Configure a Simple Social Login with Facebook on Your CDK Environment

Setup
, , , , , ,
#1

Introduction

ForgeRock Identity Platform supports authentication through social identity providers such as Facebook and Google, and lets users login to AM using their social provider credentials.

In this article, we configure Facebook as the social identity provider in a CDK deployment.

Note: ForgeRock does not guarantee the individual success developers may have in implementing the code on their development platforms.

References

Prerequisites

  1. You have set up the CDK and your Kubernetes context is set to your CDK cluster.
  2. You have a Facebook Developer account.

Set up a Facebook application

  1. Log in to developers.facebook.com with your Facebook credentials.
  2. Create an application with these parameters:
  3. In the Select an app type screen, select Business:

FB app 1
FB app 1505×600 39.9 KB

  1. In the Create an App screen, specify suitable values for App Display Name and App Contact Email. Select Clients as the App Purpose:

FB app 2
FB app 2595×600 43 KB

  1. In the Add Products to Your App screen, select Facebook Login:

FB app 3
FB app 31200×702 67.5 KB

  1. Select Web as the platform for this app:

image|0x0
image|0x01200×662 63.3 KB

  1. In your application page, navigate to Settings > Basic. Then, click Show in App Secret. Note the App ID and App Secret values. You will need these to configure the social identity provider in AM.

  2. In the Basic settings page, specify the application domain, such as iam.example.com, for your AM deployment in App Domains:

FB basic settings
FB basic settings923×693 54.3 KB

  1. Scroll down and add the URL for your AM deployment in the Website Site URL:

FB basic site
FB basic site1200×575 38.4 KB

  1. Go to Facebook Login > Settings and specify the URL for your AM in the Valid OAuth Redirect URIs:

FB login OAuth redirect

Configure a social identity provider in AM

  1. Log in to the AM admin UI in your environment, and navigate to Realms > your realm > Services. Check if Social Identity Provider Service appears in the list of services configured for the realm:

image|0x0
image|0x0853×736 77.5 KB

  1. If it does not appear in the list, add it: Click Add a Service, and select Social Identity Provider Service from the drop-down list. The service’s configuration page appears.
  2. Ensure that the Social Identity Provider Service is enabled:

image|0x0
image|0x0856×559 68.5 KB

  1. Go to the Secondary Configurations tab. In the Add a Secondary Configuration drop-down list, select Client configuration for Facebook:

image|0x0

  1. In the New facebookConfig configuration dialog box, enter a Name (in this example, “myfacebook”), your Facebook App ID as the Client ID, and “App Secret” as the Client Secret. Enter your AM URL as the Redirect URL, and a space character " " as the Scope Delimiter. Save your configuration:

image|0x0
image|0x0634×585 49.8 KB

  1. Notice that some of the parameters are automatically generated for you:

image|0x0
image|0x0639×631 66 KB

Configure an authentication tree

To effectively use the social login, you should create/modify an authentication tree which contains two significant nodes:

  • The Select Identity Provider node, which prompts the user to select a social identity provider to register or log in with, or (optionally), continue on with a local registration or login flow. When a provider is selected, the flow continues on to the Social Provider Handler node.
  • The Social Provider handler communicates with the selected provider, and then collects the information provided after the user has authorized the service. It then takes that information and runs a transformation script to prepare it.ForgeRock Identity Platform includes a transformation script called Normalized Profile to Managed User, which this node uses to transform the identity object gathered from the identity provider into a ForgeRock Identity Platform object.The node then queries IDM to see if the user already exists. If the user exists, they are logged in. If the user does not exist, create them.

To create a basic social authentication tree:

  1. In the AM admin UI, go to Realms > Realm Name > Authentication > Trees, and create a new tree:

image|0x0

  1. Decide whether users can log in with their AM credentials, and add the relevant nodes to the tree. Social authentication trees allowing local authentication might look like the following:

image|0x0
image|0x0804×474 103 KB

  1. Configure the Social Provider Handler Node:
  • In theTransformation Script field, configure Normalized Profile to Identity. This script will transform the normalized identity provider’s profile object into the appropriate user profile attributes of the realm’s identity store.
  • In the Client Type field, select BROWSER.

Verify you can log in to AM using Facebook

To verify that you can log in using Facebook:

  1. Access the social login tree you created in a new web browser window, for example: https://my-namespace.iam.example.com/am/?service=myfbtree. Notice that you get an option to Continue with Facebook. Click Continue with Facebook:

image|0x0
image|0x0893×678 29.5 KB

  1. Log in using your Facebook credentials:

image|0x0
image|0x01065×641 38.4 KB

  1. If a Facebook TFA dialog box appears, provide the necessary code:

image|0x0
image|0x01063×449 37.1 KB

  1. Notice that you are successfully logged in to the user’s profile page on your CDK:

image|0x0
image|0x0921×744 48.1 KB

There you have it, a simple way to configure Facebook as social identity provider in your CDK deployment.

More from this author: