FusionAuth
    • A

      How to use FusionAuth JWT token and claims with Hasura GraphQL to authenticate GraphQL requests

      • • atakan
      4
      2
      Votes
      4
      Posts
      19.8k
      Views

      A

      @dan you're welcome! 🙂

    • dan

      What open source and commercial packages are known to work with FusionAuth?

      commercial compatibility open source packages • • dan
      6
      0
      Votes
      6
      Posts
      18.1k
      Views

      robotdan

      All of the new IdPs added in 1.28.0. Twitch, Steam, Xbox, Sony PSN, and Epic Games.

    • N

      Unsolved Send email to set up password - This feature is currently not enabled, see the tenant email configuration

      • • nate
      2
      0
      Votes
      2
      Posts
      8
      Views

      mark.robustelli

      @nate Can you successfully Send test email from Tenants -> Select Edit from desired Tenant -> Email in the AdminUI? This will test if your SMTP settings are correct.

    • J

      Unsolved SAML CSRF token issue

      • • joseantonio
      5
      0
      Votes
      5
      Posts
      5.0k
      Views

      J

      @mark-robustelli
      Thanks I just did that.
      https://github.com/FusionAuth/fusionauth-issues/issues/3113

    • E

      Unsolved Unable to Obtain Tenant-Signed Access Token for Data-Plane Apps in a Multi-Client, Multi-Application FusionAuth Architecture

      • • ezequiel.rebasa
      4
      0
      Votes
      4
      Posts
      45
      Views

      mark.robustelli

      @ezequiel-rebasa said in Unable to Obtain Tenant-Signed Access Token for Data-Plane Apps in a Multi-Client, Multi-Application FusionAuth Architecture:

      prompt=none

      OK a few things. One is it looks like there are a few open issues #521 and #2208 around FusionAuth not supporting the "prompt=none" parameter.

      I may be missing something here, but using lambdas, I was able to hit the login event for both Tenants when logging in. I imagine you could make the changes you needed there.

      I set up FusionAuth so that I have 2 Tenants Default and Test Tenant.

      In Default there is the FA Login Master application.

      In the Test Tenant I have the ExampleDotNetApp application.

      I set up an Identity Provider named FusionAuth Default Tenant FA Login Master using the FA Login Master application as the (IdP) and enabled it on the Test Tenant ExampleDotNetApp. I created a lambda named "FA Default OpenID Reconcile" of type OpenId Connect reconcile.

      The order in which the lambdas were executed was as follows:

      "FA Default Access Token Populate" of type JWT populate on FA Login Master

      "FA Default OpenID Reconcile" on FusionAuth Default Tenant FA Login Master

      "ExampleDotNetApp Access Token Populate" of type JWT populate on ExampleDotNetApp.

      You could potentially use any of those to inject info you need on the JWT.
      Please note that Lambda HTTP Connect is only available in an Essentials or Enterprise plan.

      When I add a favoriteColor in the "ExampleDotNetApp Access Token Populate" lambda, I am able to see it in the ExampleDotNetApp application after logging in.

      I would think with the access to those lambdas, you may be able to accomplish what you are trying to do.

    • P

      Unsolved Email verification fails in new incognito mode

      • • pocfused
      4
      0
      Votes
      4
      Posts
      352
      Views

      mark.robustelli

      @pocfused said in Email verification fails in new incognito mode:

      https://fusionauth.io/community/forum/topic/1406/link-in-email-verification-not-working-first-time

      Glad you were able to solve your issue.

      As far as the automatically verify the email part. What settings do you have for Applications -> Your Application -> Registration -> Verification strategy? There is a setting Clickable link. Is that what you are after?

      Another thought: would simply turning off Verify registrations in the Applications -> Your Application -> Registration tab work for you, or do you still want the user to actually have to click on a link? (It would make sense to ensure the user owns the email address.)

      You could also do something like provide a custom template and direct them to your application and then automatically verify them using the APIs. Check out this blog post.

      Good luck.

    • dan

      Solved Can I offer "login with yahoo" using FusionAuth?

      yahoo login federation social logins • • dan
      2
      0
      Votes
      2
      Posts
      34
      Views

      dan

      Yes. You can use FusionAuth's OpenID Connect Identity Provider.

      I did this a few weeks ago, so am writing these instructions from memory.

      Prerequisites:

      • A yahoo account
      • A running FusionAuth instance (localhost is fine)

      Steps:

      • Go to the Yahoo! developer network and create an app.
      • The redirect URI for Yahoo is https://<your instance>/oauth2/callback
      • Save off the provided Client ID (Consumer Key) and Client Secret (Consumer Secret).
      • Then go to FusionAuth and create an OpenID Connect Identity Provider: <your instance>/admin/identity-provider/add/OpenIDConnect
      • Put the Client ID (Consumer Key) and Client Secret (Consumer Secret) into the Client Id and Client secret fields, respectively.
      • Uncheck Discover Endpoints.
      • Manually configure the endpoints:
        • Set the Authorization Endpoint to https://api.login.yahoo.com/oauth2/request_auth
        • Set the Token Endpoint to https://api.login.yahoo.com/oauth2/get_token
        • Set the Userinfo Endpoint to https://api.login.yahoo.com/openid/v1/userinfo
      • Set the Scope to openid email profile and any other scopes you might need. (I was unable to find an authoritative list, but here's info about the mail scopes.)
      • Update the Button text and Button image as needed.
      • Enable it for applications as needed.
      • Save the Identity Provider.
    • J

      Unsolved Populate the First Name and Last Name when logging in with Google.

      • • jakub.hajto
      2
      0
      Votes
      2
      Posts
      470
      Views

      mark.robustelli

      @jakub-hajto , you may want to check out the Google Reconcile Lambda documentation. I also found this post that may be useful for you.

    • E

      Unsolved Logout with multiple subdomains

      logout domains • • ext_figuvini
      6
      0
      Votes
      6
      Posts
      920
      Views

      B

      @mark-robustelli said in Logout with multiple subdomains:

      @ext_figuvini after reading your post again, I think I read it differently. The way the SSO logout works is that on logout, FusionAuth calls all the logout URLs for each application. It would seem that you are correct in that creating an application for each subdomain makes sense and would work. (You can create applications through the API so you should be able to automate this.) Can you try this for a few domains and confirm it works?

      Your point is correct. Creating a separate application for each subdomain is a reasonable and correct solution.
      When a user logs out of the SSO system, FusionAuth will call the logout URLs defined in each configured application in turn. This allows each application to clean up its own session. Pretty good solution

    • dan

      Solved Receiving 502 errors when using Cloudflare in front of FusionAuth

      502 proxy cloudflare error • • dan
      2
      0
      Votes
      2
      Posts
      80
      Views

      dan

      This is due to non-ASCII characters in headers causing an issue in the FusionAuth parsing code. Cloudflare sends headers with non-ASCII characters (such as cf-region: São Paulo) which triggers this issue.

      This is a java-http bug that was fixed in 2024, and released in FusionAuth version 1.51.2.

      So, two options:

      • Upgrade to a version of FusionAuth 1.51.2 or newer. This is the recommended approach, but may require some work.
      • As an interim workaround, you can disable the "Add visitor location headers" option from your CloudFlare console. This should not have any negative impact, since we do not inspect those headers.
    • V

      Unsolved can't use fusion auth react sdk when fusion auth server runs locally on fusionauth.localhost:

      • • valerii15298
      3
      0
      Votes
      3
      Posts
      1.8k
      Views

      I

      @valerii15298 said in can't use fusion auth react sdk when fusion auth server runs locally on fusionauth.localhost::

      I followed react sdk example https://github.com/FusionAuth/fusionauth-quickstart-javascript-react-web/tree/main

      I changed in kickstart tenant issuer to

      "issuer": "http://fusionauth.localhost:9011"

      and variables to

      "allowedOrigin": "http://fusionauth.localhost:4000",
      "authorizedRedirectURL": "http://fusionauth.localhost:4000",
      "authorizedPostLogoutURL": "http://fusionauth.localhost:4000/logged-out",
      "authorizedOriginURL": "http://fusionauth.localhost:4000",
      "logoutURL": "http://fusionauth.localhost:4000",

      and started fusion auth in docker compose, also specified env var:

      FUSIONAUTH_APP_URL=http://fusionauth.localhost:9011

      For react sdk use this config:

      const config: FusionAuthProviderConfig = {
        clientId: "e9fdb985-9173-4e01-9d73-ac2d60d1dc8e",
        // even started my app under the same local domain
        redirectUri: "http://fusionauth.localhost:4000",
        postLogoutRedirectUri: "http://localhost:4000/logged-out",
        // serverUrl: "http://localhost:9011", // this one works
        serverUrl: "http://fusionauth.localhost:9011",
        shouldAutoFetchUserInfo: true,
        shouldAutoRefresh: true,
        onRedirect: (state?: string) => {
          console.log(`Redirect happened with state value: ${state}`);
        },
        scope: "openid email profile offline_access",
      };

      And when I log in and am redirected back to my app, fusion auth hook does not show me that I am logged in(it does not even send any requests I checked network). But when I strip everywhere fusionauth. prefix then everything works fine. Why does not fusion auth work locally with custom domains?

      Cookies on my local app fusionauth.localhost:4000 are also saved after I logged in: https://freeimage.host/i/3FVbSJsWacky Flip

      And when I click login button again (or invoke startLogin function from useFusionAuth hook) I am redirected right away to the app since I am logged in. But isLoggedIn is false and useFusionAuth hook does not recognize that user is logged in.

      (I have mapped fusionauth.localhost to localhost in my hosts file locally)

      #docker #react-sdk

      Set SameSite=None; Secure explicitly on the FusionAuth Cookie: this tells the browser to send the cookie with all requests, even cross-site requests. SameSite=None requires the Secure attribute, meaning the cookie will only be sent over HTTPS. Since you are using http://, this won't work directly without HTTPS set up locally.

    • E

      Unsolved Adding supplementary user data

      user data userinfo self hosted • • evanm
      6
      0
      Votes
      6
      Posts
      7.8k
      Views

      S

      @Alex-Patterson tunnel rush said in Adding supplementary user data:

      @evanm Yes you can use the sub inside of the JWT when making any API call to your backend. In your database this will be a unique Id for the user. You can even get more details about the user from FusionAuth by calling the User endpoints.

      https://fusionauth.io/docs/apis/users#response-1

      Thanks for sharing!!

    • L

      Unsolved nextAuth SignOut and revoking app sessions

      • • laurahernandez
      5
      0
      Votes
      5
      Posts
      953
      Views

      L

      @mark-robustelli Yes, it's all working. After the logout flow executes, the sessions that were being left behind on FusionAuth are now being revoked properly. Thanks.

    • H

      Unsolved Proxy IP Issue

      • • haziqt
      2
      0
      Votes
      2
      Posts
      635
      Views

      mark.robustelli

      @haziqt have you taken a look at the documentation on How To Use a Proxy? There are a few headers you will need to add.

    • R

      Unsolved Cookie for multiple environments on the same root domain

      • • robert.regnier
      2
      0
      Votes
      2
      Posts
      661
      Views

      mark.robustelli

      @robert-regnier Unfortunately, it looks like FusionAuth does not support this. I did find an open issue that you may want to upvote if it is in fact the same issue you are experiencing.

      You may also want to check out this blog. It talks about a custom domain using one of FusionAuth's hosting packages, but think it should work in your case as well.

      Does anyone else have a similar setup? How did you implement it?

    • A

      Solved How to distinguish between Google Logins and traditional email+pwd logins?

      • • admin 8
      12
      0
      Votes
      12
      Posts
      11.3k
      Views

      A

      @owork138 Thank you so much for the detailed and thoughtful explanation. Your insights have helped clarify the likely cause of the confusion with the authentication setup in our FusionAuth application. Understanding that the lack of distinction in the session data may stem from FusionAuth’s default handling—and that customization in our Express.js logic might be required—gives us a clear direction to move forward.

      We truly appreciate the time and effort you put into outlining potential solutions. We'll be reviewing our current middleware and exploring the recommended approach to better capture identity provider information during authentication.

      Thanks again for your support!

    • J

      Unsolved Enquiry Regarding FusionAuth Evaluation and Access Management Capabilities

      • • jay.saxophone383
      4
      0
      Votes
      4
      Posts
      1.3k
      Views

      mark.robustelli

      @jay-saxophone383 I do believe you can get FusionAuth to work as you described here. Here are some links that may give you a little more detail.

      SAML v2 with ADFS

      OpenID Connect with Azure AD

      Enabling Single Sign-On in an Organization

      Product Update

      As mentioned above, some of the features described are only available with paid plans and if you need to test them out, you will want to contact FusionAuth and see what can be worked out.

    • W

      Unsolved Can You Create Read-Only Roles in FusionAuth?

      login logins • • wesley
      2
      0
      Votes
      2
      Posts
      8.1k
      Views

      W

      Existing Role Limitations in FusionAuth

      FusionAuth provides predefined Admin UI roles, which are not modifiable. You can review the available roles here: FusionAuth Admin UI Roles

      The default FusionAuth application roles cannot be changed, which means read-only roles are not currently available.

      Requesting Read-Only Roles as a Feature

      FusionAuth does not currently support read-only access roles for applications or tenants. The likely reason for this is that users who need to view application/tenant properties often also need to update them. However, you can submit a feature request to suggest adding read-only roles: Submit a Feature Request

      Workaround: Implement a Custom Read-Only View

      If immediate read-only access is required, consider:

      • Using the FusionAuth APIs to create a custom dashboard where users can view but not edit data.
      • Relevant APIs for this purpose:
        • Application API
        • Tenant API

      Summary

      • No built-in read-only roles exist for applications or tenants.
      • FusionAuth Admin UI roles are not modifiable.
      • You can request read-only roles as a feature via GitHub.
      • A workaround is to build a custom, API-based read-only view.
    • R

      Unsolved Getting 403 : disallowed_useragent with Google Auth

      • • robin.singh
      2
      0
      Votes
      2
      Posts
      5.9k
      Views

      mark.robustelli

      @robin-singh said in Getting 403 : disallowed_useragent with Google Auth:

      We have android/iOS app where authentication redirects to fusionauth login page.
      And here we have Facebook/Google login setup.
      Facebook and native login is working fine but with Google login getting Error 403: disallowed_useragent.

      Is there any way to directly open sign in for google which will send data to fusion auth only.

      Are you trying to open the login in your application? Maybe try to use the system browser to up the Google login and see if that works. Google disallows OAuth login flows inside embedded web views (like those used in many mobile apps).

    • dan

      Solved Getting custom information from the hosted login pages into the JWT

      jwt custom claims login • • dan
      2
      0
      Votes
      2
      Posts
      846
      Views

      dan

      This is not available today without some glue code.

      Currently our suggestion is to use Javascript on the Login page to jam the claim into a meta field that is shown on a Webhook payload, like jamming stuff into event.info.deviceDescription .

      Then you create a user.login.success webhook, making sure it is transactional. On login, the event is fired off to your system and then you extract the claim off the event.info.deviceDescription field and make a PATCH call to FusionAuth. In that PATCH call, you add this to a field on user.data.x.

      Then once that PATCH is successful, the 200 response back to the user.login.success event which completes the login and triggers the JWT populate lambda. That lambda extracts the claim off the user.data.x field and puts it into the JWT.

      It's not pretty but it is the only way to have this work for now. (For self-service registration you can use a custom hidden field, much easier.)

      Relevant docs:

      • https://fusionauth.io/docs/extend/code/lambdas/jwt-populate
      • https://fusionauth.io/docs/extend/events-and-webhooks/events/user-login-success
      • https://fusionauth.io/docs/apis/users#update-a-user