Xbox IdP Linking on email when Xbox does not return email
What happened?
Question on Xbox sign-in: I have this set up, and it is asking for the correct scopes, but it is not mapping email correctly.
It appears that we are calling https://login.live.com/oauth20_token.srf first, and it correctly returns
{
  "ver": "2.0",
  "iss": "https://login.live.com/",
  "sub": "AAAAAAAAAAAAAAAAAAAAAAWtIcTAtQJ_P7G1LD0tzqk",
  "aud": "02bd0c68-d591-46de-9464-01442f995412c",
  "exp": 1746296761,
  "iat": 1746210061,
  "nbf": 1746210061,
  "name": "Alex Patterson",
  "preferred_username": "[email protected]",
  "oid": "00000000-0000-0000-0011-d90227bb061",
  "email": "[email protected]",
  ...
}
After this call, we call the Xbox Live endpoint https://user.auth.xboxlive.com/user/authenticate, which returns
{
  "IssueInstant" : "2025-05-02T18:26:01.5548078Z",
  "NotAfter" : "2025-05-03T10:26:01.5548078Z",
  "Token" : "xyz",
  "DisplayClaims" : {
    "xui" : [ {
      "gtg" : "Me@202",
      "xid" : "2533274855507913",
      "uhs" : "11446281356715118283",
      "agg" : "Adult",
      ...
    } ]
  }
}
I want this to link to the email that was in the OAuth call, but it seems to only want to use my gamertag.
5/2/2025 06:26:01 PM Z Linking strategy [LinkByEmail]
5/2/2025 06:26:01 PM Z `Resolved email to [null]` -> should have `[email protected]`
5/2/2025 06:26:01 PM Z Resolved username to [Me@202]
5/2/2025 06:26:01 PM Z Resolved unique Id to [2533274855507913]
5/2/2025 06:26:01 PM Z Identity provider returned a unique Id [2533274855507913].
5/2/2025 06:26:01 PM Z A link has not yet been established for this external user.
5/2/2025 06:26:01 PM Z The user with the email address [null] does not exist.
5/2/2025 06:26:01 PM Z The identity provider was unable to reconcile the email address. An email address is required to complete this request and link by email.
So I am wondering if we should change the logic in the IdP connect?
Version
1.57.0
Affects Versions
No response
Alternatives / Workarounds
Only link on gamertag
We could revisit the Xbox APIs to see if things have changed since we first built this IdP.
But in general we want to honor what the IdP has allowed us to view about the user. So the general rule is: the access token is opaque (even if it isn't in practice), and unless we have asked for the email address of the user, which would ensure that the user has been prompted that a third party is asking for it, we don't want to assume.
So we could revisit the Xbox integration to see if there is a way to ask for the user's email address and ensure the user is notified that we will be receiving it, and then know how to retrieve it, ideally not by inspecting the access token.
But otherwise, the general guideline for Xbox integrations is to use the "Pending link" which allows FusionAuth to link to Xbox by having you tell us how to create your user, or to link to an existing user.
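The policy above (use the email only when the user consented to sharing it, otherwise fall through to a pending link) as a small worked example. This is an added illustration, not FusionAuth's or Microsoft's own code. It assumes, hypothetically, that the caller already holds the token response from login.live.com (its OAuth `scope` string plus the decoded `id_token` claims) and the JSON body from https://user.auth.xboxlive.com/user/authenticate; the sample inputs are constructed from the values quoted in the issue, with `alex@example.com` standing in for the redacted address, and the function names and the `users` directory are invented for the example.

```python
"""Added example: resolve an Xbox/Microsoft sign-in into link attributes,
honoring consented scopes, then apply a linking strategy.
Not FusionAuth code; names and sample data are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample: decoded id_token claims from login.live.com (as quoted
# in the issue; the email is a stand-in for the redacted one).
MS_ID_TOKEN_CLAIMS = {
    "iss": "https://login.live.com/",
    "name": "Alex Patterson",
    "preferred_username": "alex@example.com",
    "email": "alex@example.com",
}

# Constructed sample: body from user.auth.xboxlive.com/user/authenticate.
XBL_RESPONSE = {
    "Token": "xyz",
    "DisplayClaims": {"xui": [{
        "gtg": "Me@202",
        "xid": "2533274855507913",
        "uhs": "11446281356715118283",
        "agg": "Adult",
    }]},
}

# Constructed directory of existing users, keyed by lower-cased email.
EXISTING_USERS = {"alex@example.com": {"id": "user-1", "email": "alex@example.com"}}


@dataclass
class Resolved:
    email: Optional[str]
    username: Optional[str]
    unique_id: Optional[str]


def resolve_identity(granted_scope: str, id_token_claims: dict, xbl_body: dict) -> Resolved:
    """Only surface the email if the `email` scope was actually granted in the
    token response; the gamertag and XUID come from the Xbox Live claims."""
    scopes = set(granted_scope.split())
    xui = xbl_body["DisplayClaims"]["xui"][0]
    email = id_token_claims.get("email") if "email" in scopes else None
    return Resolved(email=email, username=xui.get("gtg"), unique_id=xui.get("xid"))


def link(strategy: str, resolved: Resolved, users: dict) -> dict:
    """Apply a linking strategy. Returns {"result": "linked"|"error"|"pending", ...}
    together with log lines shaped like the ones quoted in the issue."""
    log = [
        f"Linking strategy [{strategy}]",
        f"Resolved email to [{resolved.email or 'null'}]",
        f"Resolved username to [{resolved.username}]",
        f"Resolved unique Id to [{resolved.unique_id}]",
    ]
    if strategy == "LinkByEmail":
        if resolved.email is None:
            log.append("An email address is required to complete this request and link by email.")
            return {"result": "error", "log": log}
        user = users.get(resolved.email.lower())
        if user is None:
            log.append(f"The user with the email address [{resolved.email}] does not exist.")
            return {"result": "error", "log": log}
        return {"result": "linked", "user_id": user["id"], "log": log}
    if strategy == "Pending":
        # Hand the external identity back to the application, which then
        # creates a user or picks an existing one to link to.
        return {
            "result": "pending",
            "external_id": resolved.unique_id,
            "suggested_username": resolved.username,
            "log": log,
        }
    raise ValueError(f"unknown strategy {strategy}")


if __name__ == "__main__":
    # Without the `email` scope granted, LinkByEmail fails exactly as in the issue.
    r = resolve_identity("XboxLive.signin", MS_ID_TOKEN_CLAIMS, XBL_RESPONSE)
    print("\n".join(link("LinkByEmail", r, EXISTING_USERS)["log"]))
    # With consent, the same claims link to the existing user.
    r2 = resolve_identity("XboxLive.signin openid email", MS_ID_TOKEN_CLAIMS, XBL_RESPONSE)
    print(link("LinkByEmail", r2, EXISTING_USERS)["result"])
```

The gate on the `scope` string is the point: reading `email` out of the id_token whenever it happens to be present would link accounts on data the user was never told would be shared, which is the assumption the maintainer wants to avoid.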