    fred.fred

    @fred.fred


    Best posts made by fred.fred

    • RE: SMTP Config with SendGrid..Again

      @boniface we're using FA with SendGrid in our DEV environment.

      We are using the SMTP server mode.

      6addef5d-4ed7-4226-9b7c-caec9f77c57a-image.png

      You will need to:

      • Add your host and username from instructions in SendGrid. It is smtp.sendgrid.net and apikey for everyone

      • Add the password from your instance under that Change Password flipper button in FA

      • Make sure your default from address is registered in SendGrid as an actual domain and address that you can send from - I believe this is necessary for all SendGrid email, otherwise you could use them for SPAM

      That's all we did and it worked for us.

      Note since this is DEV, we are not using TLS or SSL security. But we will in QA and Production.

      posted in Comments & Feedback
    • post_logout_redirect_uri not working

      We are setting this post_logout_redirect_uri on our log off:

      https://auth.apps-d.XXX.com/oauth2/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A12620%2F&x-client-SKU=ID_NET461&x-client-ver=5.3.0.0

      Which is http://localhost:12620/

      However, FusionAuth is just redirecting to its own root url: https://auth.apps-d.XXX.com/ instead of the post_logout_redirect_uri

      Referring to this post: https://fusionauth.io/community/forum/topic/35/is-there-a-way-to-have-a-user-who-logs-out-of-an-application-go-back-to-wherever-they-started-from-at-login

      It says the logout redirect url must be an authorized redirect url, which it is:

      24ad00f1-f0f5-4d37-bcbc-5d433be01c76-image.png

      However, FusionAuth is not redirecting as you can see from this debug session and is just going to root url instead of post_logout_redirect_uri

      f1ec3775-7caf-44e2-ba7c-6a0a521872f8-image.png

      How do we get FusionAuth to redirect to the passed post_logout_redirect_uri?

      Thanks.

      posted in Q&A
    • RE: post_logout_redirect_uri not working

      Ok this is how I fixed the post_logout_redirect_uri issue.

      In my logoff method, I did this to remove the local cookies

      c99db979-5e36-4e07-8cbd-8ce25bd73775-image.png

      Then because I could not use the Owin..OIDC..PostLogoutRedirectUri in the OpenIdConnectAuthenticationOptions to pass the client_id

      At the end of the logoff method, I just did this:

      39f0427a-f30a-4e54-b719-1c6689476674-image.png

      This removed the FusionAuth session, does the log out, and redirects to my home page

      Thanks to all who tried to help out

      posted in Q&A

    Latest posts made by fred.fred

    • In the dashboard, what are the blank applications?

      In our dashboard, we see people logging in but the Application has no name.

      Where are these people logging in if not the applications we have people registered to or that they have access to where we do not have Require Registration ticked?

      9911ba0a-081d-48cf-b72a-a5ae1c6eb808-image.png

      posted in Q&A
    • RE: Upgrade from Version 1.26 to 1.36.4 introduced error with response_type=id_token token

      Yeah, something is definitely going on with 1.36.4, Nashorn (original engine), and JWT populate versus what 1.26 did

      Very simple examples seem to work with like only a few lines of script.

      But as the JavaScript gets longer, then things start breaking with a 502 error on FusionAuth (FA)

      I wish there was better error logs but we are still getting next to nothing from STDOUT from the FA server.

      I have spent hours today putting in little bits of script to see what errors

      And the conditions seem random

      Did 1.36.4 Nashorn get more strict, does it not like variables to be named certain things (even though I have checked against the list of reserved words), or maybe we need to reindex the ElasticSearch against our users again?

      One of the weirder bugs is, I'll have a ton of script that works and then I put in something as simple as:

      jwt.dealer_number = "xxx";
      

      And then I start erroring again, if I comment or delete this new script everything starts working again.

      Does anyone have these issues with the lambdas since upgrading to 1.36.4 or going from a database user search to elastic search search?

      posted in Q&A
    • RE: Upgrade from Version 1.26 to 1.36.4 introduced error with response_type=id_token token

      Ok, now I think this is a lambda error bug in 1.36.4

      and nothing to do with id_token token

      Still researching...

      posted in Q&A
    • RE: Upgrade from Version 1.26 to 1.36.4 introduced error with response_type=id_token token

      So I was able to get us 75% fixed by disabling the authentication token and keeping only the ID token enabled on the FA application side.

      But I still need to fix it to get the rest of the customers into the app.

      Does anyone know a better way to diagnose or see what is causing the 502 errors?

      I'm surprised the dev tools or FA logs have no other details.

      Thanks

      posted in Q&A
    • Upgrade from Version 1.26 to 1.36.4 introduced error with response_type=id_token token

      We recently upgraded our AKS instance of FusionAuth (FA) from Version 1.26 to 1.36.4 to use ElasticSearch user search.

      This introduced errors with "response_type=id_token token" OIDC logins.

      We did not update the receiving service provider or the FA application.

      But now when we run the login to the service provider we get a 502 error when POST to https://zzz.com/oauth2/authorize after logging into FA:

      0760d70a-bf58-4273-a2b0-bc257760225f-image.png

      e5e157be-5584-4534-9ad6-450ebb43e82e-image.png

      I have been playing around with the

      • Access Token signing key
      • Id Token signing key

      sections under JWT section of the FA application.

      But I still get an error if I leave either setting in RS256 or RS256 - 4096 length

      If I update the application to HS256 - I do not get a 502 error on login to the service provider, but now the token will not decode and the service provider will not load

      If I change the response_type from "id_token token" to just "id_token" I do not get a 502 error on login to the service provider, but now the token will not decode and the service provider will not load

      Did something change in how FA handles response_type "id_token token" and RS256 signing keys from V 1.26 to 1.36.4?

      As I said the only difference now is that we upgraded FA.

      Also, like in the Docker instructions we pipe standard out to AKS logging, so I can do kubectl logs to see the logs, but FA does not output anything meaningful:

      9a4202b9-19bd-408b-b572-4854e4aa5005-image.png

      Is there any way to debug what is going on with the new version?

      By just seeing a 502 error page after logging in and no meaningful logs in either FA AKS logs or browser developer tools means I am just trying many different things to figure out why we cannot log into this service provider anymore.

      Thanks

      posted in Q&A
    • RE: Where to put SAML metadata if FA is acting as IDP?

      @dan I'll take a look, but I thought those directions did not pertain to us because I want our FA instance to be the IDP that the user clicks a link from. For example, we have a page out on the internet, the user wants to get to some SAML SP, which our FA is the IDP for, so they click this link:

      https://myFAurl.com/samlv2/login/zzzz-222-111-000-yyy

      As provided in the FA SAML v2 Integration details

      But it looks like this is the only place to enter SP metadata info, correct?

      posted in Q&A
    • Where to put SAML metadata if FA is acting as IDP?

      We are on FA V1.26.1.

      We are trying to do a demo for our business of FA as identity provider (IDP) to an external service provider (SP).

      This is the SAML test we are using: https://samltest.id/

      We are able to make the SP initiated SSO work.

      But to make IDP initiated work, we need to upload the SP's metadata.

      However, this post comment from @dan mentions that FA does not allow upload of metadata

      So now how and where do we put the SP's metadata?

      Is it a lambda? The application's SAML section does not seem to have a pop out or section to put the SP info in.

      ded6b00f-e81c-4f3c-998f-133d55a9be3d-image.png

      Thanks for any help.

      posted in Q&A
    • RE: How do you assign a theme to an application?

      @dan Is there any other way to assign a themed UI in the same tenant id if the client ids are different?

      For example, we have the same user base from two different companies in our FusionAuth (FA) tenant.

      Both companies can access the same applications that we host as defined in the applications section of FA.

      However, one of the companies has a specific application that they host, which we restrict only to them by the client id of the application.

      It would be nice to show a different logo on the oauth2/authorize screen when a specific clientId shows up in the querystring of oauth2/authorize

      Is this possible?

      posted in Q&A
    • Custom theme deployment between environments

      We have three FusionAuth environments - Dev, QA, Production. Our UI dev is developing a custom theme in the Dev environment for us.

      How do we DevOps or programmatically move her theme changes from Dev to QA then Production?

      It looks like we can transport with the API using Theme Update Endpoints and sharing environment API keys so one environment can see the next environment to copy the themes over.

      But is there a better way?

      Thanks.

      posted in Q&A theme deployment application api docs