@j-smutek

Hi, after a long bit of working on this issue.
I am quite certain that it is caused by setting a valid certificate in the configuration.
It happens when you configure it directly in the fusionauth.properties file ssl. Everything appears to work, then you find out you cannot create or edit tenants, and other areas do not work randomly. I would just get at no response in the browser and then this buffer overflow in your logs.. I struggled for quite some time with this. Just writing here so if someone else comes to this point.. Just stop and install a reverse proxy problem solved.

I also think honestly fusionauth's quick guide should include setup with caddy and/or nginx with ssl certs. Really I think it would be best to remove ssl setings and force users to setup a reverse proxy as it is simple to do. But I see that you maybe want flexibility here. I have done this now with Caddy and it works flawlessly.

Thanks again for a great product though and great community support.
Authfusion is by far the easiest alternative to Indentity Server for .net and probably the easiest auth server I found.

@theraloss said in Prevent sending "locale" query string to the redirect URL?:

locale=en_US

When you query the user, does anything show up in the preferred languages? Also, are you using the FusionAuth hosted login pages?

Have you used a network monitor to see if the the local is put into the query string by FusionAuth or the IdP?

It is possible to configure in this way.
You can customize the forgot password email template to display the generated changePasswordId rather than using it as part of the URL.

Two pages will need to be customized for the theme:

Forgot password sent - update this to forward the user to the “Change password form” page. One option to perform this redirect is to use a meta refresh tag Change password form - the default template uses a hidden element to submit the changePasswordId. You can use another form field that the user fills out to submit the code.

FusionAuth hosted pages will require the verification code and updated password to be submitted on the Change Password form page.
Please also note the potential security implications of shortening the verification code to 4 digits instead of the default 32 encoded bytes.

@maysilees I don't believe we have a setting for this but you could add your own lambda, which you would then have to do an API call to check for the number of users.

https://fusionauth.io/docs/extend/code/lambdas/

https://fusionauth.io/docs/extend/code/lambdas/self-service-registration#self-service-registration-validation-lambda

To check the number of users in a specific tenant using the FusionAuth API, you can use the "Search for Users" API endpoint. This endpoint allows you to search for users within a tenant and can be used to count the number of users. You would need to set the tenantId in the search criteria to scope the search to a specific tenant.
Here is an example of how you might use the API to search for all users within a tenant and count them:

FusionAuthClient client = new FusionAuthClient("your-api-key", "http://localhost:9011"); ClientResponse<UserSearchResponse, Errors> response = client.searchUsersByQueryString("tenantId:your-tenant-id"); if (response.wasSuccessful()) { // The total number of users in the tenant can be retrieved from the total field in the response int totalUsersInTenant = response.successResponse.total; System.out.println("Total users in tenant: " + totalUsersInTenant); } else { // Handle error response }

Please replace your-api-key with your actual API key and your-tenant-id with the ID of the tenant you want to search. The searchUsersByQueryString method is used to perform the search, and the total field in the successful response will give you the count of users in the specified tenant.
Note that the above code is a conceptual example based on the information provided in the extracts. The actual implementation may vary depending on the version of the FusionAuth client library you are using and the specific details of your application.
For more details on the "Search for Users" API, you can refer to the FusionAuth API documentation, which would typically be found at the following link: Search for Users API. However, please note that this link was not provided in the extracts, so you should consult the official FusionAuth documentation for the most accurate and up-to-date information.

FusionAuth does allow for extensive customization of themes, which may be used to ensure WCAG compliance.

To create and manage themes, you can navigate to Customizations -> Themes in the FusionAuth UI or API. More here: https://fusionauth.io/docs/customize/look-and-feel/

Themes are written in FreeMarker, which provides a rich template language to customize pages and helpers to suit your needs. This could include adding accessibility features to meet WCAG standards.
If you need to manage complex configurations such as themes programmatically, you can use the FusionAuth CLI.

If you're looking to ensure that your custom theme meets WCAG requirements, you might need to consult WCAG guidelines and ensure that your theme modifications align with those standards. This could involve adding appropriate ARIA labels, ensuring sufficient color contrast, providing keyboard navigation, and more.

@theuniversalvillagers

Hmmm. I'm not sure I understand your question. Can you walk me through what you are trying to do, step by step?

Hi @jacob-fisher,

So you are saying that you have this situation:

In FusionAuth, a user user@example.com

In salesforce, a user user@example.com.

You configure salesforce to use FusionAuth as the source of identity, so there's a Login with FusionAuth button on salesforce.

When you try to log into salesforce in an incognito window, you see a new saleforce user with the email address user@example.com created (so now there are two)?

What are the two user ids? It's possible there is a mismatch and you might need to adjust the apex code.

Is that correct?

@mark-robustelli Thank you. It is an interesting workaround. I think if we apply encryption on top of the generated string value, it will not disclose user's login.

@altear147 I encountered this behavior today when I tried to update the username for a user:

await getFusionAuthClient(tenantId).updateUser(userId, { user: { username, }, });

To my surprise (but probably only the lack of knowledge), this set theusername of the user as specified but also deleted the email just as you described.

I was thinking, okay, let's move on and don't touch username and specify firstName as the only key for the update:

await getFusionAuthClient(tenantId).updateUser(userId, { user: { firstName, }, });

but then I received this error:
16e0e85b-affe-4d49-be46-bf5a05f5d811-image.png

Which I also didn't expect, since I assumed the userId uniquely identifies a user and I don't have to supply more fields to help FusionAuth identify it.

After supplying the exact same things as you did:

await getFusionAuthClient(tenantId).updateUser(userId, { user: { email: email as string, firstName: firstName as string, lastName: lastName as string, mobilePhone: mobilePhone as string, }, });

my user object is getting updated. To clarify, the email input is disabled on my form, and users can only enter first name, last name, and mobile phone.

You can find the complete code here: https://github.com/akoskm/saas/blob/main/app/routes/team_.%24userId.edit.tsx

Hope this helps.

@dan I opened the request. Thanks!

@dan Hello, reaching out to know if this still the same, ie no way to know whether an user has a password or not?

@hendrik-ebbers I am a little confused on the ask. It sounds like you want a user to be able to log into a webpage and then be able to call your apis? Would they call the apis from an interface you provide in the web application or from some other application?

@alex-patterson Thank you for sharing this. I did not even notice this in the documentation. I will give it a try.

@dan said in Retrieving Data using FusionAuth API:

Great! We have a PR out to revisit the search documentation which I just merged. So hopefully that will be clearer for folks in the future.

Back to this comment of yours, I meant that the first line in this screenshot kinda confused me, since I thought that you're searchQuery will be searched only for these fields and not all of the existing fields if you call this this endpoint http://{{dockerhost}}:{{fusionport}}/api/user/search?queryString=*

And also I did not know that I can do something like http://{{dockerhost}}:{{fusionport}}/api/user/search?queryString=tenantId:uuid

@jarrod We just rolled out such an app to one of our clients, and I'm happy to share my experiences with you.

Do we whitelist a large amount of callback URLs?

We haven't. Same as in your case, the user registers through a self-serve sign-up form where they enter the tenant details, such as the subdomain. During tenant creation on our backend, we simply construct the new tenant URLs for login and Oauth (we configure Oauth because we have a desktop app connecting to this same backend).

const newFusionAuthAppConfig = { name: `"${organizationName}"'s Project`, oauthConfiguration: { ...blueprintAppConfig.oauthConfiguration, enabledGrants: [GrantType.authorization_code, GrantType.refresh_token], authorizedRedirectURLs: [`${newAppUrl}/api/oauth-redirect`], logoutURL: `${newAppUrl}/api/logout`, }, loginConfiguration: blueprintAppConfig.loginConfiguration, };

So when the new tenant is set up, it already has everything tenant-specific. We use the default tenant as the blueprint for some of our configurations - blueprintAppConfig.

Do we create an Application per custom domain? (Does this mean we have to sync users?)

This is what we did, but I guess it depends on your use case. For us, it was important that one user can register on different subdomains with the same email.

Do we redirect to the main app and perform some kind of sidechannel/backchannel SSO iframe magic?

I can assure you there's no magic once you correctly set up the tenant creation. The entire front end (React here) works the same as before. Most of the "magic" on the backend is simply realizing from which tenant the request came and constructing a tenant-specific Fusion Auth client to retrieve tenant-specific user details, apps, etc.

FusionAuth's official documentation on multitenant setup was an immense help to us.

@egli If you're using TypeScript/JavaScript you can implement a simple page with inputs and call

const newUserFields = { firstName: form.firstName, lastName: form.lastName, }; await fusionAuthClient.patchUser(user.id, { user: newUserFields, });

or use the Update user REST API to pass firstName and other fields.

@jswgger007 Is it possible that you have a .env.local that would overwrite the default values in .env?

Is this issue happening when you run the app locally or in some other environment?

@kasir-barati Makes sense. Thanks for the feedback!

@whuysentruit

Sure, we welcome feature requests from the community! Members can upvote them and we review the upvotes when considering future development.

Here's the GitHub repo to file the issue in: https://github.com/FusionAuth/fusionauth-issues/issues/

Please feel free to reference this forum post and give as many details as you can. This helps us understand the use case.

More about our roadmap process: https://fusionauth.io/docs/operate/roadmap/roadmap

@jan-1 , unfortunately I don't have a great suggestion for you. It looks like @robotdan is taking a look at the issue you created. I will follow the issue and check back in, once they update it.