IdentityServer / IdentityServer3

OpenID Connect Provider and OAuth 2.0 Authorization Server Framework for ASP.NET 4.x/Katana
https://identityserver.github.io/Documentation/
Apache License 2.0

Handle external login where `email` is not provided #3343

Closed gerektoolhy closed 7 years ago

gerektoolhy commented 7 years ago

Scenario

  1. Use Facebook social login to try to log in. Request email info (scope: email).
  2. The Facebook user unticks 'email', thus 'email' is not returned from the external IdP. FYI, the same happens if the user has only a mobile number but no email; this configuration is possible with Facebook.
  3. IdentityServer treats this as an error and renders the error page. The IdentityServer3 code which handles this is here. Excerpt below:
```csharp
public async Task<IHttpActionResult> LoginExternalCallback(string error = null)
{
    // ...
    if (error.IsPresent())
    {
        // ...
        return RenderErrorPage(String.Format(localizationService.GetMessage(MessageIds.ExternalProviderError), error));
    }
    // ...
}
```

Question / Issue

  1. Is there a way to detect that the user is not willing to provide, or does not have, email info? I.e. instead of showing a generic error screen, would it be possible for idsrv to step in and, perhaps using partial logins, show an extra screen where the user would be asked to enter his email?
  2. Alternatively, would it be possible to redirect back to the app, so the app could take over and display a custom error message: "sorry, but we could not get all the data we need, or there was an error"?
  3. Any other options for handling this?

Relevant parts of the log file

2016-11-01 08:34:02,780 [35] INFO  IdentityServer3.Core.Endpoints.AuthenticationController [(null)] - Callback invoked from external identity provider
2016-11-01 08:34:02,782 [35] ERROR IdentityServer3.Core.Endpoints.AuthenticationController [(null)] - External identity provider returned error: access_denied

Related / Similar issues

Both of these issues were because the Google+ API was not enabled.

  1. https://github.com/IdentityServer/IdentityServer3/issues/2167
  2. https://github.com/IdentityServer/IdentityServer3/issues/1666

smallswan399 commented 7 years ago

I currently have the same issue here. I tried to configure my IdentityServer to utilize Facebook as an external identity provider; the configuration requests the "email" scope as well. However, Facebook does not return the "email" claim. Why? There is an answer here: http://stackoverflow.com/questions/17532476/facebook-email-field-return-null-even-if-the-email-permission-is-set-and-acce

So, how can IdentityServer3 be customized to allow the user to enter his email address if the external identity provider does not return the email claim?

leastprivilege commented 7 years ago

Check the docs for partial logins.
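One way to apply the partial-login advice, as an added example that is not code from this issue or from the IdentityServer3 project. It covers the case where the external handshake completes but the provider sends no `email` claim; the `error=access_denied` path in the controller excerpt above returns the error page before any user service runs, so it is not reached here. Assumptions: the IdentityServer3 custom user service API (`UserServiceBase`, `ExternalAuthenticationContext`, the partial-login `AuthenticateResult` constructor), the OWIN environment extensions listed under "Partial logins" in the docs, and that resuming a partial login started from an external identity re-invokes `AuthenticateExternalAsync` with the updated claims. The in-memory store, the `~/account/collectemail` route and the `IsPlausibleEmail` helper are made up for the example.

```csharp
// Added example, not IdentityServer3 project code. Assumed APIs: UserServiceBase,
// ExternalAuthenticationContext, AuthenticateResult and the partial-login OWIN
// extensions from the IdentityServer3 docs. Store and route names are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using IdentityServer3.Core;
using IdentityServer3.Core.Extensions;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.Default;

public class ExternalUserService : UserServiceBase
{
    // Hypothetical account store: "provider:providerId" -> local subject id.
    // Accounts are keyed on the provider identity, never on a typed-in email.
    private static readonly Dictionary<string, string> Subjects = new Dictionary<string, string>();

    public override Task AuthenticateExternalAsync(ExternalAuthenticationContext context)
    {
        var ext = context.ExternalIdentity;
        var key = ext.Provider + ":" + ext.ProviderId;
        var email = ext.Claims.FirstOrDefault(c => c.Type == Constants.ClaimTypes.Email);
        string subject;

        if (Subjects.TryGetValue(key, out subject))
        {
            // Known user: complete the login, recording which IdP authenticated them.
            context.AuthenticateResult = new AuthenticateResult(subject, ext.ProviderId,
                identityProvider: ext.Provider);
        }
        else if (email == null)
        {
            // New user and no email claim: start a partial login. IdentityServer keeps
            // the external identity in its partial-login cookie and redirects the
            // browser to this app-local page instead of rendering the error page.
            context.AuthenticateResult = new AuthenticateResult("~/account/collectemail", ext);
        }
        else
        {
            // New user with an email claim (from the IdP, or added on the partial-login
            // page and present again when the login resumes): provision and sign in.
            subject = Guid.NewGuid().ToString("N");
            Subjects[key] = subject;
            context.AuthenticateResult = new AuthenticateResult(subject, email.Value,
                new[] { email }, identityProvider: ext.Provider);
        }
        return Task.FromResult(0);
    }
}

[RoutePrefix("account/collectemail")]
public class CollectEmailController : Controller
{
    [HttpGet, Route("")]
    public async Task<ActionResult> Index()
    {
        // Serve the page only while a partial login is actually in progress.
        var env = Request.GetOwinContext().Environment;
        if (await env.GetIdentityServerPartialLoginAsync() == null) return new HttpUnauthorizedResult();
        return View();
    }

    [HttpPost, Route(""), ValidateAntiForgeryToken]
    public async Task<ActionResult> Index(string email)
    {
        var env = Request.GetOwinContext().Environment;
        var partial = await env.GetIdentityServerPartialLoginAsync();
        if (partial == null) return new HttpUnauthorizedResult();

        if (!IsPlausibleEmail(email))
        {
            ModelState.AddModelError("email", "Enter a valid email address.");
            return View();
        }

        // The address is user-supplied and unverified: mark it so, and keep the
        // claims the IdP already sent (assumed: the update replaces the claim set).
        var claims = partial.Claims
            .Where(c => c.Type != Constants.ClaimTypes.Email && c.Type != Constants.ClaimTypes.EmailVerified)
            .Concat(new[]
            {
                new Claim(Constants.ClaimTypes.Email, email.Trim()),
                new Claim(Constants.ClaimTypes.EmailVerified, "false"),
            })
            .ToList();
        await env.UpdatePartialLoginClaimsAsync(claims);

        // Hand control back to IdentityServer, which re-runs the user service.
        return Redirect(env.GetPartialLoginResumeUrl());
    }

    // Hypothetical minimal syntax check; real deployments confirm ownership by mail.
    private static bool IsPlausibleEmail(string value)
    {
        if (string.IsNullOrWhiteSpace(value) || value.Length > 254) return false;
        var at = value.IndexOf('@');
        return at > 0 && at == value.LastIndexOf('@') && at < value.Length - 1;
    }
}
```

Register the service through `IdentityServerServiceFactory.UserService` as the custom user service docs describe. The point of `email_verified = false` and of keying the account on `provider:providerId` is that the typed address proves nothing: a flow that instead looked up an existing local account by that address and signed the user into it would let anyone who knows a victim's email claim the account, so linking to existing accounts should wait for a mailed verification step.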

gerektoolhy commented 7 years ago

Closing the issue. Will add more details when we've figured out the way to do this.