@marcos-muller,

Welcome to the FusionAuth community!

It sounds like you want access tokens from APP A + B to be read and accepted by APP C. Is that correct?

If so, I would recommend exploring Single Sign On.

SSO blog article. SSO from our documentation

I hope this helps!

Thanks,
Josh

@bogorad,

Glad you got it figured out!

Dropping a link here for future viewers
https://fusionauth.io/docs/v1/tech/apis/users/#search-for-users

Josh

Just wanted to update. A user opened: https://github.com/FusionAuth/fusionauth-dart-client/issues/7

To clear things up, with a public client like a mobile application, you can't safely store a client secret (it'll be shared among all the native apps and can be found via decompilation).

In this scenario, you should disable Require authentication in the FusionAuth Application configuration and use PKCE to secure communication with the Token endpoint.

You can use the exchangeOAuthCodeForAccessTokenUsingPKCE client method to do so.

This is also outlined here: https://fusionauth.io/docs/v1/tech/client-libraries/dart/

Would it be possible to change the Query to something like:

DELETE FROM user_registrations_application_roles WHERE user_registrations_id IN ( SELECT user_registrations.id FROM user_registrations WHERE user_registrations.id = user_registrations_application_roles.application_roles_id (...) )

Hey Joshua,

Thank you so much for all the help. I have disabled the auto delete function for now. I believe the best way to have auto delete unverified users action enabled is to force a user to verify their email before they are allowed entrance into the app.

Thankfully such a functionality is pretty easy for me to enable on the front and backend of the app.

I will take a look at the articles you linked to.

Thanks again,

@joseantonio,

I am checking on this for you; will let you know if I hear anything on a partial upgrade, but it is not one of our current offerings from our Sales/Marketing team.

I suspect that if you were to spin up a few (small) example applications and try writing your own cookies through a proxy, that may give a better understanding of the problem space and available approaches.

I will let you if I hear more

Thanks,
Josh

A user could have a separate email address. For example:

user signs up for application a, which takes an email address and a password user then signs up for application b, which takes a username and password, but has email verification enabled

If that isn't the case, you shouldn't enable email verification, since FusionAuth will have no way of sending the email .

Does that help?

@richb201 said in missing redirect_uri:

Thanks Dan. When you say "run a search" on the server, do you mean "try to start passwordless log in and review the error message", if it fails?

I mean use the user search API in your server side code. Sorry if I was unclear. You could do that on a page on your site.

I am not sure how to set up the security with FA with passwordless. How will I keep a user from just going directly to one of my pages anywhere on my site?

Typically you want to have your server side code save off in a session whether the user is logged in or not. Then you can have any of your web application show different messages or protect pages based on that.

Is it a a security mistake to allow them to access one of my methods IN MY APP to start passwordless? Should I be handling the passwordless/registration/authentication from a totally different process for security?

I'm not sure what the attack vector is here. The real danger with passwordless is:

attacker gets access to a user's email account attacker intercepts email to user

I don't think what you suggest will help with either of those situations, but if I'm missing something, please let me know.

Looks like this is fixed in openjdk 15, so will be picked up when we roll that out (no timeline, but we are on 14 now).

@adam glad you were able to find a workaround.

I am assuming this won't be an issue in production as the SAML callback will be HTTPS -> HTTPS and not HTTPS -> HTTP.

I'm not sure, would need to set up a test environment. If you have a support contract, feel free to open a support ticket for us to do more investigation.

You could also set up a local proxy to have fusionauth be served over HTTPS (examples here) or you could use ngrok or something similar for your testing.

I'm not sure I understand your question.

The data is available when you retrieve the refresh tokens using, for example, the /api/jwt/refresh endpoint: https://fusionauth.io/docs/v1/tech/apis/jwt/

This helps you distinguish between different devices for an account, if you need to do so.

See also https://fusionauth.io/community/forum/topic/903/is-it-possible-to-limit-the-number-of-devices-a-user-can-login-with for a discussion of this.

You cannot share FusionAuth applications between tenants, unfortunately. They are a tenant scoped object.

If you want to sync application settings across tenants, you can use a client library or the API to script changes.

Hope that helps!

I'm sure the support guys will chime in shortly but you can modify the JWT information with lambdas. Here is the link...

https://fusionauth.io/docs/v1/tech/lambdas/

@sean-hogan2,

Welcome to the FusionAuth Community!

I want to avoid giving too specific advice on architecture in our community forums, but what you have outlined here certainly seems plausible, at least at first pass. Could you elaborate a bit on what you mean regarding 'shell objects for the users'? I will also see if my colleagues have any other feedback for you. If they do, I will be sure to pass it along here.

Regarding the user object, you have the ability to set up a lambda function to add custom functionality.
One can make any number of custom claims on the user object to help you facilitate what you are trying to create (re: 'parameterize the templates'). A good example of this can be found here.

In addition to lambdas, FusionAuth also has significant extensibility through its external identity providers, connectors, and API's which you can mold to your use case. As an aside, if it is possible to do in FusionAuth, it will most certainly be doable through our APIs (some of our customers don't even really use the UI).

I hope this helps!

Thanks,
Josh

{
"aud": "2bea5435-ada0-44cd-a2f2-4935d631d6d8",
"exp": 1612886886,
"iat": 1612883286,
"iss": "acme .com",
"sub": "fdfec11f-6da1-4f7f-8b0f-10aa38c588ed",
"jti": "de6f586b-179a-4b15-9058-b5a2479fe5e6",
"authenticationType": "PASSWORD",
"email": "konstantin.dzekov@example.com",
"email_verified": true,
"applicationId": "2bea5435-ada0-44cd-a2f2-4935d631d6d8",
"roles": [
"admin"
]
}

@richard-allwood,

Welcome to the FusionAuth Community!

FusionAuth acts as an IdP just as Auth0/Okta (albeit with implementation and feature set differentiators), and therefore it will allow you to architect solutions for Authorization and Authentication.

We have a few sample applications which should guide you on your journey.

Angular app Netcore

Please find our client libraries and documentation if you need additional information.

If you are looking for something more specific, or run into trouble, please let us know.

Thanks,
Josh

Hi @egis!

Welcome to the FusionAuth community! Let me see if I can get you pointed in the right direction!

API

I would suggest reviewing our Users API which allows for a flow similar to what you are describing (if I understand you correctly).

https://fusionauth.io/docs/v1/tech/apis/users/#create-a-user

Request Body sendSetPasswordEmail [Boolean] OPTIONAL Defaults to false Indicates to FusionAuth to send the User an email asking them to set their password. The Email Template that is used is configured in the System Configuration setting for Set Password Email Template. If you set this value to true the password field is then ignored, FusionAuth will set the initial password to a securely generated random string. If you have also enabled email verification and do not select to skip verification using the skipVerification parameter, only the setup password email will be sent to the user. Setting up the password using the email sent during this user create operation will implicitly verify the User’s email if it is not already verified. If the SMTP email configuration is not complete, or disabled, this value is ignored. Via UI

Once a user has been added by an admin via the UI, there is an option to send a
toggle to “Send email to setup password." which would reproduce the functionality described above.

Email templates

Remember to select a template in Applications via UI

Roadmap

Is there a chance that this https://github.com/FusionAuth/fusionauth-issues/issues/743#issuecomment-664365516 will be implemented?

While this issue is documented, it not on our short-term road map at this time.

Please review our roadmap guidelines

I hope this helps on your way!

Thanks,
Josh