FusionAuth
    • E

      Unsolved Specify default value for form field?

      • • elliotdickison
      6
      0
      Votes
      6
      Posts
      8.9k
      Views

      E

      @vatsal We did not

    • A

      Unsolved FusionAuth Running In Azure Container App Environment

      azure krakend container apps • • alan.rutter
      3
      0
      Votes
      3
      Posts
      14.4k
      Views

      D

      Hello there,
      I feel like you are encountering some complex issues with running FusionAuth in Azure Container Apps and using KrakenD as a proxy.

      For the Proxy Configuration Warning, ensure that your FusionAuth instance is aware of the correct external URL and headers. You might need to set the FUSIONAUTH_URL environment variable appropriately.

      Related to KrakenD, you could configure it to correctly handle the necessary headers for FusionAuth. Be sure your KrakenD configuration includes the necessary routes and headers for FusionAuth's admin and OAuth endpoints.

      Consider checking the FusionAuth and KrakenD documentation for any specific configurations needed for Azure environments.

      If the issue still did not get solved, you might want to reach out to FusionAuth support directly for more tailored assistance.

      Hope it helps.

    • M

      Unsolved Info about when 2FA was enabled via the user API in "twoFactor"?

      • • mike.chen
      1
      0
      Votes
      1
      Posts
      2.4k
      Views

      No one has replied

    • E

      Unsolved Details on XSS vulnerability

      • • engineering 1
      1
      0
      Votes
      1
      Posts
      2.6k
      Views

      No one has replied

    • A

      Unsolved FusionAuth, Nginx inside Azure Container App

      • • alan.rutter
      1
      0
      Votes
      1
      Posts
      1.9k
      Views

      No one has replied

    • A

      Unsolved DockerFile for FusionAuth

      • • alan.rutter
      1
      0
      Votes
      1
      Posts
      2.0k
      Views

      No one has replied

    • T

      Unsolved Timeout on add/update user through web/api when changed password algorithm

      • • thlau
      1
      0
      Votes
      1
      Posts
      2.0k
      Views

      No one has replied

    • W

      Unsolved How to install Mysql Connector JAR on Debian Linux

      • • wesnoth.hu
      1
      0
      Votes
      1
      Posts
      1.6k
      Views

      No one has replied

    • H

      Unsolved install app

      • • hoainamxl2203
      3
      0
      Votes
      3
      Posts
      4.6k
      Views

      H

      @tony-blank yes please help me.

    • C

      Unsolved JWT Validation Issues with RSA-SHA256 and JwtBearer Middleware (.NET / C#)

      net jwt csharp webapi • • chukwuemekai
      1
      0
      Votes
      1
      Posts
      7.5k
      Views

      No one has replied

    • E

      Unsolved Sporadic redirects to /maintenance-mode in production

      • • elliotdickison
      3
      0
      Votes
      3
      Posts
      1.8k
      Views

      T

      Wonderful blog post. I found it very helpful and informative. Solar

    • T

      Unsolved Authentication in a full stack application (.NET API/Angular)

      • • tanguy.e
      2
      0
      Votes
      2
      Posts
      3.3k
      Views

      T

      Any news?

    • I

      Unsolved Embed an application that requires FusionAuth for logging in

      • • IvanYingX
      1
      0
      Votes
      1
      Posts
      2.6k
      Views

      No one has replied

    • E

      Unsolved Maximum lifetime of refresh token not honored? (sliding window configuration)

      • • egg
      2
      0
      Votes
      2
      Posts
      958
      Views

      J

      @egg said in Maximum lifetime of refresh token not honored? (sliding window configuration):

      I am configuring my Tenant with a refresh token expiration policy of "sliding window with maximum lifetime". I have configured the maximum lifetime to 240 minutes, but the refresh token is actually expiring after 30 minutes.

      The "sliding window with maximum lifetime" policy should allow the refresh token to remain valid as long as it's used within the configured lifetime, which in your case is set to 240 minutes.

    • Z

      Solved E-mail field not exists in access token

      php token email laravel • • zaalbarxx
      4
      0
      Votes
      4
      Posts
      1.7k
      Views

      A

      @zaalbarxx sorry for the delay. I might be missing it (sorry not a PHP person) but I don't see where that confusion comes into play. I know that some of our docs had to get updated because of a change that we made during our 1.50 release that required to request further details in our scopes request.

      This release makes significant changes to the default behavior of new Applications with regard to scopes in OAuth workflows. The database migration will update existing Applications to behave in a backwards compatible manner. See the OAuth Scopes documentation for more information, in particular the Relationship, Unknown scope policy, and Scope handling policy configurations.

      https://fusionauth.io/docs/release-notes/#version-1-50-0

      Let me know if that still isn't making sense, or if there is a spot you were hung up on and I would be happy to update our docs. Or even better feel free to add a PR.

    • C

      Unsolved Setting well-known IDs for identity providers in the kickstart file

      • • colin.orr
      1
      0
      Votes
      1
      Posts
      1.2k
      Views

      No one has replied

    • I

      Unsolved JupyterHub LTI integration

      • • IvanYingX
      1
      0
      Votes
      1
      Posts
      1.6k
      Views

      No one has replied

    • M

      Unsolved Unsuccessful attempt to implement invitation flow.

      • • mou
      3
      0
      Votes
      3
      Posts
      1.8k
      Views

      M

      @mark-robustelli Hi, Mark. This is a great idea I didn't even think of. Thank you very much. It is a workaround anyway, but maybe it will allow me to complete PoC and wait for the proper invite flow to be implemented in FA.

    • danD

      MFA with the password grant

      password grant mfa • • dan
      3
      0
      Votes
      3
      Posts
      1.8k
      Views

      A

      Thanks for addressing this use case. Your proposal, however, runs counter to any standardization effort: Long live OAuth! 🙂

      A better approach would be to switch from a password grant to the use of authorization codes (instead of passwords) to obtain the access token. This is fully within the OAuth framework and does not introduce fusionauth-specific hacks into the solution.

      We have created a simple HTML page that redirects to the FusionAuth authorize endpoint with grant_type=authorization_code. The browser handles MFA as usual. Upon redirecting to this page, the page can harvest the authorization code for the user to copy. From there, proceed with the authorization code in place of a password.

      PS: Long live OAuth!

    • A

      Unsolved Passwordless Login Questions

      • • alan.rutter
      2
      0
      Votes
      2
      Posts
      654
      Views

      mark.robustelliM

      @alan-rutter When it comes to account recovery in a passwordless login system, the most recommended method is to use a self-service approach. This means allowing users to recover their accounts themselves, which not only saves administrative costs but also saves the user's time. The simplest form of account recovery, and the one most amenable to automation, is a “forgot password” flow. This should be part of any Customer Identity and Access Management (CIAM) system.

      In the context of passwordless authentication, this could involve sending a one-time code or a magic link to the user's registered email or phone number. The user can then use this code or link to authenticate themselves and regain access to their account. This method is secure and user-friendly, as it does not require the user to remember any passwords.

      For more information, you can refer to these articles on account recovery and passwordless authentication.