問題描述
FusionAuth ‑ 基於邀請的用戶登錄與社交登錄 (FusionAuth ‑ Invite based user on‑boarding with social logins)
我們使用他們的電子郵件地址創建用戶。我們向每個用戶發送電子郵件,其中包含使用 changePasswordId 更改密碼 api 的鏈接。當用戶單擊鏈接時,他將被重定向到更改密碼屏幕,在那裡他可以設置密碼並訪問應用程序。這行得通。
但是,現在我們希望允許用戶在收到邀請/驗證電子郵件後使用他們的社交 Idps 進行註冊。在這部分看不到任何 fusionauth 文檔。
問題如下
- 如何讓用戶在驗證郵箱的同時選擇自己的社交Idp?
- 一個用戶可以用不同的Idp進行多次登錄嗎? FusionAuth 中的一個應用程序?
- 是否有任何鏈接 api 將所有外部用戶帳戶與其 fusionauth 用戶帳戶鏈接?
我們期望的流程是:
Invite User ‑> User clicks link ‑> User will be presented with set
password and social logins‑> User chooses google ‑> Google
authenticates user and returns token back to fusion auth ‑> fusion
auth links user's google account with already created (invited) user
account. ‑> Next time user logs in with google account ‑> Fusion auth
identifies the user and allows him to access the application.
更新: 讓我試著解釋一下我們的情況和需求,而不是關注密碼設置任務:
我們需要在自定義學校域上設置與基於谷歌的教育帳戶相關聯的新用戶。教師和學生的地址可能類似於 first.last@middle.school.com 我們需要從 Google Classroom 獲取班級名冊,通過我們的 API 在我們的後端為每個學生初始化帳戶,這也創建了 FusionAuth每個用戶和應用程序註冊。
學校通常不希望孩子們在供應商網站上設置密碼。當我們向新的學生群發送帳戶確認/驗證電子郵件時,理想情況下,他們會被引導到該域的批准和配置方法(可能是 Google、Microsoft、其他 SAML 或密碼)。如果在學生提供她的邀請電子郵件地址後我們無法選擇顯示的確認方法,那麼我們可以在同一屏幕上顯示多個確認選項,讓老師指導學生選擇正確的選擇。
但總而言之,我們需要避免在學校要求時要求設置密碼並支持受邀社交帳戶的確認。
其他 SAML 或密碼)。如果在學生提供她的邀請電子郵件地址後我們無法選擇顯示的確認方法,那麼我們可以在同一屏幕上顯示多個確認選項,讓老師指導學生選擇正確的選擇。但總而言之,我們需要避免在學校要求時要求設置密碼並支持受邀社交帳戶的確認。
其他 SAML 或密碼)。如果在學生提供她的邀請電子郵件地址後我們無法選擇顯示的確認方法,那麼我們可以在同一屏幕上顯示多個確認選項,讓老師指導學生選擇正確的選擇。但總而言之,我們需要避免在學校要求時要求設置密碼並支持受邀社交帳戶的確認。
但總而言之,我們需要避免在學校要求時要求設置密碼並支持受邀社交帳戶的確認。 但總而言之,我們需要避免在學校要求時要求設置密碼並支持受邀社交帳戶的確認。參考解法
方法 1:
If I understand your use case correctly, what you want is to add the "Login with Google buttons" to the Setup Password workflow. This is different than the Email Verification workflow, so if you are looking for a way to log users in with their social profiles during Email Verification, that's something completely different. In fact, I don't think that is a use case because after the user verifies their email, they need to log in again and they can do that using their social profile.
Unfortunately, FusionAuth doesn't fully support the ability to allow someone to use the Setup Password workflow using a social login. It might be possible though using the Email Templates and Theme editor in FusionAuth. I haven't tested this, but you could try it and see if it works.
What you would do is to pass in a URL parameter to show the social login buttons during the Setup Password workflow. This would be something you could do in the email template for Setup Password like this:
Click this link to setup your password:
<a href="https://example.com/password/change/${changePasswordId}?showSocial=true">
Setup Password
</a>
Then, using the Theme editor in FusionAuth, you would add some code in to show the buttons like this (the ?? part is to handle when the parameter is missing):
[#if showSocial?? && showSocial]
show social buttons here
[/#if]
You could give that a try and see if it works for your use case. If it doesn't work, you can always open a feature request for this on our GitHub issue tracker and we can see if it receives enough upvotes to get on the roadmap. You can also engage FusionAuth professional services to build this feature for you as well.
For your other questions, you can have as many logins with external IdPs as you want for a single user. The user is unique by their email address.
I'm not sure what you mean by "linking api", but if a user logs in with an external IdP, their tokens from those external providers are stored on the user object. You can look up those values and then call third‑party APIs with their access_tokens.
UPDATE 8/27/2019
Ah yes. The social login buttons do require all of the OAuth parameters, so this solution won't work because those parameters aren't part of the Setup Password workflow.
I guess I'm confused on how this actually works and whether or not this is a workflow FusionAuth should be handling. Social logins aren't generally used for account verification. They are normally used for account creation. For example, you could just send the student to FusionAuth before their account is created, they login with their Google classroom account, and then they have a FusionAuth account. Is there any reason the student can just login in after their account is created? Is that not essentially the same thing?
Could you do something where students that have accounts in Google Classroom are created in FusionAuth with a randomly generated 32 character password (for security) since they will be logging in with Google regardless. You can then just send them an email with a standard login link.
For students that login in with a username and password to FusionAuth directly, send them a Setup Password email. This will let them pick their own password.
In terms of account Linking, FusionAuth links accounts automatically based on email address (the unique login identifier actually). Therefore, you don't need to call any extra API to associate the social login with a user.
I might still not be clearly understanding the use case, so feel free to contact us directly using the form on our website. We might need to setup a web conference to discuss your needs in detail.