Ramsai•15mo ago

Login error while handling external logins in a Custom Login UI

Hello, I am working on adding Google IdP to my custom login. When I try to log in with Google, the userID is not displayed in the URL parameters, but I can find the user ID in the response of the request endpoint https://$ZITADEL_DOMAIN/v2/idp_intents/$INTENT_ID. I found the user ID just after the raw information of the response. The user ID which I am getting as a response, is it a valid one? Can I use that user ID to call the create new session endpoint? Because the response is different from the documentation given. I have tried using the user ID from the response of the intent id endpoint; it is throwing a 404 error, saying that the "user cannot be found". Since the endpoint is not successfully hit, the user is not reflecting in the management UI console. I have allowed all of these in my IDP settings.
[image attachments]
17 Replies
FFO•15mo ago
hm good question, maybe @peintnermax knows
RamsaiOP•15mo ago
Hi @peintnermax, any update on this? 🙂
stebenz•15mo ago
To my understanding, the userID is returned if a user exists and is linked with the user from Google in your case, and it is also added to the URL as a parameter.
shree_harsha•15mo ago
In our case, the user ID is not added to the URL query parameter. We are not sure whether the user exists and is linked to Google, as the user doesn't exist in the dashboard. We are getting an error ("user not found") with the returned user ID from the intent response when creating a session with this API (https://zitadel.com/docs/guides/integrate/login-ui/external-login#login).
stebenz•15mo ago
Ah, now I see the confusion: there are 2 userIDs contained in the response, as you see here https://zitadel.com/docs/apis/resources/user_service_v2/user-service-retrieve-identity-provider-intent#responses
stebenz•15mo ago
The userID in the root is the userID from ZITADEL, which does not exist if no user exists or is linked, and the userID in the idpInformation is the ID of the user in the external IDP, for example Google.
stebenz•15mo ago
There is no linked user, so the user has to be created first; otherwise the response would look something like this:
{
  "details": {
    "sequence": "599",
    "changeDate": "2023-06-15T06:44:26.039444Z",
    "resourceOwner": "163840776835432705"
  },
  "userId": "internal",
  "idpInformation": {
    "userId": "external",
    "oauth": {
      "accessToken": "ya29...",
      "idToken": "ey..."
    },
    "idpId": "218528353504723201",
    "rawInformation": {
      "User": {
        "email": "minni@mouse.com",
        "email_verified": true,
        "family_name": "Mouse",
        "given_name": "Minnie",
        "hd": "mouse.com",
        "locale": "de",
        "name": "Minnie Mouse",
        "picture": "https://lh3.googleusercontent.com/a/AAcKTtf973Q7NH8KzKTMEZELPU9lx45WpQ9FRBuxFdPb=s96-c",
        "sub": "111392805975715856637"
      }
    }
  }
}
RamsaiOP•15mo ago
But we have selected an option to create an account if it doesn't exist. Why do we have to create the user again? We should be able to directly log in without registration if we have selected that option in the Zitadel management console, right? Please correct me if I am wrong.
stebenz•15mo ago
The option to create a user if none exists refers to the integrated login. If you use the intent, then your logic should look something like this https://zitadel.com/docs/guides/integrate/login-ui/external-login#flow, as also described here https://zitadel.com/docs/guides/integrate/login-ui/external-login#register: 'If you didn't get a user ID in the parameters of your success page, you know that there is no existing user in ZITADEL with that provider, and you can register a new user or link it to an existing account (read the next section).'
shree_harsha•15mo ago
Firstly, as we are not getting a user_id on the success page, we tried to register the user. When we attempted to do this, we encountered an error with the register API: "invalid AddHumanUserRequest.IdpLinks[0]: embedded message failed validation | caused by: invalid IDPLink.UserId: value length must be between 1 and 200 runes, inclusive". Since we don't have a userID, we are registering users with the above-mentioned API. But the same API is expecting a userID. Secondly, what is the purpose of the automatic user creation checkbox on the dashboard when adding an external IDP, as shown in the screenshot?
[image attachment]
stebenz•15mo ago
As I tried to explain, here the userID is again context-dependent: IDPLink.UserId means the UserID in Google which you want to directly link to the newly created user. To the second question, the automatic user creation can be used in a custom login, but that's integrated in the login itself. It is included in our login and configurable through this boolean, but if you want to make it configurable in your custom login, you would need to handle it yourself.
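The branching stebenz describes across the last few replies (root userId present means create a session with the intent; root userId absent means register a user whose idpLinks[0].userId is the Google ID from idpInformation, not a ZITADEL ID) is shown below as an added example; it is not code from the thread or from ZITADEL. It assumes the v2 request shapes from the linked docs (session checks with idpIntentId/idpIntentToken, AddHumanUser with idpLinks of idpId/userId/userName) and that the caller already holds the intent id and token from the success-page URL; the sample intent response is constructed after the one quoted above.

```python
import json

# Constructed sample intent response: no root "userId", so no ZITADEL user is
# linked to this Google account yet. Only "idpInformation.userId" (the Google
# subject) is present.
UNLINKED_INTENT = json.loads("""{
  "details": {"sequence": "599", "resourceOwner": "163840776835432705"},
  "idpInformation": {
    "userId": "111392805975715856637",
    "idpId": "218528353504723201",
    "rawInformation": {"User": {"email": "minni@mouse.com", "email_verified": true,
      "given_name": "Minnie", "family_name": "Mouse",
      "sub": "111392805975715856637"}}
  }
}""")

# Same response but with a root userId, i.e. an already linked ZITADEL user.
# "placeholder-zitadel-user-id" is a constructed value, not a real ID.
LINKED_INTENT = dict(UNLINKED_INTENT, userId="placeholder-zitadel-user-id")


def validate_idp_link(link: dict) -> None:
    """Mirror the server-side rule quoted in the thread (1..200 runes) so a
    missing external user ID fails locally instead of as a 400 from the API."""
    uid = link.get("userId") or ""
    if not 1 <= len(uid) <= 200:
        raise ValueError("IDPLink.userId must be 1..200 runes; "
                         "use idpInformation.userId, not the ZITADEL userId")


def next_step(intent: dict, intent_id: str, intent_token: str):
    """Return (action, request_body) for the custom login's next API call.

    action is "create_session" when ZITADEL already knows the user, otherwise
    "register" with the Google ID placed in idpLinks so the new user is linked.
    """
    idp = intent["idpInformation"]
    zitadel_user_id = intent.get("userId")  # root-level ID, absent when unlinked

    if zitadel_user_id:
        body = {"checks": {
            "user": {"userId": zitadel_user_id},
            "idpIntent": {"idpIntentId": intent_id, "idpIntentToken": intent_token},
        }}
        return "create_session", body

    raw = idp.get("rawInformation", {}).get("User", {})
    link = {"idpId": idp["idpId"],
            "userId": idp["userId"],          # external (Google) user ID
            "userName": raw.get("email", "")}
    validate_idp_link(link)
    body = {
        "username": raw.get("email"),
        "profile": {"givenName": raw.get("given_name"),
                    "familyName": raw.get("family_name")},
        "email": {"email": raw.get("email"),
                  "isVerified": bool(raw.get("email_verified"))},
        "idpLinks": [link],
    }
    return "register", body


if __name__ == "__main__":
    for name, intent in (("unlinked", UNLINKED_INTENT), ("linked", LINKED_INTENT)):
        action, body = next_step(intent, "INTENT_ID_PLACEHOLDER", "TOKEN_PLACEHOLDER")
        print(name, "->", action, json.dumps(body, indent=2))
```

After the register call succeeds, the userId in its response is the ZITADEL one, and that is the value to pass to the session endpoint; the register body above never needs a ZITADEL userId at all, which is what the "value length must be between 1 and 200 runes" error was pointing at.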
shree_harsha•15mo ago
The request body described on the create user request API page vs. the custom login page is completely different. We used the custom login page request, which was the issue and is now fixed. Can you please update the docs on the custom login page, as it might confuse others?
shree_harsha•15mo ago
[image attachments]
stebenz•15mo ago
Where is this specific call located exactly? So that I can have a look at whether we need to change it.
shree_harsha•15mo ago
ZITADEL Docs: Create/import a new user with the type human. The newly created user will get a verification email if either the email address is not marked as verified and you did not request the verification to be returned.
shree_harsha•15mo ago
The idpLinks fields are completely different in both places.