Thanks Alex. I went back and looked and it doesn't seem I can even turn that option on. Its set to First Party and when I try to set it to Third Party I get this:

7c9c6e5d-95d3-4c0b-9055-dfd713a5236a-image.png

So that doesn't really answer the question as to why fusion auth is redirecting to the "consent" endpoint. This process is kicked off via the normal "authorize" endpoint so I don't think email templates are in play either.

@aman-c FusionAuth is completely running outside of Next.js. So it all depends on what you are using to make the call to FusionAuth.

My suggestion would be to implement a version of our React SDK
https://fusionauth.io/docs/sdks/react-sdk

Then anything clientside that needs details you can use the built in hooks, anything serverside you can use the cookie that sits at app.at or for identity app.idt.

If you have been using our quickstart you are most likely using next-auth which could be causing issues with the implementation. We have had a lot of internal discussion about removing this methodology moving forward to simplify our Next.js suggested implementation.

You can find out more about our cookies that are set in our Hosted Backend details.
https://fusionauth.io/docs/apis/hosted-backend

@gubbasainithin123 Can you tell us a little more about what you are trying to do and add a few more details on how you are getting this error message? How is you application configured? Maybe some of the code if possible. Make sure to remove any secrets or private info.

Have you checked out Lambdas? Sounds like you may be able to do what you need with that.

FusionAuth Cloud instances may or may not have static egress IP addresses; please open a support ticket with your instance name to learn more.

VPC peering is not currently supported, though that issue is the right one to follow for future developments.

You can also use an LDAP proxy to solve this issue.

FusionAuth -> LDAP proxy -> AD

where the LDAP proxy is in the DMZ and AD is configured to only talk to internal network values or the LDAP proxy.

Here's a StackOverflow post with more details.

@dan Has there been any updates on this? I have my fusionauth application in cluster behind a proxy (nginx ingress controller) and I passing those same headers but I am getting a CSRF error. Please any help is more than welcome.

The best way to see this is to visit the theme history github repo.

It is mentioned in the theme upgrade documentation.

Currently this is not editable in the Admin UI. This value can be set by calling the Tenant API, however.

Docs here: https://fusionauth.io/docs/apis/tenants#update-a-tenant

I was able to do this by:

copying the advanced theme editing it navigating to the Helpers file inside that, going to the head freemarker macro

I removed these lines:

<link rel="stylesheet" href="/css/font-awesome-4.7.0.min.css"/> <link rel="stylesheet" href="/css/fusionauth-style.css?version=${version}"/> [#-- Theme Stylesheet, only Authorize defines this boolean. Using the ?no_esc on the stylesheet to allow selectors that contain a > symbols. Once insde of a style tag we are safe and the stylesheet is validated not to contain an end style tag --] [#if !(bypassTheme!false)] <style> ${theme.stylesheet()?no_esc} </style> [/#if]

If you want to use the CSS field in the theme to store your CSs, leave in

[#if !(bypassTheme!false)] <style> ${theme.stylesheet()?no_esc} </style> [/#if]

which pulls in the CSS associated with the theme. Doing so allows you to add all your custom CSS to the CSS field in the theme and have it automatically included. If you don't do this, make sure you add your CSS to this macro (either directly or via a link). You'll want to make sure you keep it in as you upgrade.

Removing all the CSS will result in a page that looks like the one below.

unstyled login page

We also noticed that even with silent renewal, MFA code is getting triggered. This is very annoying for our users who stay on the page for long time.

Is there a way prevent MFA for SPA on every token refresh?

You can also use our GitHub action to easily add FusionAuth to a GitHub workflow.

Here's the action: https://github.com/FusionAuth/fusionauth-github-action

Here's doc about how to use it: https://fusionauth.io/docs/get-started/run-in-the-cloud/github-actions

@Alex-Patterson
Indeed, you are right, it is because of the scope configuration, whose default values have changed. The advice in the release notes regarding this in version 1.50 also sounds appropriate in retrospect.

What surprises me is that these settings are relevant when I perform the oldschool login via POST /api/login, I wasn't aware of that...

Thanks for the tip!❤ I would probably have been looking for the difference for a while...

@aswetnatex

docker pull fusionauth/fusionauth-app:latest

If you see an error message like https://YOURFUSIONAUTHSERVER/en?error=invalid_request&error_reason=missing_code_challenge&[…]The+request+is+missing+a+required+parameter%3A+code_challenge

it is because you have required PKCE for your application, but have not provided those parameters when attempting a login/registration. The links that we autogenerate in the app will not have a code_challenge by design, because those are dynamic for each request.

You can learn more about PKCE and turning it off on the applications core concepts page.

@david said in Why doesn't the example flutter demo code from github work on Android?:

Hi all,

I've been following the tutorial for using FusionAuth in a flutter app here: https://fusionauth.io/blog/2020/11/23/securing-flutter-oauth

Using this code works perfectly in iOS, but doesn't work on my Android device (Google Pixel 6, Firefox browser).

So I tried downloading the sample project from https://github.com/FusionAuth/fusionauth-example-flutter-dart/, and substituting my own values for the FusionAuth domain, etc. Again, this works perfectly in iOS, but on Android I never get redirected back to the app.

There is some information here https://fusionauth.io/community/forum/topic/602/error-fusionauth-s-login-page-redirecting-issue-on-android/5 about creating an interstitial web page to complete the redirect to the app for Android devices. Is this really required? Or is there some step I'm missing here that will make this work for an Android app directly without needing to set up a special web page?

Thanks,

David

Hi David,

It sounds like you're dealing with a tricky issue with OAuth redirects on Android. Here are a few things you might consider:

Custom URL Scheme and Deep Links: Make sure your Flutter app is properly configured to handle custom URL schemes and deep links on Android. This setup is crucial for redirecting back to the app after authentication. Check your AndroidManifest.xml file to ensure it has the correct intent filters for handling your OAuth callback URL.

Browser Configuration: Sometimes, browser settings or extensions can interfere with OAuth redirects. Try testing with different browsers or clearing the browser cache and cookies on your Google Pixel 6.

Redirect URI Handling: Verify that the redirect URI configured in FusionAuth matches exactly with the one used in your app. Any mismatch can cause issues with the redirect process.

Interstitial Web Page: The information you found about creating an interstitial web page is a workaround that some developers use to handle OAuth redirects on Android. This page can help bridge the gap between the authentication provider and the app. However, it should not be necessary if the redirect is properly configured.

Logs and Debugging: Enable logging and check the logs for any errors or issues related to the OAuth flow. This can provide valuable insights into where the process might be failing.

If you’re still having trouble, you might want to consult the FusionAuth documentation or their community forum for additional support.

Good luck, and I hope you get this resolved soon!