OAuth new user's password

I have this scenario:

  • We have an external Identity authentication method working.
  • A user is created using $core_v2_authentication.CreateLoginAndRedirect method, with the overload #2, which creates a new user from an OAuth data token
  • On the options parameter, you can include different things like Email, DisplayName, etc.
  • None of them includes a Password option, but the user is created successfully and can login with a token to the site with no problems.

Now, we are updating the Identity provider which is going to send us a different identity ID, in order to update the identity ID, we have the right Username  that matches the Email ; but, there is one last step when we want to link the account. We're gonna be using the $core_v2_authentication.LinkLoginAndRedirect method, which requires $oAuthDataToken, $userName, $password, rememberUser, $redirectUrl as parameters. We have all of them, except for the $password. As I mentioned above, users created with an OAuth data token never used/have one. What should we do?

We are using Telligent


  • There is not a way to update the external ID of a user linked through OAuth authentication. You can add a new link to an existing account, but only if that local account is authenticated via a password (as you noted). An account that was created using an OAuth link can request a local password (within Community) and then link to a new OAuth-based authentication provider, but that's going to be quite awkward to do for all users.

    When using an external authentication mechanism as the primary/only authentication mechanism, you should use IExternalAuthenticationPlugin ( https://community.telligent.com/community/10/w/api-documentation/59873/iexternalauthenticationplugin-v2-plugin-type ) -- this allows the external authentication provider to handle all authentication details directly.

    You could move to an IExternalAuthenticationPlugin now to support the external ID change. There is a training article about implementing such a plugin: https://community.telligent.com/community/10/w/developer-training/53136/single-sign-on-plugins

  • Hi Ben,

    Thanks so much for your reply. I'm trying now the solution you suggested and I will like to understand which values should I set to ReturnUrlParameter. I guess I'm not understanding what we should return once we are coming back from the External ID

  • ReturnUrlParameter is the query string parameter name that Community will assign the URL that the user should be returned to after authenticating. For example, if ReturnUrlParameter is set to "gobackto", then when Community directs users to the external authenticator, it will include gobackto=https://mycommunity.com/etc so that the external authenticator can return the user back to the community where they were after they authenticate (or cancel).

  • Sorry to bother with this but I have an implementation (working one) of the IOAuthClient plugin. I am now trying to replace with the one you suggested, IExternalAuthenticationPlugin and  I'm seeing that the method GetAuthenticatedUserId keeps calling again and again and again. The first time, I can get all of the information coming from the accessing user and if already exists, I can retrieve Telligent's UserID to return. But since its calling again many times, the second time it gets invalidated of course and I'm stuck. Why this should be happening?

  • As an IExternalAuthenticationPlugin, the plugin is responsible for identifying the user on every request, not just when authenticating. It is up to the plugin to persist the authenticated user through future requests. It could use a cookie, for example, or other details on the HTTP request to identify on secondary requests.

  • Hi Ben, it's me again. About this ReturnUrlParameter, let me clarify a little bit what are we using at the External Authenticator so you have a better picture and perhaps give me a suggestion:

    • The external authenticator uses an Authorization Code grant type which is used to exchange an authorization code for an access token.
    • Based on the above, we need to set a redirect_uri with a whitelisted URI where the external authenticator is going to return once the client is authenticated with the Auth0 Code.
    • After the user returns to the client via the redirect URL, the application will get the authorization code from the URL and use it to request an access token.

    So in other words, the external authenticator is not going to return or redirect users  where they were, once authenticated, that should be handle it by us, in the platform. With the IOAuthClient, that was happening via RedirectUrl parameter in the .vm code, but now I don't think there's .vm interaction, so I'm not sure how we should manage this. 

  • IExternalAuthenticationPlugin is not related to OAuth. It defers authentication to URLs that will handle the authentication and provide authentication details to be detected on return. Generally, the URLs provided by the IExternalAuthenticationPlugin are external (not in the Community platform). Users will be taken to this external web site to provide credentials, authenticate, and be returned to Community with a cookie/token/key that can be read within Community (by the IExternalAuthenticationPlugin) to log the user in (potentially creating the user account in the process).

    The URLs provided by the IExternalAuthenticationPlugin should not be OAuth API URLs.