@fred-fred

I am not sure if this is a bug, but rather may be a security limit placed by the OAuth protocol that you are implementing through FusionAuth. I will have to check to see if this pattern --- file:///... qualifies as an absolute URI.

In FusionAuth, the only valid redirects are outlined below.

An array of URLs that are the authorized redirect URLs for FusionAuth OAuth. Examples of valid redirect URIs: - https://example.com/redirect - com.myApp://redirect - com.myApp:/redirect AVAILABLE SINCE 1.7.0 You may now use URLs that do not begin with http to support native application redirect. Prior to this version the value will be validated to begin with http. AVAILABLE SINCE 1.12.0 You may now use URLs for application redirects that use a single slash to denote there is no naming authority for the scheme. Prior to this version a URL such as com.myApp:/redirect would fail validation as in invalid URL.

https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2
From the OAuth spec

3.1.2. Redirection Endpoint

After completing its interaction with the resource owner, the
authorization server directs the resource owner's user-agent back to
the client. The authorization server redirects the user-agent to the
client's redirection endpoint previously established with the
authorization server during the client registration process or when
making the authorization request.

The redirection endpoint URI MUST be an absolute URI as defined by
[RFC3986] Section 4.3. The endpoint URI MAY include an
"application/x-www-form-urlencoded" formatted (per Appendix B) query
component ([RFC3986] Section 3.4), which MUST be retained when adding
additional query parameters. The endpoint URI MUST NOT include a
fragment component.

I usually use Stripo templates. They integrated AMP technology in their builder. And it's all for free.

@sandrat,

Sorry to hear that you are having difficulties.

You guys do the download thing to trial, be a piece of cake but the install isnt nearly as smooth as you think.

Can you elaborate on any difficulties that you had attempting to install FusionAuth locally?

Simple a couple of SPs against your SAML IDP and I will know if we are in the play.

If you could elaborate on what you looking for I may be able to assist further.

Below is our existing documentation:

SAML as IdP:
https://fusionauth.io/docs/v1/tech/identity-providers/samlv2/#overview

SAML as Service Provider:
https://fusionauth.io/docs/v1/tech/samlv2/

Current Limitations:
https://fusionauth.io/docs/v1/tech/reference/limitations/#saml

Thanks,
Josh

@justinfox,

There are a few ways in which you can architect this to ensure the user/entity is authenticated and authorized (reader here) depending on the language and architecture used. The tutorials and guides cover a few different approaches.

https://fusionauth.io/learn/expert-advice/authentication/login-authentication-workflows/ offers a high-level overview as well.

Lastly, if you decide to use OAuth, you could consult our modern guide to OAuth for more information.

https://fusionauth.io/learn/expert-advice/oauth/modern-guide-to-oauth/

Thanks,
Josh

@daniel,

Glad you are trying us out! I will do my best to address your questions.

if the API is an Entity, and mobile app is an application, how roles will be designated to users for the APIs? How do we access them there? Is it done via same approach as in Auth0?

Are you saying that you are looking to have the same roles (they are called permissions the entity types) assigned to an entity and a user? I may need a little more context to better understand. Maybe you could outline how you are expecting this to work in practice.

Side note, we have documentation on this to be found here (you may have already reviewed it).

https://site-local.fusionauth.io/docs/v1/tech/core-concepts/entity-management/
https://site-local.fusionauth.io/docs/v1/tech/apis/entity-management/#undefined

Also there is a question about using Roles by tenants - as we plan to create those roles, while Tenants will be assigning them to their users, is that actually possible?

Roles are scoped to an application per documentation. I might need some additional clarification/context to better address.

https://site-local.fusionauth.io/docs/v1/tech/core-concepts/roles/#overview

Let us know. Happy to help as able!

Thanks,
Josh

@ubaid-rehman

My recommendation would be to use our troubleshooting steps for email.

https://fusionauth.io/docs/v1/tech/troubleshooting/#troubleshooting-email

Especially as it pertains to below.

Enable debugging by navigating to Tenants Your Tenant Edit Advanced SMTP Settings Additional properties and add mail.debug=true.

Let us know if you still have trouble after a further review.

Thanks,
Josh

Hiya @adrian-wild

To confirm, you are using the elastic search search engine?

And the numbers in the list you provided are the number of results you get?

Hiya,

This is an open feature on our issues list:

https://github.com/FusionAuth/fusionauth-issues/issues/77

We want to get to this, but don't have a fixed timeline for this feature right now. Here is our general roadmap guidance: https://fusionauth.io/docs/v1/tech/core-concepts/roadmap/

Hope this helps.

@samet @kbi @shaunladd

After talking some more with colleagues, this error behavior related to your Nginx configuration and not related to FusionAuth directly.

You can check out two reverse proxy repos that are community maintained below for further guidance:

https://github.com/FusionAuth/fusionauth-contrib/tree/master/Reverse Proxy Configurations https://github.com/FusionAuth/fusionauth-containers/pull/61

As I often have to remind myself, when deals with layers of abstraction, it is always best to start with the simplest base layer and build from there. So in this case, a good approach may be to expose the FusionAuth node directly and try to get it working without a proxy. Or try getting a proxy working with FusionAuth on a VM/docker locally (as opposed to the cloud/remote), just to remove variables.

I hope this helps!

Thanks,
Josh

@yb98 thanks for explaining. I don't see an easy way to do what you want with kickstart alone, since you can't set the age of the password programmatically. The same issue would occur if you did this all via an API. The only thing I can think of is to apply the password complexity rules 1 day after system startup. A pain, I know, but that's the only path I see that would work.