@varunghaswala said in FusionAuth as SAML relying party and custom login pages:

<ns3:AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:ns4= "http://www.w3.org/2001/04/xmlenc#" Version="2.0" ProviderName="${idpName}" ID ="${CODE_FROM_FUSIONAUTH}" IssueInstant ="{issueInstant}"
Destination="${idpEndpoint}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="${acsUrl}">
<Issuer>${issuer}</Issuer>
<ns3:NameIDPolicy Format="${nameIdFormat}" AllowCreate="false" />
</ns3:AuthnRequest>`;

Ah, great, so it is the ID which needs to be used as the code. I will update the documentation. Thanks so much for confirming.

@ursache-rarress

Thanks for using FusionAuth!

Getting the password via API is not possible.

If you want to migrate away from FusionAuth and need the password hash for that purpose, you can use a database export.

In general, if you are using FusionAuth as your auth server, passwords should remain within FusionAuth and no where else.

@francis-ducharme Hi Francis,

Is this still an issue? I'd review your application configuration (in the 'Applications' tab) to double check that the logout url is correct there.

Also, it'd be helpful to know the version of FusionAuth you are running.

@bvb1992bvb The community edition supports TOTP for MFA, but you have to build your own 'auth setup' page using the APIs and QR code generation libraries.

The account self service pages are part of the paid edition feature set. Those appear to be what you are viewing, but if that's not the case, please let us know.

You can get a free trial of the starter plan for a month from the pricing page: https://fusionauth.io/pricing if that is of interest.

@stephen-saucier-0, This was resolved in 1.36.

https://github.com/FusionAuth/fusionauth-issues/issues/1585

In general, you'll use the JSON defined in the API documentation to build the request. Unfortunately, the Search Event Logs API doc doesn't have sample JSON (I filed an issue) but it does have the fields: https://fusionauth.io/docs/v1/tech/apis/event-logs#search-event-logs

You can also find the EventLogSearchRequest in the client code:

https://github.com/FusionAuth/go-client/blob/master/pkg/fusionauth/Domain.go#L1545

This points at https://github.com/FusionAuth/go-client/blob/master/pkg/fusionauth/Domain.go#L1534

However, I'm not sure searching event logs gets you what you are trying to accomplish:

My goal is to grab all the last events, login..., from a specific user based on his email by example.

You probably want to search login records: https://fusionauth.io/docs/v1/tech/apis/login#search-login-records

https://github.com/FusionAuth/go-client/blob/master/pkg/fusionauth/Domain.go#L3145

https://github.com/FusionAuth/go-client/blob/master/pkg/fusionauth/Domain.go#L3134

Now using v2 endpoints (passing the code_challenge and the code_challenge_method to retrieve the authorization token https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow). Fusionauth Microsoft OpenIDConnect provider returns the next error:

Request to the [https://login.microsoftonline.com/<tenant-id>/oauth2/token] endpoint failed. Status code [400]. Error response is { "error" : "invalid_grant", "error_description" : "AADSTS50148: The code_verifier does not match the code_challenge supplied in the authorization request for PKCE.\r\nTrace ID: c0836075-1551-45ad-9fce-9b7a7716d201\r\nCorrelation ID: 16f33aed-50eb-461a-9740-66299e56fe58\r\nTimestamp: 2022-05-12 15:57:26Z", "error_codes" : [ 50148 ], "timestamp" : "2022-05-12 15:57:26Z", "trace_id" : "c0836075-1551-45ad-9fce-9b7a7716d201", "correlation_id" : "16f33aed-50eb-461a-9740-66299e56fe58", "error_uri" : "https://login.microsoftonline.com/error?code=50148" }

I assume that this is because there is no way to pass this challenge code. Also i Notice that the url used by fusionauth to get the token is a v1 endpoint https://login.microsoftonline.com/<tenant-id>/oauth2/token. So i ask again, is there a way to use v2 endpoints and code_challenge to complete the login flow for Microsoft OpenIdConnect providers?

@vindhyahegde2114

At this time, SSO is only supported if you use the hosted login pages:

Additionally, when you use the hosted login pages, FusionAuth provides transparent single sign on (SSO) between applications as well as support for localization of the user interface.

https://fusionauth.io/docs/v1/tech/core-concepts/integration-points#hosted-login-pages

There's an open issue to expose SSO management via an API: https://github.com/FusionAuth/fusionauth-issues/issues/1515

Please vote it up and/or add a comment about your use case if you'd like.

As a reminder, here's our roadmap guidance: https://fusionauth.io/docs/v1/tech/core-concepts/roadmap

@dan Thanks for your reply. I have tested the case after disabling Allow implicit verification option along with setting skipVerification field as true but still FusionAuth marking the email as verified.

BTW, I did not receive the email of your reply as there is a typo in the name you mentioned (should be . in place of -). 🙂

@dan Thank you, yes I can use lamba, i did give it a try and it works fine 🙂
The authentication type does works too, but maybe more in a "workaround way".

Thanks

@dan Sorry, so fusionauth interface doesn't provide the user's online status info when jwt provided?

@nicholas-tsaoucis

Sorry to hear that!

You should be able to use the API key from the kickstart file to reset the password of a user. The easiest way is probably to use the Update User API: https://fusionauth.io/docs/v1/tech/apis/users#update-a-user

@soloblacksoul Hiya. Thanks for considering FusionAuth!

We don't have plans for a rust client.

If you are looking to do the authorization code exchange, I'd look at the client library listed here: https://oauth.net/code/rust/

If you are looking to do management of FusionAuth with rust, I'd evaluate building an OpenAPI client: https://fusionauth.io/docs/v1/tech/client-libraries/openapi

If you provide the command to build the rust SDK, I'd happily add it to the github readme.

While it is marked as experimental, there are no plans to change that support.

@dan Issue created here:
https://github.com/FusionAuth/fusionauth-issues/issues/1717

@dan Good afternoon... Thanks for answering... Yeah, it is duplicated.. Sorry it is the first time for me using the FA Forum and Because of that i made the mistake to duplicate the POST.

So, please go ahead and remove this one. Thank you

Also, they are not encrypted, they are just UUIDs being stored in a compact fashion.