FusionAuth
    General Discussion
    • T

      How to get an access_token for an entity on behalf of a logged user?

      • • thiago.benvenuto
      3
      0
      Votes
      3
      Posts
      298
      Views

      joshuaJ

      @thiago-benvenuto

      Additional details can be found here

      https://fusionauth.io/community/forum/topic/1118/can-i-get-permissions-granted-to-a-user-against-an-entity-in-an-oauth-grant

      I have filed an issue below. Feel free to expand or add your own comments as needed.

      https://github.com/FusionAuth/fusionauth-issues/issues/1295

      Thanks,
      Josh

    • I

      smtp server gmail setup error

      • • innospaceauto
      3
      0
      Votes
      3
      Posts
      743
      Views

      joshuaJ

      @innospaceauto,

      There are a couple of steps that you can take to remedy this.

      The first step is to turn on the mail debug logs.

      mail.debug=true in the advanced settings on the tenant.

      The second step is to confirm that you are able to send a test email.

      Additional details can be found in our troubleshooting guide.

      https://fusionauth.io/docs/v1/tech/troubleshooting/#troubleshooting-email

      Finally, Gmail, especially with recent security upgrades, may require you to have MFA enabled or not allow apps to access its SMTP servers unless specifically allowed.

      I was able to get a test email to send from my personal account by generating an "application password" and using SSL to send.

      https://support.google.com/accounts/answer/185833
      https://support.google.com/mail/answer/7126229?hl=en

      I hope this helps!

      Thanks,
      Josh

    • B

      registration question sendSetPassword flow

      • • bergraan
      7
      0
      Votes
      7
      Posts
      868
      Views

      joshuaJ

      @bergraan,

      One more note:

      You will want to ensure you are using the client_id on the URL.

      To that end, after discussing with the team, I think your URLs may be broken:

      Example good URL --> http://localhost:9011/password/change/<code>?<tenan_id>
      Example bad URL --> http://localhost:9011/password/change/<code>?client_id=<client_id>&<tenan_id>

      should be
      ⬇ ⬇ ⬇

      Example good URL --> http://localhost:9011/password/change/<code>?tenantId=<tenant_id>
      Example bad URL --> http://localhost:9011/password/change/<code>?client_id=<client_id>&tenantId=<tenant_id>

      I hope this helps!

      Thanks,
      Josh

    • A

      Fusionauth downgrade?

      • • axel_lurcher
      2
      0
      Votes
      2
      Posts
      223
      Views

      danD

      That's a bummer about the database backup! Sorry to hear that.

      https://fusionauth.io/community/forum/topic/1117/how-can-i-downgrade-an-instance has some advice.

      There's no straightforward path, unfortunately.

    • R

      invalid_redirect_uri

      • • richb201
      32
      0
      Votes
      32
      Posts
      109.2k
      Views

      joshuaJ

      @richb201

      The documentation says that this is optional. But not in my case.

      Can you elaborate on where you found this in the doc?

      The error should say missing "X-FusionAuth-TenantId"

      Can you elaborate on this?

      When I get back the "code" do I need to manually convert it to a token, or is this done automatically?

      You may want to review our OAuth guide. Using an OAuth2 flow, it is common to have two separate endpoints (authorize and token) to obtain access. The "code" is returned from FusionAuth and is used (in conjunction with a few other possible factors) to obtain an access token (in our TypeScript client, this is the client.exchangeOAuthCodeForAccessTokenUsingPKCE function).

      We do have a few tutorials as well that show this in action (the Node.js tutorial being one of them).

      Lastly, for general housekeeping's sake, this thread is getting a bit long, with a few related posts clumped together. For future questions, if the question is unrelated to the posts immediately above, it might be good to open a new thread.

    • G

      Survey about auth and ATO

      • • gustavo.moreno
      2
      0
      Votes
      2
      Posts
      95
      Views

      joshuaJ

      Hi @gustavo-moreno,

      I have removed this post as this is solicitation-focused and at a minimum off-topic for this forum.

      Please see our code of conduct here:
      https://fusionauth.io/community/forum/topic/1000/code-of-conduct

      Thanks,
      Josh

    • Y

      Limit LDAP integration to Authentication only

      • • yb98
      2
      0
      Votes
      2
      Posts
      667
      Views

      danD

      You should be able to use the LDAP connector but when configuring at the tenant, set Migrate User to false.

      That will ensure that the user data doesn't migrate to FusionAuth. I realize this doesn't address your desire to not grant FusionAuth read credentials. Feel free to file a feature request for that specific feature: https://github.com/fusionauth/fusionauth-issues/issues

      Ideally, a user would attempt to log in with their LDAP credentials into FusionAuth, and then FusionAuth would forward these credentials to LDAP for authentication.

      If this is a requirement, you could do this using a lightweight JSON API you write which talks to LDAP and a generic API connector: https://fusionauth.io/docs/v1/tech/connectors/generic-connector/

    • Y

      Logout from one application does not logout user from another

      • • yb98
      2
      0
      Votes
      2
      Posts
      2.3k
      Views

      danD

      Your application needs to kill/destroy its session in the Logout URL route.

      For example, see the "Logout page route" here: https://fusionauth.io/docs/v1/tech/guides/single-sign-on/

      Do your applications do that?

    • O

      No suitable driver found for jdbc:mysql://localhost:3306/login?...

      • • office
      11
      0
      Votes
      11
      Posts
      7.2k
      Views

      M

      The reason you got this error is because you forgot to register your Java MySQL JDBC driver with the application.

      Should be like this:

      Class.forName("com.mysql.jdbc.Driver");

      This forces the driver to register itself, so that Java knows how to handle those database connection strings.

      You'll have to read the manual on your specific MySQL JDBC driver to find the exact string to place inside the Class.forName("...") parameter.

    • A

      Adding support for 3rd party clients authentication

      • • ashok
      2
      0
      Votes
      2
      Posts
      1.5k
      Views

      joshuaJ

      @ashok

      I think that your initial assessments are correct. You should be able to create an application, and that would generate a unique client secret.

      The API below would be where I would start.
      https://fusionauth.io/docs/v1/tech/apis/applications/#create-an-application

      If you have a few more questions related to the specific technical challenges you see from this approach, we could consider them here as well 🙂

      Thanks,
      Josh

    • N

      Support for alternative search engines

      • • naughtly.keller
      2
      0
      Votes
      2
      Posts
      1.1k
      Views

      joshuaJ

      @naughtly-keller,

      I don't disagree that there is a layer of complexity that can come with elastic depending on your configuration. If you would like, you could log a feature request to have the search libraries that you mentioned reviewed for inclusion into future iterations of FusionAuth. I took a look and they seemed very interesting; I appreciate you mentioning it.

      In the meantime, if you haven't yet, you can check out the container repo and its search section. There are some pre-configured search settings to be found there.
      https://github.com/FusionAuth/fusionauth-containers/tree/master/kubernetes/services

      We also have a helm repo that has been very active.
      https://github.com/FusionAuth/charts

      Also, I assume you are running a container orchestration service like K8s, but if you are using just Docker, then you can run this command and have elastic up and running within a single Docker container (related link).

      curl -o docker-compose.yml https://raw.githubusercontent.com/FusionAuth/fusionauth-containers/master/docker/fusionauth/docker-compose.yml && curl -o .env https://raw.githubusercontent.com/FusionAuth/fusionauth-containers/master/docker/fusionauth/.env && docker-compose up

      Finally, you can check out the installation guides for additional assistance and context.

      https://fusionauth.io/docs/v1/tech/installation-guide/cluster/
      https://fusionauth.io/docs/v1/tech/installation-guide/fusionauth-search/
      https://fusionauth.io/docs/v1/tech/installation-guide/docker/
      https://fusionauth.io/docs/v1/tech/installation-guide/server-layout/

      ES does give you the benefits of powerful queries that can be run from right within FusionAuth Admin UI or via the API. I have seen firsthand how this can really help you as your Monthly Active Users projects upwards and you have more data to sort and consume.

      I hope this helps!

      Thanks,
      Josh

    • H

      Unsolved Anyone has written a FusionAuth password Encryptor plugin for Wordpress?

      • • hppyrbit
      2
      0
      Votes
      2
      Posts
      1.7k
      Views

      robotdanR

      A better question may be how are the passwords currently hashed in WordPress?

      Once you know that you'll know if one of the off the shelf options will work, or if a custom plugin will need to be written.

      https://github.com/FusionAuth/fusionauth-example-password-encryptor

    • B

      Deserializing webhook events in java

      webhook event • • brian_ls
      4
      0
      Votes
      4
      Posts
      3.0k
      Views

      joshuaJ

      @brian_ls

      Thanks for the contribution! I am sure that it will be useful to others along the way!

      Thanks,
      Josh

    • Y

      Terminate idle sessions based on Role

      • • yb98
      2
      0
      Votes
      2
      Posts
      1.2k
      Views

      joshuaJ

      Hi @yb98 -

      I don't believe that this is currently possible within the Admin UI (but I will update this post if I discover otherwise). You could submit a feature request outlining your use case.

      It may be possible to hook something up via the API and lots of custom code (but even then, I am not sure how this would work). You may find some insight here.

      Please note, you can set these duration settings on both the tenant and the application level (example below).

      roles-app-orginal.png

      Thanks,
      Josh

    • M

      Difference between Login and register Identity provider Google

      • • maximiliano.riffo
      2
      0
      Votes
      2
      Posts
      320
      Views

      joshuaJ

      @maximiliano-riffo,

      Based on the documentation, it does seem that a differentiation can be drawn out, but manually only (see bold below).

      Complete the google login API - Doc

      (https://fusionauth.io/docs/v1/tech/apis/identity-providers/google/#complete-the-google-login)

      The user does not need to exist yet in FusionAuth to utilize this API. The token returned from Google will be used to retrieve the user’s email address, if that user does not yet exist in FusionAuth the user will be created. If create registration has been enabled for this identity provider and the user does not yet have a registration for this application, a registration will be automatically created for the user. The user will be assigned any default roles configured for the application. If create registration has not been enabled, a registration will not be created if one does not yet exist. This last scenario is useful if you wish to manually provision users and then subsequently allow them to login with Google.

      So it would seem, without testing this myself, if you disabled create self service registration in your application, and got the 202 code, that might be your cue to hit a registration endpoint to register that user?

      registrations.png

      Another option may be to enlist the help of a webhook and/or event to watch the registrations and take action based on that.

      https://fusionauth.io/docs/v1/tech/events-webhooks/

      Let me know if I am understanding correctly or if there is any other clarifying information.

      Thanks!
      Josh
