This is a common issue, as there are a couple of prerequisite settings that you need to configure in order to get refresh tokens. When you are trying to get a refresh token and not seeing it, you should double check the following items:

you are passing a value of offline_access whenever a scope parameter is present. you have configured the application to generate refresh tokens if you are using OAuth, in the UI, it is in the OAuth tab; the field is Generate Refresh Tokens if you are using the Login API, it is in the Security tab under Login API Settings; the field is Generate Refresh Tokens. you are passing the client_id to the refresh grant request. This is required unless you are passing the Authorization header (which has the client_id in it). the user is registered to the application for which you are issuing a refresh token.

Yes.

To ensure compatibility, I would recommend keeping your client library in sync with the version of FusionAuth.

For example, if you have 1.21.0 installed, that would mean ensuring you use the 1.21.0 version of the Python client.

It sounds like you're asking if you can modify the issuer claim.

You can control the "Issuer", or iss claim, in two different ways:

You can set it in the tenant config, where it will apply for all JWTs issued for that tenant. You'd modify that by navigating to "Tenants", then your tenant, then "General". Modify the "Issuer" field value to be login.example.com. You can set it at the individual JWT level by modifying the JWT populate lambda. You would do this if you wanted to have a different issuer based on some information from the user or registration data. (This does not appear to be the case here, just including this for completeness.)

I'm not clear if you have more than one tenant in your system; if you do, you can either change the "Issuer" setting for the default tenant (which is what is provided when no tenantId is on the URL) or request the endpoint with a tenantId appended, like this:

https://login.example.com/.well-known/openid-configuration?tenantId=<tenantid>

Yup, you can check out our test script repo here: https://github.com/FusionAuth/fusionauth-import-scripts

You need to have ruby installed, but there's a script under testing in that directory that can import a large number of users (1M is the default).

Loading 1M users to a basic FusionAuth cloud instance in Europe over a home network connection took about 40 minutes.

If using the API, you should receive a 203 on Login once you attempt login with the correct password. Your application should check the status code and send the user to the appropriate place to change their password.

If using the hosted login pages, you should end up on the /password/change page after logging in.

That should work ok. The only reason not to do it this way - is because you’re sort of emulating the OAuth frontend’s usage of this API which in theory is subject to change.

Re: state, additional key value pairs will be stored, however if our front end is consuming the URL, you won’t have access to the API response which will contain that state information.

This seems like a bug. Please file it here: https://github.com/fusionauth/fusionauth-issues/issues

This partly depends upon if you host FusionAuth, or if you purchase FusionAuth Cloud. In most cases, updates will will be zero downtime, others may require an outage depending upon the type of db migration required.

You should always validate your JWT locally.

As outlined in this doc, you need to make sure, at a minimum, that the aud, roles, and iss claims are as expected, and that can only be done by looking at a JWT and examining those claims. If you use a library that supports JWKS, doing this should be super simple.

Note that the FusionAuth API endpoint validates JWTs at a basic level. It ensures that the JWT hasn't expired and that it was signed correctly.

The reasons to use the API endpoint are:

If you have an HMAC signed JWT and you don't want to share the secret with the JWT consumer If you have no JWT library that is available (whether because it hasn't been written, or you don't want to deploy it with your application) You are willing to accept a network call instead of loading up a such a library

Hiya @juan-sleiman . Sorry, that sounds frustrating. It's hard to know what is going on with the details you've provided. Did you figure it out? If not, please provide the following:

What you are trying to do, specific step by step of clicks you make, APIs you’ve called, configuration you have, things you’ve changed, etc. More information is better. For example, what you are seeing, specific panels in the UI, API status codes, errors, screenshots, etc. We want all of it. What you expected to see. Sometimes this is obvious, and sometimes it isn’t. Err on the side of over sharing. What you've tried already. Sometimes this can help us narrow down the issue more quickly. The version of FusionAuth you are using (this information is available on the admin screen in the lower left hand corner or in the startup logs). The number of FusionAuth nodes you are running in your deployment. Information about supporting infrastructure such as the database and elasticsearch, including the version and architecture (is the database local, cloud managed, etc). All FusionAuth log files you can provide. Please don't provide snippets because often the issue won't be in the snippet but somewhere else in the logs. Providing us with complete log files upfront helps us track down issues faster. And you'll avoid getting replies like "please send the complete log files". Of course, please remove any sensitive information from the log files.

Also, if you are running in production, we recommend buying support, as that has guaranteed response time. Pricing here.

I think you want to edit the email template directly.

Navigate to "Customizations -> "Email Templates" and find your template, and update that with the host.

Hiya,

This looks like a similar question: https://fusionauth.io/community/forum/topic/360/example-docs-for-fusionauth-integration-as-sso-front-end-to-nginx-proxied-apps

It looks like authelia is slightly different and has tighter integration with nginx, but no support for OIDC.

It looks like nginx works with OIDC, but only with NGINX plus (which I believe is the version that costs money?): https://github.com/nginxinc/nginx-openid-connect

If you want to integrate with OpenLDAP, you'd be looking buying a premium version of FusionAuth (Developer or above) because the community edition doesn't support LDAP integration. See the Connectors documentation for more.

We have an example plugin here for apache, I'm not super familiar with nginx, but maybe you could do something similar: https://github.com/FusionAuth/fusionauth-mod-authnz-external

Another alternative would be to see if the apps you have have OIDC/SAML integration and directly connect them with FusionAuth, though that doesn't provide the URL level endpoint protection you asked for (only application level).

@mgetka, as you previously said, the issue was mainly that I was not sending any state as a parameter.
Once that was done, I had another issue regarding unprotecting state, but it was eventually worked out. Thank you very much for the documentation which you sent me, it has been very useful!.

That's great to hear, glad you figured it out!

Hiya Steven,

Thanks for the details. I'm not aware of any example applications that have this workflow.

You could definitely do most of thisthis, but you'd be writing a lot of API glue code. You'd be creating identity providers and configuring managed domains to accomplish step 3.

The one thing that I know can't be done right now is creating an API key via the API. See https://github.com/FusionAuth/fusionauth-issues/issues/887 for more details about that.

Thanks for your feedback!

@richb201 You can't have more than one passwordless template per tenant.

There is a basic self service registration form you can use, but I'm not quite clear on what you are trying to do.

It sounds like you want two authentication forms.

for users, which requires them to provide their email and sends them a magic link to login for admins, which doesn't require any password at all

If that is the case, how does the system know who is an admin (is it a url they are coming from, an ip range, or something else)?

We just published a flutter tutorial that might be worth reading: https://fusionauth.io/blog/2020/11/23/securing-flutter-oauth/