Hi Guys,
Your reply helped me as well. Thank you. I'm still struggling with the issue of rewriting /admin when using subpath.
When I click login icon I'm redirected with 302 to $host/admin not $host/fa/admin
This happened after I updated my FA.

location /fa/ { proxy_http_version 1.1; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Accept-Encoding ""; sub_filter 'action="/' 'action="/fa/'; sub_filter 'href="/' 'href="/fa/'; sub_filter 'href="/admin/' 'href="/fa/admin/'; sub_filter 'src="/images' 'src="/fa/images'; sub_filter 'src="/js' 'src="/fa/js'; sub_filter_once off; proxy_pass http://localhost:9011/; } location ~^/(?<fusionPath>(oauth2|admin|ajax|login|password|js/identityProvider))/ { proxy_pass http://127.0.0.1:9011/$fusionPath/; # https://fusionauth.io/docs/v1/tech/admin-guide/proxy-setup#how-to-use-a-proxy proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Accept-Encoding ""; sub_filter 'action="/' 'action="/fa/'; sub_filter 'href="/' 'href="/fa/'; sub_filter 'src="/images' 'src="/fa/images'; sub_filter 'src="/admin' 'src="/fa/admin'; sub_filter 'src="/js' 'src="/fa/js'; sub_filter_once off; }

@joshua Nope, was able to figure it out. I was sending the request body in JSON format instead of form URL encoded. Sorry for the late response here!

the built-in domain blocking is documented here: https://fusionauth.io/docs/v1/tech/advanced-threat-detection/#registration-domain-blocking

However:

It only blocks specific domains so you can't block 'all domains except ' It requires an enterprise license

As an alternative, consider a registration transactional webhook which could examine the domain provided by a user and fail if it didn't match a list of your domains: https://fusionauth.io/docs/v1/tech/events-webhooks/events/user-registration-create

@sander

Thanks for the update. We're bummed that we can't include the mysql connector as part of the docker image.

If FusionAuth is stuck in maintenance mode, this thread might prove useful: https://fusionauth.io/community/forum/topic/135/can-t-get-by-maintenance-mode

Can you give me any more details about the issue?

I would like to add that we have a production instance that is running with less resources with no issues. The production instance has way less users, groups, registrations, applications, etc. So the data seems to have something to do with it.

hi @joshua , we need a special attribute from Response SAML of Google Workspace, the URLImage profile.

Since, on the contrary, the Google IdP that uses fusionAuth incorporates basic user information into its Scope (with the profile urlImage), however it does not contain organizational information.

Hi @lambert-torres

Can you please provide some context as to what you are looking to achieve?

Are you storing this data on the user.data.* fields? How are you storing this data/arrays programmatically?

Thanks,
Josh

Hi @cgonzalez

Can you confirm how quickly you are completing the exchange for a token using the code?

"auth_code_not_found"

The code may not be available if:

It has expired or It as already been used to obtain a token.

Thanks,
Josh

@tashi This failure is related to how you are asking FusionAuth to complete the login.

For apple, you must complete a hybrid grant.

At a high level, here is how you will use the FusionAuth IdP Login API with Apple when you are not using our hosted login pages.

Begin the Authorization Code grant with Apple using a hybrid grant response_type=code id_token. Collect the two tokens code and id_token sent to you by Apple on the redirect URL specified by the redirect_uri query parameter. Send these two values to the FusionAuth IdP Login API. Do not complete the Authorization Code exchange with Apple using the Token endpoint.

Please also note that Apple has a separate configuration for Web and Mobile-based authentication. There are a few open issues that may be worth reviewing as well and could be influencing the behavior you are seeing

https://github.com/FusionAuth/fusionauth-issues/issues/778 https://github.com/FusionAuth/fusionauth-issues/issues/1248

Josh

@markdoner27 This is a far-reaching question. Please feel free to post your question specifically as it relates to FusionAuth and we may be able to provide additional feedback.

-Josh

@pclark

Just checking in, albeit a bit later than anticipated. Was this resolved for you on the latest version of FusionAuth

-Josh

@leandro-menagonzalez

This can be solved by using client-side validation in your theme for the corresponding forgot password page. On the authorize page you would pull in JS to check the users email in any manner you see fit.

https://fusionauth.io/docs/v1/tech/apis/themes
https://fusionauth.io/docs/v1/tech/themes/

Josh

@dan said in fusionauth with flutter webapp:

https://github.com/FusionAuth/fusionauth-example-flutter-dart/ _Maui/

I would greatly appreciate if anyone can show how to use flutter webpp with fusionauth

@dan Thanks for the response.

Basically I want to do third party service authorization like described here: https://fusionauth.io/learn/expert-advice/oauth/modern-guide-to-oauth#third-party-service-authorization

The workflow for this mode looks like this:

A user visits TWGTL and logs into their account. They click the “My Profile” link. On their account page, they click the “Connect your WUPHF account” button. This button takes them over to WUPHF’s OAuth server. They log in to WUPHF. WUPHF presents the user with the “permission grant screen” and asks if TWGTL can WUPHF on their behalf. The user grants TWGTL this permission. WUPHF redirects the browser back to TWGTL where it calls WUPHF’s OAuth server to get an access token. TWGTL stores the access token in its database and can now call WUPHF APIs on behalf of the user. Success!

I don't have a web user interface for the user to log in at, instead it is a custom application. But I do have a web service to handle the OAuth flow so when the user click's the "Connect to third-party" button in the application it opens a browser window for them to go through the authorization process.

According to https://fusionauth.io/docs/v1/tech/apis/identity-providers/openid-connect#complete-an-openid-connect-login, I need an authorization code from the OIDC identity provider. The problem I'm stuck on is that calling fusionauth/oauth2/authorize is trying to complete the link instead of returning the authorization code.

I'm guessing the way I am trying to use the authorize endpoint is not the intended way. I was trying to use FusionAuth to acquire the authorization code from the OIDC identity provider so that I would not have to maintain my client code and secret in two places. Am I just supposed to get the authorization code myself without going through FusionAuth?