On reading through your linked document, FusionAuth doesn't support this natively. There's no 'sso' endpoint which does what the docs say must be done (checking the signature, creating the new payload, etc...).

You have a couple of options:

file a feature request: https://github.com/fusionauth/fusionauth-issues/issues explaining what you'd like to have done use OIDC for discourse (which should work with FusionAuth out of the box): https://meta.discourse.org/t/openid-connect-authentication-plugin/103632 set up a small proxy server which would receive the SSO request from discourse, present a login screen, and call the FusionAuth Login API to authenticate the user

I'd probably recommend the OIDC route unless there's some reason why it wouldn't work for you.

Solved. The error code coming back is [duplicate]user.email. I just need to ignore that!

Yup, you got it!

And also HMAC keys will never be displayed in the public-key list. Since they are symmetric, displaying them in that list would let anyone viewing them sign JWTs indistinguishable from those signed by FusionAuth.

Should I be working with the email template or is that for something else?

I'd look at email templates and tweaking those, yes. https://fusionauth.io/docs/v1/tech/email-templates/email-templates/ has some docs about this.

Is a client_id and a user_id (returned from registration) the same thing?

Nope. client_id represents an application in FusionAuth. user_id represents a user.

Hope that helps, glad you're getting close!

Sure, you want to use the patch identity provider method: https://github.com/FusionAuth/fusionauth-java-client/blob/master/src/main/java/io/fusionauth/client/FusionAuthClient.java#L1575

You'll want to update the application configuration section: https://fusionauth.io/docs/v1/tech/apis/identity-providers/

Be aware that there is an open issue regarding this: https://github.com/FusionAuth/fusionauth-issues/issues/767 If this affects you, please upvote it so that it moves up in our priority list.

This also may be worth reading: https://fusionauth.io/community/forum/topic/510/update-identity-provider

Ok, I've created a feature request.

Hi @richb201 ,

Are you asking what the security implications are for not using passwords at all?

That's hard to give general guidance on, as that depends on how good users are at keeping their email accounts safe.

In general it's going to be pretty good because people tend to care more about their email accounts and pay more attention to them than some random account they signed up for 6 months ago and haven't checked since.

Also in favor of this is the fact that the passwordless codes are time limited (configurable in the tenant).

But, as I'm sure you can understand, I can't do a thorough security analysis because I don't know the full details of your scenario.

Nope, this is the recommended solution.

If you think there's a valid use case for having this be supported natively (without the webhook), please file an issue with a feature request, including as many details as you can: https://github.com/fusionauth/fusionauth-issues/issues

Ah, I see how that could be confusing. Sorry about that. Glad you got it sorted out and it works!

We just did some testing and it appears that JFrog Artifactory can now use FusionAuth as a SAML ID Provider.

Thanks again for the quick work on this issue.

Tom M

'Tis I indeed! Continuing my signature moves of knowing juuuuuust enough to be dangerous to myself and others LOL. I'm checking the settings now, thanks to you and Dan for the support!

@cody-braddock you'll also want to ensure this event is enabled for your Tenant. See Tenants > Edit > Webhooks in the FusionAuth UI.

solved. I needed to type DELETE.

But if I put these in the application, won't this be a security problem?

If you put them in a javascript app, yes. But if they are in the php application only, then it'll be like a database password. Not really a security issue.

You could also inject them as an environment variable or pull from a secrets manager; however you manage your database credentials, I'd suggest doing the same with the client id/secret.

Awesome, glad to hear it! Thanks for letting me know.

Users are shared across tenants, so if you have one person logged in and they visit a different Fusionauth application url, they'll be automatically logged in again (without the need to auth again). I'm not sure that's what you want.

If you register a user to app A and then to app B, they'll be registered in both apps.

If you register a user to app A and then to app A again, I think you'd get an error message, but would have to try that out to be sure.

If you want to try this yourself, you could try richb201+1@gmail and richb201+2@gmail (anything after the + is treated as the same email address by gmail, but different email addresses by fusionauth).

Is FA the best place to have such time of queries or should I create a pipeline and publish updates elsewhere?

I think you have a couple of choices:

build a pipeline based on webhooks, possibly publishing each user to s3 or another datastore querying elasticsearch directly querying fusionauth changing to the database engine

Given your other requirements (the ability to pick off just the phone number and name), I'd test out querying elasticsearch directly, or, if your queries are all simple, switching to the database search engine.

I'd pursue the pipeline approach only if the direct queries didn't perform well, because it's more moving pieces to break.

Is there an API planned which can allow me to get users data with specific fields - name, phone number or just the data field?

This is not currently planned, but feel free to open a feature request with more details. Feel free to reference this post and your previous github comment. I could see that being a useful API change, similar to how you can specify sort fields.

Is it advisable to modify elastic search to index only certain properties and get results directly from there without fetching the database - Bypassing FA APIs? (I have updated the index.max_result_window to the number of results that I am expecting). Is there is way to make those queries through FA?

We pretty much pass through the elasticsearch queries, letting ES do what it is good at. Modifying the elasticsearch index settings shouldn't cause any issues, but is not something we test.

You'll also want to keep an eye on https://github.com/FusionAuth/fusionauth-issues/issues/494 which should make it possible to query directly from fusionauth.

Also there is an issue of the query that FA uses to get the results from PSQL. So there is limit of ~32k even if elastic search is not the limiting factor. https://stackoverflow.com/questions/1009706/postgresql-max-number-of-parameters-in-in-clause.

I don't believe that this limit applies. Have you seen this limit?