The hosted backend will check the Origin or Referer header on the request and validate that it comes from an origin that matches the domain of the host of the request to FusionAuth. If they do not then we return a 403 regardless of what the CORS configuration is set to.

Ideally to get this to work with the remote instance you may want to try setting a local proxy with "local.fusionauth.io" or similar set to localhost:4000 so that the browser sees this as the same apex domain as FusionAuth.

Utilizing a different port instead of route based paths tends to work better.

Below is an example using express / http-proxy-middleware.

const express = require("express"); const { createProxyMiddleware } = require("http-proxy-middleware"); const app = express(); app.use( "/", createProxyMiddleware({ target: [FUSION_AUTH_HOST_HERE], // example: https://example.fusionauth.io changeOrigin: true, headers: { "X-Forwarded-Proto": "http", "X-Forwarded-Host": "localhost:4001", "X-Forwarded-Port": "4001", "X-Forwarded-Server": "localhost:4001", }, }) ); app.listen(4001);

It's also worth noting that we strongly recommend using the Authorization Code grant and redirecting to FusionAuth's hosted login pages, rather than using the Login API.

This has the following benefits:

you don't have to worry about any other architectural components handling credentials, which are highly valuable to an attacker this solution works across almost all mobile and web applications, whether custom or COTS or OSS, as opposed to being limited to React SPAs you get FusionAuth's app to app single sign-on when there is a new workflow added, implementing it is a matter of configuring FusionAuth correctly rather than modifying your code to add a new component; an example would be adding a social provider or magic links

We understand that this sometimes comes at a cost of UX complexity as you need to sync or at least align your UX between two different systems. This is why we offer the Login API as @Alex-Patterson mentioned; it's an escape hatch if redirecting just won't work.

We also have themes to support customizing the FusionAuth hosted login pages, including this example which uses Tailwind.

Make sure you are running 1.47.1. If you are using docker, you might need to run docker pull to get the latest version.

There's also information in the release notes about how to modify a customized theme:

Due to the necessary change related to adding a CSRF token when performing a federated login, a manual change may be required to your themed login pages. Please read through these details to understand if you will be affected.

If you are using any 3rd party IdP configurations such as OpenID Connect, SAML v2, Google, Facebook with a custom theme, you will need to make a modification to your template in order for federated login to continue to work correctly.

If you are not using any 3rd party IdP configurations, or you are not using a custom theme, no change will be necessary.

If you will be affected by this change, please review the following details and then make the update to your theme as part of your upgrade process.
...

You can add the opentelemtry java agent as described here: https://fusionauth.io/docs/v1/tech/admin-guide/monitor#opentelemetry

We also have an open issue to better support open telemetry with spans. https://github.com/FusionAuth/fusionauth-issues/issues/1665

If you are looking for alerts you can checkout how to setup Prometheus
https://fusionauth.io/docs/v1/tech/tutorials/prometheus

I have the exact same problem. I have a Net6 Web Api project with swagger client configured. I have no claims

I have AddJwtBearer with this settings

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.Authority = fusionAuthAuthority;
options.Audience = fusionAuthAudience;
options.RequireHttpsMetadata = false; // DEV only!!
});

and swagger client configured this way

services.AddSwaggerGen(c =>
{
c.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
{
Type = SecuritySchemeType.OAuth2,
Flows = new OpenApiOAuthFlows
{
AuthorizationCode = new OpenApiOAuthFlow
{
AuthorizationUrl = new Uri($"{fusionAuthAuthority}oauth2/authorize?audience={fusionAuthAudience}", UriKind.Absolute),
TokenUrl = new Uri($"{fusionAuthAuthority}oauth2/token", UriKind.Absolute),
Scopes = new Dictionary<string, string>() { }

} } }); c.AddSecurityRequirement(new OpenApiSecurityRequirement { { new OpenApiSecurityScheme { Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "oauth2" } }, Array.Empty<string>() } }); c.ExampleFilters(); c.DocumentFilter<OrderTagsDocumentFilter>();

});

Any updates on this issue or hints ?

Thanks
Manlio

There is no official way to do this but you can overload one of the custom fields as outlined here.

Here's sample code to do this, assuming that the parameter you want to track is registrationCode.

<script> const queryString = window.location.search; let urlParams = new URLSearchParams(queryString); const registrationCode = urlParams.get('registrationCode'); if (registrationCode) { console.log('New query string found of '+ registrationCode); let input = document.querySelector('.customParam'); input.setAttribute('value', 'registrationCode = ' + registrationCode); console.log(input.type, input.name, input.value); } </script>

Then, in the login form, you want to make sure you have this input field:

<input class="customParam" type="hidden" name="metaData.device.description"/>

The value of metaData.device.description in the webhook event will be the value of the registrationCode parameter.

As of right now, you can grab all your users via this script:

https://github.com/FusionAuth/fusionauth-example-scripts/blob/master/full-user-search/fulluserdownload.sh

And then run this script to give you stats on the links each user has:

https://github.com/FusionAuth/fusionauth-example-scripts/blob/master/full-user-search/ssostats.sh

You may need to edit the latter script if you want to get insight into different identity providers. Look up each identity provide Id via the API or admin UI and update the if clauses to increment the appropriate variable.

@harish_reddy I just want to make sure I understand where you are coming from. If you user signs up with an email address, you want the same response even if they are already signed up? Can you please share some images of how you would like the flow to work? I think this could cause problems and confusion the way I am thinking about it.

@nicolasalevera98 You are right on in that you do not want to send your API key down to the client. If you do that, they will have access to your system. In order to make a call to the APIs you will have to have to secure it on your server and then have the client call the server which has access to the API Key. Now if you enabled the something like the authorization code grant where the user logs in, then they would be able to use their username and password to access the APIs directly.

This can be accomplished through using lambdas. You will want to create a lambda of type JWT Populate. The code will look something like this.

function populate(jwt, user, registration) { var urlToFetch = "http://localhost:9012/api/entity/grant/search?userId=" + user.id; var response = fetch(urlToFetch, { method: "GET", headers: { "Content-Type" : "application/json", "Authorization" : "this_really_should_be_a_long_random_alphanumeric_value_but_this_still_works" } }); if (response.status === 200) { jwt.entityInfo = JSON.parse(response.body); } else { console.error("Error: " + response.status + " " + response.statusText); } }

The go to your application in the admin UI and under the JWT tab, under the Lambda settings section assign that lambda to the 'Access Token populate lambda'

A few things to keep in mind:

Please note the use of port 9012 when calling the API from the lambda. From the documentation "Use port 9012, or the configured value for fusionauth-app.http-local.port, whenever making a FusionAuth API call in a lambda. Doing so minimizes network traffic contention and improves performance." As of this post, you will need the Essentials license for the HTTP Lambda Connect feature.

Here's a more full featured implementation:

import jwt from '@tsndr/cloudflare-worker-jwt'; import dev_jwks from './jwks/dev.json'; function authenticate(handler) { return async function (request, response) { let headers = request.headers; if (!headers.has("Authorization")) { return json_error(401, "No Auth header present"); } let auth_header = headers.get("Authorization"); if (auth_header.indexOf("Bearer ") !== 0) { return json_error(403, "Bad auth header"); } let token = auth_header.slice(7); let verified = await jwt.verify(token, dev_jwks.keys[0], {algorithm: "RS256"}); if (!verified) { return json_error(403, "Bad auth token"); } try { token = jwt.decode(token); } catch (e) { return json_error(403, "Unable to decode token"); } let { header: meta, payload } = token; // TODO: inspect the payload of the jwt return await handler(request, response); }; }

where json_error is an error handler function outside the scope of this example and the JWKS file is downloaded and put into './jwks/dev.json' and the key is known to exist in the first entry in that array.

A more sophisticated version would examine the key id from the token header and find the corresponding public key in the the JWKS array.

The User Support Guide outlines actions customer support reps will need to take w/r/t customers and users managed by FusionAuth.

Okay, so the docs also describe the requirement for testing the applicationId claim:

https://fusionauth.io/docs/v1/tech/core-concepts/authentication-authorization#:~:text=Authorization and Securing Your Application

Unfortunately the application feature Registration->Self-service registration doesn't work for token requests. And OAuth->Require registration doesn't work for password grant type.

@alexiussamson83 With a single FusionAuth Application you can use this with multiple SDK's or API's.

https://fusionauth.io/docs/v1/tech/client-libraries/

I rolled back and installed an elastisearch container. Added the SEARCH_TYPE in the fusionauth deployment and mapped a service to the same RDS DB and it stood up without an issue. Something screwy in the way Fusionauth is connecting to either Postgre or MySQL.

I'm going to have to talk to sales as I want to enable the features temporarily to use it as a POC. Also so I can justify the cost per month for actual support beyond forums.

Thank you for your time.

@mark-robustelli - Apologies for the incorrect subject line. I am trying to redirect once user is setup password from the "Update your password" page. Basically i am trying to redirect to application login page once user is setup their password.

Please find attached password setup page which i need to add redirect URL once password setup is completed.

Screenshot 2023-08-30 at 10.21.33 AM.png

Unfortunately, this lambda will only fire on user registration or complete registration event, not on account page updates.

If you are looking to control how a user can update their profile, another option would be to use our events and webhooks (making them transactional - All webhooks must succeed) to do additional data processing to determine if a user update can succeed.

See the list of events here: https://fusionauth.io/docs/v1/tech/events-webhooks/events/

user.update or user.registration.update might be good events to use.

Currently FusionAuth does not provide additional logging or events for a failed 2FA login.

There are two reasons that a 2FA code would be considered invalid (assuming the code was valid at one point in time):

Expiration. You can control the duration of these codes in the Advanced tab of the edit tenant page by adjusting the external identifier duration for Two-Factor login Another code requested. A user is only allowed one active 2FA code at a time, so if there is a situation where another 2FA code is requested, the other code would be invalidated.

It'd be good to see if you can narrow down the situation where the invalid code method is received to one of those, which may help troubleshoot the root cause.

We have documentation that describes how you can monitor FusionAuth.

Each of the logs that you mention has an API exposed that can be used to consume FusionAuth data into an external system.

At this time, you'll need to write scripts, using the client libraries, to scrape and ingest these logs.

If you are looking to get webhooks into a system, we have an example AWS lambda which pushes webhook events to S3.

@muhammadfatihmaulana434 Ah, if you run both services in docker, you need to use their docker hostnames if they are all in the same network (perhaps using docker-compose). Or you can use host.docker.internal to refer to the host machine, which has ports mapped to each docker image.

https://docs.docker.com/desktop/networking/ has more details.

Alternatively, run the Laravel application outside of docker.