
[Bug]: CreatePendingLink Strategy Does Not Complete Link via Hosted Login Pages #3325

@mooreds

Description


What happened?

When using an OIDC Identity Provider configured with CreatePendingLink linking strategy, the hosted login flow (via /oauth2/authorize with idp_hint) does not complete the identity provider link, even after the user successfully authenticates on the start-idp-link page.

Environment

  • FusionAuth Version: 1.62.1
  • Deployment: FusionAuth Cloud
  • Testing with Google (but using the OIDC Identity Provider) and a custom scope on the IDP of openid email profile https://www.googleapis.com/auth/calendar.readonly

Replication Steps

  1. Create an OIDC Identity Provider (e.g., Google) with:
    • linkingStrategy = CreatePendingLink
    • createRegistration = false
    • Enabled for an application
  2. Create a user in FusionAuth with a registration to the application
  3. From your application, redirect the user to:
    https://{fusionauth}/oauth2/authorize?
    client_id={app_id}&
    redirect_uri={your_callback}&
    response_type=code&
    scope=openid&
    idp_hint={idp_id}&
    prompt=login
  4. User authenticates with the external IdP (Google)
  5. FusionAuth displays the start-idp-link page prompting the user to log in
  6. User logs in with their FusionAuth credentials
  7. FusionAuth redirects back to redirect_uri with:
    ?code=xxx&locale=en&state=xxx&userState=Authenticated

Expected Behavior

After the user authenticates on the start-idp-link page, the identity provider link should be created, connecting the external IdP identity to the FusionAuth user.

Actual Behavior

  • The redirect returns userState=Authenticated but no pendingIdPLinkId is provided
  • No identity provider link is created (verified via GET /api/identity-provider/link?userId={userId} returns empty array)
  • The IdP debug log shows: "The link must now be completed using the Link API."

The Problem

The pendingIdPLinkId is only returned in the response body of /api/identity-provider/login (HTTP 232), not as a query parameter in the OAuth redirect. This makes it impossible for the application to complete the pending link when using the hosted login flow.

Related

Forum post with same issue: https://fusionauth.io/community/forum/topic/1551/pending-link-strategy-does-not-complete

Version

1.62.1

Affects Versions

No response

Alternatives / Workarounds

Bypass FusionAuth's OAuth flow for IdP linking. Instead:

  1. Redirect user directly to the external IdP (Google) from your application
  2. Handle the callback in your application
  3. Exchange the authorization code directly with the IdP to get tokens
  4. Extract the user identifier (sub) from the ID token
  5. Call POST /api/identity-provider/link directly with:
    {
      "identityProviderLink": {
        "identityProviderId": {idp_id},
        "identityProviderUserId": {sub_from_idp},
        "userId": {fusionauth_user_id},
        "displayName": {email},
        "token": {refresh_token}
      }
    }
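The workaround above (bypass FusionAuth's hosted flow, exchange the code with Google yourself, then call the Link API) has two steps where a mistake turns a linking feature into an account-takeover vector: the callback must be bound to the user's session via `state`, and `sub` must only be taken from an ID token whose issuer, audience, expiry and nonce have been checked. The following is an added example, not code from the issue author or from FusionAuth, showing those checks and the construction of the `POST /api/identity-provider/link` request. It assumes Google's issuer values and that the FusionAuth API key is sent in the `Authorization` header; the sample ID token is constructed and unsigned, and RS256 signature verification against Google's JWKS is assumed to be done by the caller (a JOSE library), since it cannot run offline. All URLs, IDs and tokens in the demo are placeholders.

```python
"""Manual IdP link for the CreatePendingLink workaround (added example).

Flow: app sends user to Google -> callback with code/state -> app exchanges
code at Google's token endpoint -> app validates the ID token -> app calls
FusionAuth's Link API. Only the offline pieces (callback check, claim
validation, building the Link API request) execute here; nothing is sent.
"""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Optional

# Both forms appear in Google ID tokens (assumption based on Google's OIDC docs).
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped padding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def check_callback(query: str, expected_state: str) -> str:
    """Validate the IdP redirect query and return the authorization code.

    The state check is the CSRF defence for this flow: a callback whose state
    does not match the value stored in the user's session is rejected, or an
    attacker could get *their* Google account linked to the victim's user.
    """
    params = dict(urllib.parse.parse_qsl(query.lstrip("?")))
    if "error" in params:
        raise ValueError(f"IdP returned error: {params['error']}")
    if not expected_state or params.get("state") != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    if "code" not in params:
        raise ValueError("callback is missing the authorization code")
    return params["code"]


def id_token_claims(id_token: str, expected_aud: str, now: Optional[float] = None,
                    expected_nonce: Optional[str] = None) -> dict:
    """Return ID token claims after checking iss, aud, exp and (optionally) nonce.

    Assumption: the caller has already verified the RS256 signature against
    Google's JWKS. These claim checks must still pass before `sub` is trusted
    as the identityProviderUserId.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    if aud != expected_aud and not (isinstance(aud, list) and expected_aud in aud):
        raise ValueError("ID token was not issued for this client_id")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("ID token has expired")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if not claims.get("sub"):
        raise ValueError("ID token has no sub claim")
    return claims


def build_link_request(fusionauth_url: str, api_key: str, idp_id: str, user_id: str,
                       claims: dict, refresh_token: Optional[str]) -> urllib.request.Request:
    """Build the POST /api/identity-provider/link request from the workaround.

    identityProviderUserId is the stable `sub`, never the email: emails can
    change or be re-issued, so linking on email invites account takeover.
    Assumption: the API key is sent in the Authorization header.
    """
    link = {"identityProviderId": idp_id, "identityProviderUserId": claims["sub"],
            "userId": user_id, "displayName": claims.get("email", claims["sub"])}
    if refresh_token:  # only present when the IdP was asked for offline access
        link["token"] = refresh_token
    return urllib.request.Request(
        url=fusionauth_url.rstrip("/") + "/api/identity-provider/link",
        data=json.dumps({"identityProviderLink": link}).encode(), method="POST",
        headers={"Authorization": api_key, "Content-Type": "application/json"})


def rejects(fn, *args, **kwargs) -> bool:
    """True if fn raises ValueError for these inputs (used to exercise the checks)."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False


def _unsigned_jwt(claims: dict) -> str:
    """Constructed sample token with a placeholder signature (not a real Google token)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


SAMPLE_ID_TOKEN = _unsigned_jwt({  # constructed claims, fixed timestamps
    "iss": "https://accounts.google.com", "aud": "example-client-id",
    "sub": "110248495921238986420", "email": "alice@example.com",
    "nonce": "nonce-placeholder", "iat": 1_700_000_000, "exp": 1_700_003_600})

if __name__ == "__main__":
    code = check_callback("?code=code-placeholder&state=state-placeholder", "state-placeholder")
    claims = id_token_claims(SAMPLE_ID_TOKEN, "example-client-id", now=1_700_000_100,
                             expected_nonce="nonce-placeholder")
    req = build_link_request("https://example.fusionauth.io", "api-key-placeholder",
                             "idp-id-placeholder", "user-id-placeholder", claims,
                             refresh_token="refresh-token-placeholder")
    print(req.full_url, json.loads(req.data))  # next step: urllib.request.urlopen(req)
```

Between `check_callback` and `id_token_claims` sits the real code exchange at Google's token endpoint, which returns the `id_token` and (with `access_type=offline`) the refresh token stored in `token`; it is omitted here because it needs network access. The `rejects` helper exists only so the expired-token, wrong-audience and bad-state paths can be exercised without a network.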
