@quent Can you tell us more about your integration?

The way that the logout from all applications works is it creates multiple iframes with the source of each iframe as the logout URL.

Is the logout URL of the second being called at all (if you look at the request log)?

What browser are you using?

What version of FusionAuth are you using?

Are you testing in a remote environment or on localhost?

It is working now, had some issue on my side 🙂

I have absolutely the same problem.
Installation on Windows 10.

Hi @chrissmueller328,

You will want to review our linking strategies. When this occurs, oftentimes, this is due to custom mapping needed (you can see this in our discord doc).

https://fusionauth.io/docs/v1/tech/identity-providers/#linking-strategy-examples

The event log is another great place to look to see how your user is or is not being linked/created.

You can also look at our doc for discord as an IDP

https://fusionauth.io/docs/v1/tech/identity-providers/openid-connect/discord

Hope this helps!
Josh

No, you cannot.

However, it is worth diving a bit more into the use of the word "application", which is overloaded.

There is:

your application, represented by a webapp or code or a third party app your application configuration, stored in FusionAuth

Application configurations cannot span tenants. They are scoped to the tenant. However, if you need to have the same config (redirect urls, client ids, etc), you could script it.

FusionAuth does not use either ADAL or MSAL directly. What FusionAuth does allow for is integration using OIDC, SAML, or custom logic with a connector. Essentially, FusionAuth can act as the Service Provider deferring authentication decisions to an external source via these protocols.

It appears that MSAL integrates with the OIDC specification, based on a quick read of their documentation, so you may want to consider using an OIDC Identity provider here.

https://fusionauth.io/docs/v1/tech/apis/identity-providers/

Another option is to use connectors. With connectors, you can write your own custom integration logic to validate auth against an external source (be it MSAL, ADAL, or something else). Our documentation here covers examples and some of the differences from an Identity Provider.

https://fusionauth.io/docs/v1/tech/apis/connectors/

@alan-wood Hmmm.

First, thanks for filing the issue. I appreciate it.

but there is no call when the one-time JWT refresh token is "re-used".

Second, I'm pretty sure the webhook idea will work. Here's my thoughts:

User 123 logs in, gets refresh token A Use refresh token to get a new (access token, refresh token) pair System catches jwt refresh event and records token A for this user (so the userId 123, token A pair). It generates token B. Use refresh token A again to attempt to get a new pair, this fails [so far so good] The webhook should fire again and records that token A was used again (by looking up the refresh token value in the pair). Uh-oh! Fire off an event to revoke all refresh tokens for the user 123: https://fusionauth.io/docs/v1/tech/apis/jwt#revoke-refresh-tokens Using refresh token B will fail, because all refresh tokens are revoked.

Have you tried this approach? What am I missing?