This has been fixed in version 1.46.0, which should be released soon.

You can track it at the issue above.

Thanks for reporting, @ndiarmand !

Also, I added some documentation to help folks to find this easier: https://github.com/FusionAuth/fusionauth-site/pull/2219

Should be live in a few minutes.

Since the original post is from two years ago, it's important to consider that the technology landscape and integration options may have evolved since then.

@mangeshp16 The original question is over two years old. Since version 1.42, you can enforce MFA at the tenant level (or the application level if you have the enterprise plan). This means that any user who logs in is required to have MFA. If they do not, they are redirected to a page where they can set it up.

There are other ways to accomplish this. You could build your own MFA page which would call the APIs directly. When a user logs in, you can check to see if they have any twoFactor methods available and if they don't, you can send them to this page.

@dan said in How can I make sure FusionAuth is running when I start it via docker-compose?:

It's not responding at the port 9011, like it should.
Is there a way to test or ping the FusionAuth App to make sure its up and running other than using docker ps -a?

Yes, there are several ways to test or ping the FusionAuth App to check if it's up and running without relying on the docker ps -a command. Here are a few alternative methods:

Curl or wget: You can use the curl or wget command-line tools to send a request to the FusionAuth App's endpoint and check the response. For example, you can run curl http://localhost:9011 or wget http://localhost:9011 to send a GET request to the FusionAuth App running on port 9011. If you receive a valid response, it indicates that the app is up and running.

Telnet: You can use the telnet command to establish a connection to the FusionAuth App's port and check if it's open and responsive. Run telnet localhost 9011 to attempt a connection to the FusionAuth App on port 9011. If the connection is successful, it means the app is running and accepting connections.

Browser access: Simply open a web browser and enter the URL http://localhost:9011 to access the FusionAuth App. If the app is running correctly, you should be able to see the login or landing page.

API client: If the FusionAuth App provides an API, you can use an API client like Postman or cURL to send a request to the API endpoints and verify if you receive the expected responses.

These methods allow you to test the availability and responsiveness of the FusionAuth App without relying on the docker ps -a command or using Docker-specific tools.

Hello, Time unit difference: The timestamps may be stored or represented in different units. For example, one library might use seconds while the other uses milliseconds. This can result in significantly different values for the expiration date.

Timezone handling: The libraries may handle timezones differently, which can affect the calculated expiration date. Make sure that the libraries are using the same timezone or that any necessary conversions are being applied consistently.

Timestamp format: The libraries might use different formats to store or interpret timestamps. Check if the libraries expect timestamps in a specific format and ensure that they are being provided correctly when generating or validating the JWT.

To resolve the issue, you can try the following steps:

Review library documentation: Check the documentation of both the .NET Core and Java client libraries for any specific information regarding timestamp handling, timezone considerations, or timestamp formats.

Verify input values: Ensure that the input values provided to both libraries are consistent and correctly represent the expiration timestamp. Double-check any conversion or formatting steps involved.

Test with sample data: Create a test case with sample data and compare the outputs of both libraries to identify any discrepancies or patterns.

Consult library support or community: If the issue persists, consider reaching out to the library maintainers or their respective communities for further assistance. They may be able to provide insights or suggest specific solutions for your scenario.

@mart

Hmmm. Haven't seen this before.

https://www.jvt.me/posts/2020/08/16/globally-disable-tls-java-httpsurlconnection/ looks interesting.

The java client uses https://github.com/inversoft/restify/ under the covers, so maybe there's some setting in that library? The docs are sparse (some might say not there at all) but the code is reviewable.

Let us know what you find.

@jacksontrevan Yes, this is unfortunately a limitation of cookies.

You could work around that by setting up a DNS alias to local.example.com (assuming FusionAuth is running remotely at auth.example.com).

You can usually set that up by googling for local host in /etc/hosts <platform> which turns up:

https://www.hostinger.com/tutorials/how-to-edit-hosts-file-macos https://www.manageengine.com/network-monitoring/how-to/how-to-add-static-entry.html

@nico-ayala Makes sense. We have some documentation here: https://fusionauth.io/docs/v1/tech/identity-providers/google#custom-parameters

Though that is for setting up an OIDC provider in FusionAuth, it might be somewhat helpful.

There are a couple of things going on here.

First, for account A, I'd recommend setting up a OIDC identity provider for Azure AD. Doc here.

Then, there is the linking to a different account (account B, C and D). You'll want to set up identity providers for these as well.

After you do that, start the authorization process. You aren't going to want to use the hosted pages because this isn't really a login, so you'll want to build the authorize URL with the correct client id and scopes. Send the user off to that when they click 'authorize account B'. This is the 3rd party authorization mode.

Make sure you request the offline_access scope, because FusionAuth only stores refresh tokens on the OIDC identity provider link.

The user will authenticated at Account B and choose to allow the scopes you ask for.

Then, when you get the authorization code (in your controller), don't call the token endpoint. Let FusionAuth do that with the 'Complete' call.

This creates the FusionAuth identity provider link, which will store the refresh token.

Awesome. Now 5 days passes and your user wants to manage account B.

Retrieve the refresh token using the Links API, and present the refresh token to account B for an access token. (This refresh grant is not handled by FusionAuth, but you can review how you'd do it here. Make sure you are performing this grant against the account B IDP, not FusionAuth.) The access token is then presented to the resource servers that require it.

You can repeat the authorization process for account C, D, etc.

One final wrinkle. If the user shares the same email address across the accounts, you are good to go. But if they have different email addresses, make sure to set the Linking Strategy to Pending. After you complete the login, you'll get a pendingIdPLinkId. This can be used to link the user who logged into account A with the user who authorized account B, C, D, etc.

A user account with email of 'foo@example.com' in account A could be linked to a user account with a userid of 1238792389 in account B and a userid of 7ce003a2-10f1-4545-bb25-6cfe2fc7d0e4 in account C.

I was able to recreate the "too many redirects" issue on my end. I received a couple of errors that I was able to resolve and get the app working.

The first error was this: Unable to convert claim 'iss' of type 'class java.lang.String' to URL.

To fix this I made sure the issuer value on the Tenant level was a full URL (e.g. https://fusionauth.io instead of fusionauth.io).

The next error I ran into after that was this: Missing attribute 'name' in attributes.

To fix this one I just needed to make sure the user had a Full Name value on their profile. The default OIDC integration requires that.

I'm sorry, but I cannot see the docker-compose file you are referring to. Please provide me with the docker-compose file so that I can review it and provide you with any assistance you may need to deploy the FusionAuth Docker image on Azure App Service.
@rafal-glebocki said in Fusionauth on azure app service for containers:

Hey,

I want to deploy fusionauth docker image on azure app service. I have adjusted slightly the docker-compose file and I'm using external postgresql server.
Here is a docker-compose I'm deploying.

FusionAuth does use open source components, including mybatis and prime mvc.

The licenses for all components are available as part of the zipfile. To see them, download the zip file.

When you unzip it, there’s a directory called 3rd-party-licenses. This will be present in every zipfile.

Here's the output from the 1.45.1 zip file:

/org/postgresql/postgresql/42.5.1/license-BSD-2-Clause.txt ./org/checkerframework/checker-qual/3.5.0/license-MIT.txt ./org/jboss/spec/javax/interceptor/jboss-interceptors-api_1.1_spec/1.0.0+Beta1/license-LGPL-2.1-only.txt ./org/mybatis/mybatis/3.5.7/license-Apache-2.0.txt ./org/mybatis/mybatis-guice/3.16.0/license-Apache-2.0.txt ./org/slf4j/jcl-over-slf4j/2.0.0-alpha5/license-MIT.txt ./org/slf4j/slf4j-api/2.0.3/license-MIT.txt ./org/testng/testng/7.7.1/license-Apache-2.0.txt ./org/ow2/asm/asm/9.2.0/license-BSD_3_Clause.txt ./org/ow2/asm/asm-util/7.3.1/license-BSD_3_Clause.txt ./org/ow2/asm/asm-tree/7.3.1/license-BSD_3_Clause.txt ./org/ow2/asm/asm-analysis/7.3.1/license-BSD_3_Clause.txt ./org/ow2/asm/asm-commons/7.3.1/license-BSD_3_Clause.txt ./org/freemarker/freemarker/2.3.30/license-Apache-2.0.txt ./org/osgi/org.osgi.core/4.3.0/license-Apache-2.0.txt ./org/lz4/lz4-java/1.7.1/license-Apache-2.0.txt ./org/graalvm/js/js/22.3.1/license-MIT.txt ./org/graalvm/js/js/22.3.1/license-UPL-1.0.txt ./org/graalvm/regex/regex/22.3.1/license-UPL-1.0.txt ./org/graalvm/truffle/truffle-api/22.3.1/license-UPL-1.0.txt ./org/graalvm/sdk/graal-sdk/22.3.1/license-UPL-1.0.txt ./org/glassfish/jaxb/txw2/3.0.2/license-Other.txt ./org/glassfish/jaxb/jaxb-core/3.0.2/license-Other.txt ./org/glassfish/jaxb/jaxb-runtime/3.0.2/license-Other.txt ./org/savantbuild/savant-version/2.0.0-RC.4/license-Apache-2.0.txt ./org/openjdk/nashorn/nashorn-core/15.3.0/license-GPL-2.0-only.txt ./org/xerial/snappy/snappy-java/1.1.8+1/license-Apache-2.0.txt ./org/jsoup/jsoup/1.15.3/license-Other.txt ./org/inversoft/prime/prime.js/1.6.4/license-Apache-2.0.txt ./org/primeframework/prime-email/0.20.0/license-Apache-2.0.txt ./org/primeframework/prime-mvc/4.7.1/license-Apache-2.0.txt ./org/aopalliance/aopalliance/1.0.0/license-NIST-PD.txt ./org/elasticsearch/client/elasticsearch-rest-client/7.17.7/license-Apache-2.0.txt ./org/elasticsearch/client/elasticsearch-rest-client-sniffer/7.17.7/license-Apache-2.0.txt ./org/apache/httpcomponents/httpcore/4.4.15/license-Apache-2.0.txt ./org/apache/httpcomponents/httpclient/4.5.13/license-Apache-2.0.txt ./org/apache/httpcomponents/httpcore-nio/4.4.15/license-Apache-2.0.txt ./org/apache/httpcomponents/httpasyncclient/4.1.5/license-Apache-2.0.txt ./org/apache/commons/commons-codec/1.15.0/license-Apache-2.0.txt ./org/apache/commons/commons-logging/1.2.0/license-Apache-2.0.txt ./org/apache/commons/commons-csv/1.8.0/license-Apache-2.0.txt ./org/apache/directory/apacheds-embedded/1.0.0/license-Apache-2.0.txt ./org/apache/kafka/kafka-clients/2.8.2/license-Apache-2.0.txt ./org/webjars/jquery/3.6.1/license-Other.txt ./ch/qos/logback/logback-classic/1.4.4/license-LGPL-2.1.txt ./ch/qos/logback/logback-classic/1.4.4/license-EPL-1.0.txt ./ch/qos/logback/logback-core/1.4.4/license-LGPL-2.1.txt ./ch/qos/logback/logback-core/1.4.4/license-EPL-1.0.txt ./io/ipinfo/db/0.0.1/license-Commercial.txt ./io/prometheus/simpleclient/0.10.0/license-Apache-2.0.txt ./io/prometheus/simpleclient_dropwizard/0.10.0/license-Apache-2.0.txt ./io/prometheus/simpleclient_common/0.10.0/license-Apache-2.0.txt ./io/dropwizard/metrics/metrics-healthchecks/3.2.6/license-Apache-2.0.txt ./io/dropwizard/metrics/metrics-jvm/3.1.2/license-Apache-2.0.txt ./io/dropwizard/metrics/metrics-core/3.2.6/license-Apache-2.0.txt ./io/fusionauth/fusionauth-style/0.3.55/license-Apache-2.0.txt ./io/fusionauth/fusionauth-jwt/5.1.2/license-Apache-2.0.txt ./io/fusionauth/java-http/0.1.13/license-Apache-2.0.txt ./io/fusionauth/fusionauth-scim/2.2.0/license-Apache-2.0.txt ./io/fusionauth/fusionauth-2fa/2.1.0/license-Apache-2.0.txt ./io/fusionauth/fusionauth-plugin-api/1.45.1/license-Apache-2.0.txt ./io/fusionauth/fusionauth-samlv2/0.8.6/license-Apache-2.0.txt ./jakarta/transaction/jakarta.transaction-api/1.3.2/license-Apache-2.0.txt ./jakarta/inject/jakarta.inject-api/1.0.5/license-Apache-2.0.txt ./jakarta/mail/jakarta.mail-api/2.0.1/license-Other.txt ./jakarta/annotation/jakarta.annotation-api/1.3.5/license-Apache-2.0.txt ./jakarta/xml/bind/jakarta.xml.bind-api/3.0.1/license-Other.txt ./jakarta/ejb/jakarta.ejb-api/3.2.6/license-Apache-2.0.txt ./javax/enterprise/cdi-api/1.0.0-SP4/license-Apache-2.0.txt ./javax/inject/javax.inject/1.0.0/license-Apache-2.0.txt ./javax/annotation/jsr250-api/1.0.0/license-Apache-2.0.txt ./com/sun/mail/jakarta.mail/2.0.1/license-Other.txt ./com/sun/activation/jakarta.activation/2.0.1/license-Other.txt ./com/sun/istack/istack-commons-runtime/4.0.1/license-Other.txt ./com/google/guava/guava/30.1.0-jre/license-Apache-2.0.txt ./com/google/guava/failureaccess/1.0.1/license-Apache-2.0.txt ./com/google/guava/listenablefuture/9999.0.0-empty-to-avoid-conflict-with-guava/license-Apache-2.0.txt ./com/google/inject/guice/5.1.0/license-Apache-2.0.txt ./com/google/code/findbugs/jsr305/3.0.2/license-Apache-2.0.txt ./com/google/j2objc/j2objc-annotations/1.3.0/license-Apache-2.0.txt ./com/google/protobuf/protobuf-java/3.11.4/license-BSD_3_Clause.txt ./com/maxmind/db/maxmind-db/2.0.0/license-Apache-2.0.txt ./com/ibm/icu/icu4j/71.1.0/license-ICU.txt ./com/github/spotbugs/spotbugs-annotations/4.4.2/license-LGPL-2.1-only.txt ./com/github/luben/zstd-jni/1.4.9-1/license-BSD-2-Clause.txt ./com/github/java-json-tools/msg-simple/1.2.0/license-Apache-2.0.txt ./com/github/java-json-tools/jackson-coreutils/2.0.0/license-Apache-2.0.txt ./com/github/java-json-tools/btf/1.3.0/license-Apache-2.0.txt ./com/github/java-json-tools/json-patch/1.13.0/license-Apache-2.0.txt ./com/beust/jcommander/1.82.0/license-Apache-2.0.txt ./com/inversoft/jackson5/3.0.1/license-Apache-2.0.txt ./com/inversoft/inversoft-domain/0.4.0/license-Commercial.txt ./com/inversoft/inversoft-api-authentication/0.25.0/license-Commercial.txt ./com/inversoft/inversoft-executor/0.2.1/license-Commercial.txt ./com/inversoft/inversoft-support/0.13.1/license-Commercial.txt ./com/inversoft/inversoft-maintenance-mode/0.20.3/license-Commercial.txt ./com/inversoft/java-error/2.2.3/license-Apache-2.0.txt ./com/inversoft/inversoft-freemarker/0.2.1/license-Commercial.txt ./com/inversoft/inversoft-scripts/0.1.10/license-Commercial.txt ./com/inversoft/inversoft-scheduler/0.2.4/license-Commercial.txt ./com/inversoft/inversoft-cache/0.5.2/license-Commercial.txt ./com/inversoft/inversoft-tools/0.30.5/license-Commercial.txt ./com/inversoft/inversoft-search-engine/5.1.1/license-Commercial.txt ./com/inversoft/inversoft-validator/0.4.11/license-Commercial.txt ./com/inversoft/inversoft-metrics/0.2.3/license-Commercial.txt ./com/inversoft/restify/4.2.0/license-Apache-2.0.txt ./com/inversoft/inversoft-migrator/0.2.1/license-Commercial.txt ./com/inversoft/inversoft-config/0.9.6/license-Commercial.txt ./com/inversoft/inversoft-database/0.9.1/license-Commercial.txt ./com/inversoft/inversoft-license/4.2.0/license-Commercial.txt ./com/zaxxer/HikariCP/5.0.1/license-Apache-2.0.txt ./com/googlecode/libphonenumber/libphonenumber/8.5.1/license-Apache-2.0.txt ./com/fasterxml/jackson/core/jackson-databind/2.14.0/license-Apache-2.0.txt ./com/fasterxml/jackson/core/jackson-core/2.14.0/license-Apache-2.0.txt ./com/fasterxml/jackson/core/jackson-annotations/2.14.0/license-Apache-2.0.txt ./com/fasterxml/jackson/dataformat/jackson-dataformat-cbor/2.14.0/license-Apache-2.0.txt

As always, please review the FusionAuth license and the license FAQ for more details about commercial use of FusionAuth.

@simo-adonis , another team member took a look at this forum post and tested against an instance in our cloud. He saw case-insensitive matching of username and password.

Can you please provide more details about the behavior you are seeing?

version of FusionAuth backing database (mysql or postgresql) how you are adding users an example of a username or email address that doesn't work in a case insensitive manner

Thanks so much!

@le-nnyburkdoll

This guide might be helpful to you: https://fusionauth.io/docs/v1/tech/guides/user-search-with-elasticsearch

Thanks,
Dan

@bryan

Thanks for using FusionAuth!

I think this GitHub issue might be related to what you see: https://github.com/FusionAuth/fusionauth-issues/issues/2233

Please take a look and let us know.

Dan

@ismail

Thanks for using FusionAuth!

I don't have any experience with SvelteKit, but this new NextJS quickstart might be of interest to you:

https://fusionauth.io/blog/2023/04/26/nextjs-single-sign-on

Dan

@twilkinson

Thanks for using FusionAuth!

Did you get this sorted out?

Dan

@mattcrox

Thanks for using FusionAuth!

1.32.1 is pretty old version (released in Dec 2021). Do you run into the same issue with more recent versions?

@rafal-glebocki
I'm working through the same issue. I've setup an Application Gateway but it doesn't appear to be working. Would you share your configuration?