FusionAuth does not use either ADAL or MSAL directly. What FusionAuth does allow for is integration using OIDC, SAML, or custom logic with a connector. Essentially, FusionAuth can act as the Service Provider deferring authentication decisions to an external source via these protocols.

It appears that MSAL integrates with the OIDC specification, based on a quick read of their documentation, so you may want to consider using an OIDC Identity provider here.

https://fusionauth.io/docs/v1/tech/apis/identity-providers/

Another option is to use connectors. With connectors, you can write your own custom integration logic to validate auth against an external source (be it MSAL, ADAL, or something else). Our documentation here covers examples and some of the differences from an Identity Provider.

https://fusionauth.io/docs/v1/tech/apis/connectors/

@alan-wood Hmmm.

First, thanks for filing the issue. I appreciate it.

but there is no call when the one-time JWT refresh token is "re-used".

Second, I'm pretty sure the webhook idea will work. Here's my thoughts:

User 123 logs in, gets refresh token A Use refresh token to get a new (access token, refresh token) pair System catches jwt refresh event and records token A for this user (so the userId 123, token A pair). It generates token B. Use refresh token A again to attempt to get a new pair, this fails [so far so good] The webhook should fire again and records that token A was used again (by looking up the refresh token value in the pair). Uh-oh! Fire off an event to revoke all refresh tokens for the user 123: https://fusionauth.io/docs/v1/tech/apis/jwt#revoke-refresh-tokens Using refresh token B will fail, because all refresh tokens are revoked.

Have you tried this approach? What am I missing?

@sujata-kattimani No limits.

Here's a list of FusionAuth limits: https://fusionauth.io/docs/v1/tech/reference/limitations

From the "What's not limited" section:

All other objects and configuration, including but not limited to the following, are limited only by the resources of your system: Users Applications Tenants Roles Groups Identity Providers such as SAML or OIDC connections API keys to allow for programmatic configuration of and interaction with FusionAuth Supported languages/locales Signing and verifying keys MFA methods per user

You are, of course, limited by your resources. If you try to load 100M users into a FusionAuth instance running in 256M of RAM, there's no guarantees the server won't fall over.

Also, if you are using the Starter license, you have a limit on MAUs. But for all other editions, no limits on users.

@dan I have filed an issue here: https://github.com/FusionAuth/fusionauth-issues/issues/1627

BTW I have successfully implemented Facebook social login using Complete Facebook Login api which is actually the same endpoint/api as of Complete google login but with a different identity provider value. It's quite a weird behavior that that api is working with facebook but not with google. 😞

Could you guys please take a look over it? Or I am missing something in case of google login if it needs some configuration.

The doc should be updated now, @sh

Sorry about that!

Fixed the problem on my own, for everyone running into this problem too. Check your redirect uri in config.js and your fusionauth dashboard.

In my case I got redirected to:

http://login.ruffyg.de/oauth-callback?...........

but of course it has to redirect to my express server which is on port 9000 so:

http://login.ruffyg.de:9000/oauth-callback?...........

@dan Sorry I didn't get a notification that you'd replied, so my apologies that I didn't see that sooner. I'll try moving to the latest version to see if that helps before reporting back.

When I changed the user's password manually in FA (change on next login was still enabled), it then allowed the password to be changed properly via the API without any Trust Token.

@agbichpuriya

The private RSA key should not be present in your JWT. The public key should not be present either, but a kid should be present in the header identifying the public/private keypair that was used to sign the JWT.

Please share a sample JWT with this issue.

@sswami Thanks!

Please file a feature request here: https://github.com/fusionauth/fusionauth-issues/issues outlining your use case. We love community feature requests and weigh community support (in terms of upvotes) when considering future work.

Here's our general roadmap guidance: https://fusionauth.io/docs/v1/tech/core-concepts/roadmap

@owen-melbourne If you are using FusionAuth Cloud and see this, please open a support ticket.

@johnanisere

I'm not quite sure what you are asking for. Are you using FusionAuth hosted login pages? If so, the 'sign in/sign up with google' button should be present for any FusionAuth application you've configured it for.

If you are not, you are responsible for starting off the sign in/sign up process on your own and then calling the 'complete login' API as documented here: https://fusionauth.io/docs/v1/tech/apis/identity-providers/google#complete-the-google-login

Which approach are you taking?

@dan yes seems it is still not working ... Thank you

No. Our cloud is a fully managed system, so you shouldn't care about the underlying technology.

It isn't built with Kubernetes so when we launch a deployment in it, it's constructed using a different approach.

If you want to run FusionAuth with kubernetes, that is supported, but you must self-host. More details here: https://fusionauth.io/docs/v1/tech/installation-guide/kubernetes/