Has anyone successfully used the Account API to bind social accounts?

[fre2d0m]

Refer to this document:
https://docs.logto.io/zh-CN/end-user-flows/account-settings/by-account-api#link-a-new-social-connection

I performed the following steps:

1. Create OAuth Apps on Github, with the Callback URL from logto: http://localhost:3001/callback/9klqhicsjipz2vl0ei8u7
2. Add a login method in logto: Github
3. At this point, authentication and registration can be done normally

Another scenario:

1. When a user registers and logs in using an account and password
2. Enter the account management interface
3. Link a Github social account, and here comes the problem
   I received the following response:

{verificationRecordId: 'n800rh4r3tz4bnomlllp0', authorizationUri: 'https://github.com/login/oauth/authorize?client_id=*******&scope=read%3Auser+user%3Aemail', expiresAt: '2026-01-05T19:40:28.257Z'}

Then it normally redirects to authorizationUri, and at this point, Github shows a warning:

At this point, the complete request link:

https://github.com/login/oauth/authorize?client_id=*********&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Flogto%2Fverifications%2Fsocial%2Fcallback&state=x7a8M8lhXk9KAgPk_mBA9nblG1QsRStB&scope=read%3Auser+user%3Aemail

A problem arises here because Github only allows setting one Authorization callback URL, and this URL has already been preset in Logto.

Therefore, when my application is from a different domain, it is blocked by Github's authentication process.

Has anyone actually successfully completed this social account binding? I looked through the issues and didn't find any similar discussions.

By the way, I can't imagine at all how much room for imagination all these "...." in the documentation can bring me.

[darcyYe]

On GitHub, you can create two different types of apps: GitHub apps and OAuth apps.
Each OAuth app can only set one redirect URI, while GitHub apps can configure multiple redirect URIs.

[fre2d0m]

🤝thx, should this method be done for every type of connector? Or is it a temporary operation belonging to GitHub?

[fre2d0m]

After several attempts, I finally successfully redirected to GitHub to complete the authorization, but when calling the interface, an error occurred:

{
  code: 'verification_record.permission_denied',
  message: 'Permission denied, please re-authenticate.'
}

The same error also occurred on Discord bug-reports channel, but it has not been resolved.

const bindResponse = await fetch(`${logtoConfig.endpoint}api/my-account/identities`, {
      method: 'POST',
      headers: {
        Authorization: `Bearer ${accessToken}`,
        'logto-verification-id': verificationRecordId, 
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({
        connectorId,
        newIdentifierVerificationRecordId: verificationRecordId,
      }),
    });

[darcyYe]

It seems that the verification record ID used as the logto-verification-id should be different from the newIdentifierVerificationRecordId currently used to update identities.

[fre2d0m]

On the browser side, the following results were obtained:

{verificationRecordId: 'rrzdjucod84bvnuueimiw', authorizationUri: 'https://github.com/login/oauth/authorize?client_id…JZ2IO%7ETjmim6tETn&scope=read%3Auser+user%3Aemail', expiresAt: '2026-01-06T09:12:20.546Z'}

verificationRecordId is rrzdjucod84bvnuueimiw
accessToken is NfsEOdREza_IKXsXkNg9dvirRaSiBr3-z_zTPGCXxEU

const verifyResponse = await fetch(`${logtoConfig.endpoint}api/verifications/social/verify`, {
      method: 'POST',
      headers: {
        Authorization: `Bearer ${accessToken}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({
        verificationRecordId,
        connectorData,
      }),
    });

verifyResponse.ok is true, verifyResponse.status is 200

I try to use curl finally:

curl -X POST http://localhost:3001/api/my-account/identities \
  -H 'authorization: Bearer NfsEOdREza_IKXsXkNg9dvirRaSiBr3-z_zTPGCXxEU' -H 'logto-verification-id: rrzdjucod84bvnuueimiw' \
  -H 'content-type: application/json' \
  --data-raw '{"connectorId":"9klqhicsjipz2vl0ei8u7","newIdentifierVerificationRecordId":"rrzdjucod84bvnuueimiw"}'

{"code":"verification_record.permission_denied","message":"Permission denied, please re-authenticate."}

[darcyYe]

As I mentioned earlier, logto-verification-id is the record ID of a previous successful verification, while newIdentifierVerificationRecordId is the ID of the social identity verification record.

[darcyYe]

It seems that you encountered an authentication failure when requesting the /my-account/* APIs.
My suggestion is that you can refer to the code of Logto itself to set up your own process.

[fre2d0m]

I hope to know if there is a successfully implemented minimal demo, as I have encountered the same issue in the Logto cloud version.

[fre2d0m]

1. curl -X POST https://[tenant-id].logto.app/api/verifications/social

2. curl -X POST https://[tenant-id].logto.app/api/my-account/identities

Is it still that I'm using the wrong method?

[fre2d0m]

I create issue: #8172