern you can download it.
        https://fusionauth.io

        • robotdan

          In the future we will be supporting OpenID Connect providers that do not return an email address.

          In the short term, if you are on the most recent version of FusionAuth you can make this work by fabricating an email address in your OpenID Connect Reconcile Lambda.

          For example, if the Userinfo response available to you in the Lambda has a user Id of 1234, you can build an email from that Id.

          Example:

          // OpenID Connect reconcile lambda; FusionAuth invokes it as reconcile(user, registration, jwt).
          function reconcile(user, registration, jwt) {
            // Where the user's unique Id is the 'sub' claim.
            user.email = jwt.sub + '@no-email-strava.com';
          }

          This will only work if the JWT does not come back with a claim called email.

          • dan
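          The workaround above derives the placeholder address from the `sub` claim. The following is an added example, not code from FusionAuth or from anyone in this thread, showing the shape such a lambda takes when it only fills the gap the provider left (a real `email` claim is never overwritten), keeps the placeholder unique per `sub` even when the identifier contains characters that are not valid in an email local part, and copies profile claims only when they are present so a claim sent once (or never) cannot blank a stored value. It assumes the FusionAuth OpenID Connect reconcile signature `reconcile(user, registration, jwt)` and a placeholder domain you control (`PLACEHOLDER_DOMAIN`, here `no-email.example.com`; the thread used `no-email-strava.com`). It uses ES5 syntax because FusionAuth lambdas run in a restricted JavaScript engine; the `runSample` harness at the end is only there to exercise the lambda offline.

```javascript
// Added example, not FusionAuth's own code. Assumptions: the lambda follows
// FusionAuth's OpenID Connect reconcile signature reconcile(user, registration, jwt),
// and PLACEHOLDER_DOMAIN is a domain you control and never deliver mail for.
// ES5 syntax only, since FusionAuth lambdas run in a restricted JavaScript engine.

var PLACEHOLDER_DOMAIN = 'no-email.example.com'; // assumption: swap for your own domain

// Encode a provider 'sub' into characters that are valid in an email local part.
// Every character outside [A-Za-z0-9.-], including '_' (the escape character
// itself), becomes '_<hex>_', so two distinct subs can never collide on the
// same placeholder address.
function safeLocalPart(sub) {
  return String(sub).replace(/[^A-Za-z0-9.-]/g, function (ch) {
    return '_' + ch.charCodeAt(0).toString(16) + '_';
  });
}

function reconcile(user, registration, jwt) {
  // Only fabricate an address when the provider sent no email at all. A real
  // 'email' claim is reconciled by FusionAuth itself, and (per the docs quoted
  // earlier in this thread) a lambda-assigned user.email would then be ignored.
  if (!user.email && !jwt.email) {
    if (jwt.sub) {
      user.email = safeLocalPart(jwt.sub) + '@' + PLACEHOLDER_DOMAIN;
    }
    // With no 'sub' there is no stable identifier to derive from: leave
    // user.email unset and let FusionAuth reject the login as it does today.
  }

  // Copy profile claims only when present. A provider that sends a claim once
  // (or never) must not blank a value FusionAuth already stores for the user.
  if (jwt.given_name) { user.firstName = jwt.given_name; }
  if (jwt.family_name) { user.lastName = jwt.family_name; }
  if (jwt.name) { user.fullName = jwt.name; }
}

// Offline harness (not part of the lambda): apply reconcile() to a constructed
// JWT payload and return the resulting user object, so the behaviour can be
// checked without a FusionAuth instance.
function runSample(jwtPayload, existingUser) {
  var user = existingUser || {};
  reconcile(user, {}, jwtPayload);
  return user;
}
```

          Using a domain that is yours but never receives mail matters because the address becomes the account's identifier in FusionAuth: nobody else should be able to register or receive mail at it. The "copy only when present" guard is the same one you would want for a provider that sends the name only on the first authentication, as robotdan describes for Apple later in this thread.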

            Great. I'll incorporate this workaround into our docs.

            • twosevenxyz

              Any chance we can do this for Facebook on the latest version?

              • dan

                Ah, you mean for the Facebook provider, not for openid connect? Did you try it and it didn't work?

                • twosevenxyz (last edited by twosevenxyz)

                  I added the following lambda, but I'm quite confident that the lambda function never runs.

                  // Using the response from Facebook Me API, reconcile the User and User Registration.
                  function reconcile(user, registration, facebookUser) {
                    user.firstName = facebookUser.first_name;
                    user.middleName = facebookUser.middle_name;
                    user.lastName = facebookUser.last_name;
                    user.fullName = facebookUser.name;

                    if (facebookUser.picture && !facebookUser.picture.data.is_silhouette) {
                      user.imageUrl = facebookUser.picture.data.url;
                    }

                    if (facebookUser.birthday) {
                      // Convert MM/dd/yyyy -> YYYY-MM-DD
                      var parts = facebookUser.birthday.split('/');
                      user.birthDate = parts[2] + '-' + parts[0] + '-' + parts[1];
                    }

                    if (!facebookUser.email) {
                      // The Me API identifies the user by 'id'; a Graph API response carries no 'sub' claim.
                      user.email = facebookUser.id + '@no-email.twoseven.xyz';
                      console.info('Added missing email: \n' + JSON.stringify(facebookUser));
                    }
                  }

                  Whenever I perform a login with a Facebook account that has no email registered, I see the following in the event log:

                  ...
                  8/28/2020 05:05:45 AM EDT Call the [https://graph.facebook.com/oauth/access_token] endpoint.
                  8/28/2020 05:05:45 AM EDT Endpoint returned status code [200]
                  8/28/2020 05:05:45 AM EDT The identity provider was unable to reconcile the email address. An email address is required to complete this request.
                  • robotdan

                    The workaround described above only works for OpenID Connect based IdPs; it will not work for Facebook. If the Facebook user is not providing you their email, they will not be able to log in.

                    • twosevenxyz

                      From my (layman's) standpoint, that feels a bit arbitrary 🤔
                      Is a Facebook login different from OIDC? Is there a good reason as to why FusionAuth is preventing these users from being able to login?

                      • robotdan

                        Perhaps arbitrary. It is sort of a hack to allow some specific OIDC IdPs to work.

                        In the case of Facebook, the reason for an email address being omitted from the response is easier to discern in FusionAuth. When you configure a Facebook IdP, you are inherently asking FusionAuth to defer authentication to Facebook.

                        The Facebook user can optionally decide to not share their email with FusionAuth. I am assuming this is the case since you are not getting an email back from Facebook.

                        In this scenario, we fail the login because the user has chosen not to share their email address.

                        So this is the reason why we don't allow the user to login.

                        The longer term solution to this is coming - where FusionAuth will take a unique Id from Google, Facebook, Twitter etc - and record their unique Id instead of just relying upon the email address. This will allow us to recognize the user uniquely apart from their email address. This will likely also allow FusionAuth to reconcile the user and possibly make the email address optional when creating the user.

                        • bogorad (last edited by bogorad)

                          Is 'login with Apple' working right now? I get the above-mentioned error with different accounts. I followed the instruction here - maybe it's a bit out of date?

                          I don't get asked by Apple whether I want to give my real or fake email, so FusionAuth must not be asking for it?

                          Apple dev doc says:

                          To request user information in the id_token (assuming you are requesting via the /auth/authorize REST API), you’ll need to include the scope query parameter, which supports the values—name and email. You can request one, both, or none.
                          Note: Use space separation and percent-encoding for multiple scopes; for example, “scope=name%20email”.

                          ...

                          If you request the user’s verified email address, Sign in with Apple prompts the user for it, to share with your app. The user may choose to share their real email address or an anonymous one that uses the private email relay service. In both cases, Apple verifies that the email address works and is ready for use.

                          Thanks!

                          • robotdan

                            I am using name email as it shows in the documentation and I can log in. You can enable debug on the Apple Identity Provider which may provide you some additional details if it is not working.

                            • bogorad

                              Checked again. Here's the screenshot:

                              [screenshot: fua-a.png]

                              Apple authentication is done, back to FusionAuth, and still

                              An email address was not provided for the user. This account cannot be used to login, unable to complete this login request.

                              I can't really debug inside Docker - the Portainer->log only shows an irrelevant error that happened ages ago:

                              26-Sep-2020 13:55:07.670 INFO [http-nio-9011-exec-2] org.apache.tomcat.util.http.Parameters.processParameters Invalid chunk starting at byte [172] and ending at byte [173] with a value of [=] ignored
                              Note: further occurrences of Parameter errors will be logged at DEBUG level.
                              WARNING: An illegal reflective access operation has occurred
                              WARNING: Illegal reflective access by org.apache.ibatis.reflection.Reflector (file:/usr/local/fusionauth/fusionauth-app/web/WEB-INF/lib/mybatis-3.4.6.jar) to field java.util.UUID.serialVersionUID
                              WARNING: Please consider reporting this to the maintainers of org.apache.ibatis.reflection.Reflector
                              WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
                              WARNING: All illegal access operations will be denied in a future release

                              • dan

                                Hiya,

                                Can you please check the debug setting (below 'reconcile lambda') and run through the login sequence again? It'd be great to see if that provides more details.

                                • bogorad @dan

                                  @dan here's the message:

                                  An email address was not provided for the user. This account cannot be used to log in, unable to complete this login request.

                                  debug is enabled, but I have no idea where to look for logs - under docker the log that is seen in e.g. Portainer is only showing some older warnings:

                                  WARNING: Please consider reporting this to the maintainers of org.apache.ibatis.reflection.Reflector
                                  WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
                                  WARNING: All illegal access operations will be denied in a future release

                                  Another interesting thing: of two of my friends who tried it, one was able to log in, and Apple even asked him if he wanted to hide his real email address. The other one got the same message that I'm getting.

                                  • dan (last edited by dan)

                                    Hiya,

                                    Hmmm. That's not super helpful, eh? The ibatis errors shouldn't be related (see https://github.com/FusionAuth/fusionauth-issues/issues/721 for more about that particular warning).

                                    Just to check, the screenshot you shared had debug disabled, but you definitely enabled it?

                                    Are you seeing anything in the event log (in the admin UI) that might shed more light on the situation?

                                    Does the email address you are using to try to login with have any special characteristics?

                                    • bogorad

                                      I played with it more and found this:

                                      1. Login with Apple sometimes works, sometimes doesn't. It looks like users with emails that are not known to my FusionAuth are fine. But existing emails are not.

                                      2. When a new user is successfully registered via Google or Twitter (didn't try other providers), all three fields are returned by /oauth2/userinfo: 'given_name', 'family_name', and 'name'. And consequently the FusionAuth database has all three: 'firstName', 'lastName', and 'fullName'.

                                      However, when a new user is onboarded via the Apple plugin, the user is missing 'name' as returned by /oauth2/userinfo, and 'FullName' is also missing from the database.

                                      • robotdan

                                        The results of the Userinfo endpoint will reflect what is in the JWT and what additional details FusionAuth knows about the user.

                                        So with Twitter, Facebook, Google and Apple, this will all depend upon what is returned from those providers, and then subsequently what you do with that information during login.

                                        Each of these IdPs can be assigned a Reconcile Lambda; a default lambda is provided with FusionAuth that you can use and modify.

                                        https://fusionauth.io/docs/v1/tech/lambdas/apple-reconcile/
                                        https://fusionauth.io/docs/v1/tech/lambdas/facebook-reconcile/
                                        https://fusionauth.io/docs/v1/tech/lambdas/google-reconcile/
                                        https://fusionauth.io/docs/v1/tech/lambdas/twitter-reconcile/

                                        In your example, are you using an Apple Reconcile Lambda, and if so, can you post your lambda function?

                                        Apple will only return the user's first and last name on the very first authentication event. Subsequent events will not contain this information, so if you were to log a user in using the Apple provider, and then subsequently assign a reconcile Lambda that would otherwise attempt to capture this information, you will not have that User's first and last name in FusionAuth.

                                        Similarly with Twitter, we would need to see your reconcile Lambda function body that you have assigned to this IdP configuration to understand what is being obtained from Twitter and stored in FusionAuth.

                                        Hope that helps!

                                        • fusionauth_user

                                          Can we just skip the login part and just return the userInfo?

                                          • bogorad @robotdan

                                            @robotdan said in Identity Provider with no email?:

                                            Each of these IdPs can be assigned a Reconcile Lambda, a default lambda is provided with FusionAuth that you can use and modify.

                                            I'm using the default lambda. And it does NOT return "name/fullname" as I mentioned earlier. Google and Twitter do return "name/fullname".

                                            Here's how Apple Identity provider is set up:

                                            [screenshot: download.png]
