Hi, I have just enabled SSO and email verification...
# support-questions-legacy
a
Hi, I have just enabled SSO and email verification. When I try and sign up with a microsoft email using SSO, it asks me to verify my email, but the email is not sent to my microsoft email. Email verification is working for the regular accounts.
When signing in with google SSO, it doesn't ask for a verification email, why is Microsoft different?
/auth/user/email/verify and /auth/user/email/verify/token both being called and returning ok. No errors on the backend either
email resent also appears to respond with success but I don't receive the email
Also now getting "email does not exist in tenant, cannot access the application in that tenant..." when using a personal outlook email. These docs: https://supertokens.com/docs/thirdpartyemailpassword/common-customizations/sign-in-and-up/provider-config#active-directory:~:text=oidc_discovery_endpoint%3D%22https%3A//login.microsoftonline.com/%3CdirectoryId%3E/v2.0%22 Seem contradictory to the microsoft logs: https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/error-code-aadsts50020-user-account-identity-provider-does-not-exist#:~:text=identity%20platform.-,Cause%203%3A%20Used%20the%20wrong%20endpoint%20(personal%20and%20organization%20accounts),sign%20in%20by%20using%20federation%20with%20another%20tenant%20or%20identity%20provider.,-Solution%3A%20Use%20the
r
That’s cause Google sends us info about the email being verified. Microsoft doesn’t seem to do that. However, you can override the getUserInfo function in the provider config to always tell our SDK that the Microsoft email is also verified.
About the emails not being sent, I’m not too sure why that would happen.
a
are the supertokens docs meant to only allow microsoft sign ins from your own microsoft domain?
It seems if I follow the supertokens docs and use: oidc_discovery_endpoint="https://login.microsoftonline.com/<directoryId>/v2.0" that will only allow sign ups from our directory ID
How can I override getUserInfo
r
not specifically this. However, you can override the signinup function on the backend to check the email and reject it if it's a different domain
a
I want to allow all domains
r
> How can I override getUserInfo
Which SDK are you using?
a
Microsoft is sending an error back
when signing up with a random personal outlook account
r
what's the error?
Which SDK and version?
a
AADSTS50020: User account 'email@outlook.com' from identity provider 'live.com' does not exist in tenant 'Our Application Name' and cannot access the application 'tenant_id'(Application Name) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
r
hmm. I'm not sure
a
supertokens-python = "^0.18.8"
r
How have you configured the provider? And what are you trying to do exactly?
@sattvikc can help you here on Friday.
a
It looks like the supertokens docs are wrong, right? https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/error-code-aadsts50020-user-account-identity-provider-does-not-exist#:~:text=identity%20platform.-,Cause%203%3A%20Used%20the%20wrong%20endpoint%20(personal%20and%20organization%20accounts),sign%20in%20by%20using%20federation%20with%20another%20tenant%20or%20identity%20provider.,-Solution%3A%20Use%20the
I shouldn't put the tenant ID in the url
r
which docs of ours are you referring to?
r
you do need to put the directoryId in the oidcDiscoveryEndpoint
anyway, I'm not sure at the moment. We will have to wait for @sattvikc on Friday
a
The MS docs say to just put https://login.microsoftonline.com/common don't they?
r
that's not for Active Directory. For AD, you need a directory ID
then it must be some other login
anyway, as i said, let's wait for @sattvikc .
a
Tough for me to wait until Friday, will have to try and figure it out
r
Hmm okay. You probably don’t want to see Active Directory then. You want to see regular Microsoft login. So ignore the AD docs we have.
a
Also is there a way that I can check whether emails are being sent from supertokens? (I have changed to use our domain with AWS SMTP), it seems to work for the cases I tried. But now I have a user complaining that they are not receiving a verification email
They have checked mimecast
r
Override the sendEmail function in the emailDelivery config in emailverification recipe to log in there.
a
I have overridden the service with SMTPService using our SMTP details
r
See the section for pre / post email sending hook
Hope this helps.
a
r
Yea. See the link I sent
You can do that as well to add logging. So you know if an email is sent or not
You don’t need to change the smtp stuff
a
Ok
verification emails not being sent to many of my users
r
You should add a log there and check. If it’s coming in there, but not being delivered to your users, you should contact your email provider
a
The emails were rejected due to 554 Email rejected due to security policies (e.g., MCSpamSignature.x.x)
r
right. Hmm. Maybe that's got to do with your domain's email reputation?
a
yeah, looking into it. On the Active Directory side of things, are you saying I should configure a custom provider and not use the SuperTokens one listed in those docs?
r
Yes. Cause I think what you want to use is login with Microsoft. And not login with Active Directory.
a
Ok
How can I override the microsoft config to always say the email is verified (there is no email_verified in the microsoft user_info)
r
Which backend SDK are you using? Sorry, I keep forgetting
a
0.18.8
r
Which backend SDK is it?
a
v7.0
r
Node SDK? Which version of node SDK?
a
I'm using Python, supertokens-python 0.18.9
r
Ok. I’ll send you snippet tomorrow on how to do this.
a
ty
r
try something like this: Add this to the provider array in the backend sdk:
```python
from supertokens_python.recipe.thirdparty.provider import (
    ProviderClientConfig,
    ProviderConfig,
    ProviderInput,
    UserFields,
    UserInfoMap,
)

# Custom "login with Microsoft" provider entry for the thirdparty recipe's
# providers list. {tenant} is a placeholder, as in the original snippet.
# get_custom_provider is defined in the snippet below.
microsoft_provider = ProviderInput(
    config=ProviderConfig(
        third_party_id="microsoft-login",
        name="Microsoft Login",
        clients=[
            ProviderClientConfig(
                client_id="...",
                client_secret="...",
                scope=["email", "profile", "openid"],
            ),
        ],
        authorization_endpoint="https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize",
        token_endpoint="https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
        user_info_endpoint="https://login.microsoftonline.com/oidc/userinfo",
        user_info_map=UserInfoMap(
            from_user_info_api=UserFields(
                user_id="sub",
                email="email",
                # Microsoft's userinfo response carries no email_verified claim.
                email_verified=None,
            ),
        ),
    ),
    override=get_custom_provider,
)
```
The definition of get_custom_provider is:
```python
from typing import Any, Dict

from supertokens_python.recipe.thirdparty.provider import Provider, UserInfo


def get_custom_provider(provider: Provider) -> Provider:
    # Keep a reference to the SDK's own get_user_info so we can wrap it.
    original = provider.get_user_info

    # No `self` parameter: the function is attached to the instance below, so
    # it is not bound and receives exactly the arguments the SDK passes.
    async def custom_get_user_info(
        oauth_tokens: Dict[str, Any], user_context: Dict[str, Any]
    ) -> UserInfo:
        user_info = await original(oauth_tokens, user_context)
        # Microsoft does not tell us the email is verified, so mark it verified
        # ourselves; guard against a response with no email at all.
        if user_info.email is not None:
            user_info.email.is_verified = True
        return user_info

    provider.get_user_info = custom_get_user_info
    return provider
```
note that the snippets above may not be 100% correct, but they give you an idea of how to achieve what you want
a
Thanks