FusionAuth
    • K

      Unsolved Using reconcile API to get access token for AzureAD OpenID Connect

      kushalborda1997 · 0 Votes · 2 Posts · 5.3k Views

      danD

      @kushalborda1997 Hiya,

      We recently updated the documentation to make it more clear you shouldn't use the /api/jwt/reconcile endpoint for any identity providers except the external JWT provider. We'll change the application to make the error message clearer; here's the tracking issue: https://github.com/FusionAuth/fusionauth-issues/issues/2074

      You should use the OIDC provider and the complete login endpoint. Here's documentation that should help: https://fusionauth.io/docs/v1/tech/apis/identity-providers/openid-connect#complete-an-openid-connect-login

      Hope that helps!

    • D

      Unsolved Registration email

      didier · 0 Votes · 2 Posts · 1.2k Views

      danD

      @didier I'm not sure I understand.

      You are saying you want to send the registration email yourself, not automatically with FusionAuth?

      (There are two possible verification emails. One is for a user creation, which verifies their email whenever someone creates a user, for any application. Another is for registration verification, which again checks their email but only when someone registers for a certain application.)

      If that is the case, use the skipVerification and skipRegistrationVerification settings if using the API. There are analogous settings in the admin UI as well.

      More documentation here: https://fusionauth.io/docs/v1/tech/apis/registrations#create-a-user-and-registration-combined

      and here: https://fusionauth.io/docs/v1/tech/core-concepts/applications#registration

      and here: https://fusionauth.io/docs/v1/tech/core-concepts/tenants#email

    • V

      Unsolved Refresh token revoked on logging in on multiple devices

      vindhyahegde2114 · 0 Votes · 6 Posts · 7.0k Views

      V

      @dan

      User logs in through authorization code grant flow

      Here are the refresh token settings for the application:

      e34e22da-b37b-41e6-8816-88b43a8cbddd-image.png

      FusionAuth version being used is 1.36.6

      Thanks,
      Vindhya

    • A

      Unsolved Zero downtime

      alison.rafaelc · 0 Votes · 2 Posts · 1.3k Views

      danD

      @alison-rafaelc Hi Alison,

      It depends on how you architect the FusionAuth system, but in our FusionAuth cloud system, we see downtime of seconds to minutes for system upgrades (depending on the number of users and the data being migrated). We get this by swapping out one node at a time, running in a 3+ node cluster. Some details here: https://fusionauth.io/docs/v1/tech/installation-guide/cloud#upgrade-duration

      Worth noting that you control when you do the upgrade, unlike a typical multi-tenant SaaS.

      We have a number of customers and community members with thousands of tenants and millions of users so the numbers you mention seem fine. I'm glad you were able to stand up a FusionAuth cluster and load test it.

      Zero downtime upgrades are something we've discussed internally and have a strategy for; it just hasn't made it onto the roadmap yet.

      If you'd like to have a discussion with a technical sales team about FusionAuth and SLAs, I'm happy to have someone reach out to you.

    • I

      Unsolved Use FusionAuth for Server Auth

      imapotato · 0 Votes · 2 Posts · 1.4k Views

      danD

      @imapotato Heya,

      FusionAuth isn't really an AD/LDAP replacement. It doesn't support older protocols like RADIUS, Kerberos or even LDAP fully.

      When we are talking about machine to machine communication, we are referring to the client credentials OAuth grant. You can read more about that in the links below:

      https://fusionauth.io/docs/v1/tech/oauth/#example-client-credentials-grant

      https://fusionauth.io/docs/v1/tech/core-concepts/entity-management

    • Q

      Solved Identity provider logout

      logout · quent · 0 Votes · 4 Posts · 3.9k Views

      danD

      @quent I understand your position, and we appreciate the feedback.

      Can you please create a GitHub issue linking to this forum post and with as much detail as you can provide (including, perhaps, sample logout URLs provided by IdPs you are interested in)?

      https://github.com/fusionauth/fusionauth-issues/issues

    • T

      Unsolved Is there any way to verify user as well as change its password with one API call?

      tsukhwani · 0 Votes · 2 Posts · 3.5k Views

      danD

      @tsukhwani Not that I know of. I don't think you can verify a user's registration via API.

      You should be able to use the Update User API to verify the user's email, though.

      From my reading of the docs, if you set skipVerification to true, it sets verified to true, and you can set the password at the same time.

    • F

      Unsolved In the dashboard, what are the blank applications?

      fred.fred · 0 Votes · 2 Posts · 1.9k Views

      danD

      @fred-fred If no application id is provided when using the Login API, then there is no application in the reporting, since FusionAuth doesn't know the application. I'm not sure if you are using the Login API, but people can authenticate without an application id.

      Here's more documentation about this issue: https://fusionauth.io/docs/v1/tech/core-concepts/authentication-authorization

    • T

      Solved Duplicate port number in Google IdP redirect

      trevorr · 0 Votes · 4 Posts · 2.2k Views

      H

      @trevorr said in Duplicate port number in Google IdP redirect:

      It appears I was running an old version locally (1.30.2). This issue has been fixed as of at least 1.41.2.

    • M

      Unsolved Connecting to FusionAuth as an OAuth2 in spring boot cloud gateway(webflux)

      mehdi.motrada · 0 Votes · 2 Posts · 1.4k Views

      danD

      @mehdi-motrada Have you worked through this tutorial: https://fusionauth.io/blog/2023/01/03/spring-and-fusionauth ?

    • V

      Identity Provider with no email?

      valentin.alt.raltchev99 · 0 Votes · 30 Posts · 99.2k Views

      T

      It looks like setting the email address in a lambda works for Facebook now (as of at least 1.41.2):

      if (!facebookUser.email) {
        user.email = facebookUser.id + '@no-email.facebook.com';
      }

      1/10/2023 10:10:33 PM Z Linking strategy [LinkByEmail]
      1/10/2023 10:10:33 PM Z Resolved email to []
      1/10/2023 10:10:33 PM Z Resolved username to [null]
      1/10/2023 10:10:33 PM Z Resolved unique Id to [115587478085870]
      1/10/2023 10:10:33 PM Z Identity provider returned a unique Id [115587478085870].
      1/10/2023 10:10:33 PM Z A link has not yet been established for this external user.
      1/10/2023 10:10:33 PM Z The user with the email address [] does not exist.
      1/10/2023 10:10:33 PM Z Invoke configured lambda with Id [787cd34e-1618-4cd9-8156-936734cfe368]
      1/10/2023 10:10:33 PM Z The lambda set or modified the initially resolved email. Email is now [115587478085870@no-email.facebook.com]
      1/10/2023 10:10:33 PM Z Creating user:
      1/10/2023 10:10:33 PM Z User is not registered for application with Id [e0da3f10-7efa-4a6b-95f8-fbf4894884b5]
      1/10/2023 10:10:33 PM Z User has successfully been reconciled and logged into FusionAuth.
      1/10/2023 10:10:33 PM Z Authentication type: FACEBOOK
      1/10/2023 10:10:33 PM Z Authentication state: Authenticated

    • danD

      Are there any disallowed characters in passwords?

      passwords · dan · 0 Votes · 3 Posts · 2.9k Views

      ?

      In the UI you can select "Special character" to require at least one special character. If anyone is looking to understand which characters will satisfy this requirement read on.

      If you view the tooltip or the API - you’ll see the configuration is actually for non-alpha-numeric.

      https://fusionauth.io/docs/v1/tech/apis/tenants#create-a-tenant

      tenant.passwordValidationRules.requireNonAlpha
      Whether to force the user to use at least one non-alphanumeric character.

      So instead of limiting this to a specific set of special characters, we allow it to be any character that is not a Unicode alphabetic and not a digit. In this way, we do not artificially limit the entropy of the password by saying you must use one or more characters from a finite set of "special characters" as you may be used to seeing on some login forms.

    • C

      How to change port no. 9011 (FusionAuth) to 80 or any port like 443? Is it possible?

      coolkumarsuman · 0 Votes · 7 Posts · 5.6k Views

      C

      this section for localhost

      server {
          listen 80;
          server_name YOURSITENAME.COM;

          location / {
              proxy_pass http://127.0.0.1:9011;
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
          }
      }
      #######################################################################

      this section for https (ssl)

      server {
          listen 443 ssl http2;
          listen [::]:443 ssl http2;
          server_name YOURSITENAME.COM;

          location / {
              proxy_pass http://127.0.0.1:9011;
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
          }
      }

    • C

      Unsolved Blazor WebAssembly standalone app Auth Failing

      chris.christensen · 0 Votes · 2 Posts · 1.9k Views

      C

      @chris-christensen

      Update

      I got the login working. In the application, I changed Client Authentication to Not required when using PKCE and I changed PKCE to Required. I also made sure all of my authorized URLs were set to https://

      I'm still getting the X-Frame-Option DENY in my console. The login process takes a long time to resolve, like 10 seconds or so and I think it's tied to the x-frame-option issue. I'm guessing, but maybe this has to do with the FusionAuth server running on http:// but I'm not sure.

      Auth-wise, the only issue I have now is when I try to log out.

      http://localhost:9011/oauth2/logout?id_token_hint=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImd0eSI6WyJhdXRob3JpemF0aW9uX2NvZGUiXSwia2lkIjoiNjgzODU2OTEtODJiOC00OGI4LTlhNWEtNTdjYTRkMDE3ODg2In0.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.txThGC0wAm7eMDEQpaUAMUWSncqvCXuR9mjBnDEhT2Q&post_logout_redirect_uri=https%3A%2F%2Flocalhost%3A7075%2Fauthentication%2Flogout-callback&state=aa54fe461a4044a4945d3b6a60c3e571

      Responds with:

      {
        "error" : "invalid_request",
        "error_description" : "The post_logout_redirect_uri is invalid.",
        "error_reason" : "invalid_post_logout_redirect_uri"
      }

      But the post logout redirect uri is a copy/paste of what I'm using in my Blazor config and it's https://

      Any idea why this is having an issue with the logout?

    • T

      No downtime upgrades?

      trevorr · 0 Votes · 6 Posts · 3.2k Views

      danD

      We've added some documentation about no downtime upgrades in FusionAuth cloud: https://fusionauth.io/docs/v1/tech/installation-guide/cloud#upgrade-duration

      If you are self-hosting, we recommend running in a cluster and you should be able to have upgrade downtime similar to what FusionAuth cloud has.

    • J

      Solved Pending link with manual completion

      justing · 1 Votes · 7 Posts · 3.2k Views

      J

      @dan Thanks for the help, I was able to get it working.

      If it helps anyone else, my problem was misunderstanding how to properly do custom login/linking. I was trying to get FusionAuth to acquire the authorization code from the third-party provider and then return it to my code, where I would call further API functions. Everything works fine now that I acquire the authorization code directly and pass it to the FusionAuth API calls.

    • L

      Unsolved Google IdP get Organization info and Picture profile

      leandro.menagonzalez · 0 Votes · 2 Posts · 2.3k Views

      danD

      @leandro-menagonzalez So it sounds like you are seeing the consents being granted in the Google process, which should make it available in the reconcile lambda, but you are not seeing the value in the reconcile lambda?

      https://fusionauth.io/docs/v1/tech/lambdas/google-reconcile

      There are two options I'd explore:

      Using the OIDC identity provider, which gives you more flexibility and possibly more information. In particular, you get both the access and id token: https://fusionauth.io/docs/v1/tech/lambdas/openid-connect-response-reconcile

      Using Lambda HTTP Connect (a paid feature) to make a call to the Google APIs to request additional information from within your lambda. You can learn more about that here: https://fusionauth.io/docs/v1/tech/lambdas/#using-lambda-http-connect

      Hope that helps.

    • S

      Unsolved Communicating with all registered Applications under a tenant using same access token

      suryateja.a16 0 · 0 Votes · 2 Posts · 761 Views

      danD

      @suryateja-a16-0 You should be able to add multiple applications to your access token using a JWT populate lambda: https://fusionauth.io/docs/v1/tech/lambdas/jwt-populate

      You can examine the user and see all the applications to which they are registered and add those all to the aud claim.

      Hope that helps.