This is possible today using a Google Reconcile Lambda. Our Lambdas allow arbitrary JavaScript to be executed during a login event. You can write logic to check the user's domain and assign them the appropriate role associated with the FusionAuth Application they're authenticating through.

Below is a code example demonstrating how you could implement such logic:

function reconcile(user, registration, idToken) { function extractDomain(email) { // Split the email address by '@' symbol var parts = email.split('@'); // Return the second part which represents the domain name return parts[1]; } // function to extract the email domain from the user object and stores in domain variable var domain = extractDomain(user.email); // Conditional statement checks domain for fusionauth.io and adds 'counsellor' role, if any other domain exist adds 'user' role if (domain === 'example.com') { registration.roles.push('teacher'); } else { registration.roles.push('user'); } //This is optional, but is good to have for debugging purposes. The results will be returned in the event logs. console.info(registration.roles); }

The best solution here would be to use entity management.

You can create an entity type of Session or similar.

Each time you have a user log in, you can create a Session and set the .data.session_identifier field to the value of the device fingerprint + business specific indicator, and store the access token as the value.

When you are trying to find whether a user has a valid session, you can use the Entity search APIs to find that key and get back the value. Or, if the value doesn't exist, the user has no valid session.

For expiration, you can use the access tokens exp claim (which means anything consuming it will have to check that, which it should anyway). You could also manage additional expiration metadata in the .data field if you needed different logic (you have 5 hour access on weekdays, 10 hours of access on weekends or something similar).

Note that you should be vary aware of the security implications of this scheme (for example, that the device fingerprinting is unique and that the access token is narrowly scoped enough that if it is somehow obtained by an attacker it can't be used to damage the system)

@dan said in logout questions:

've got a question about logout.
When logging in using the /oauth2/token route with the auth wordle code grant, it seems the /api/logout route does not revoke the refresh token.
Is intended? Is the best way to log out in this case is with the /ouath2/logout route? How does that know which user to log out? there's no user id or refresh token property in the body.

Regarding user identification during logout, the OAuth 2.0 specification doesn't define a standard logout endpoint. Logout processes are often application-specific, and the mechanism to identify the user being logged out might depend on the authentication framework or technology being used.

@jawaid-karim Are you setting all the headers mentioned here? https://fusionauth.io/docs/operate/deploy/proxy-setup

If you needed to, you could always build an API integration (the User Update API lets you reset passwords, or you could initiate a Change Password Request) into your application for a specific user.

@thomas-wojeck

Have you turned on the debug logs and looked in the event log? That's what I'd start doing to troubleshoot.

More here: https://fusionauth.io/docs/operate/troubleshooting/troubleshooting#enabling-debugging

@info-0 are you able to use our global one?

https://local.fusionauth.io/ will redirect to http://localhost:9011

If not a great option is to setup ngrok
https://fusionauth.io/docs/get-started/download-and-install/development/exposing-instance

ngrok http --request-header-add 'X-Forwarded-Port:443' 9011

@fusionauth-qhj5e I have brought this up internally, for now we are considering adding a PR to make it more clear for users.

https://github.com/FusionAuth/fusionauth-site/pull/2918

@ryan-hopper Thanks for sharing that info. Appreciate it!

@pradhanv88 it is documented here: https://fusionauth.io/docs/reference/configuration

But there is a bug with TLS in recent versions of FusionAuth: https://github.com/FusionAuth/fusionauth-issues/issues/2498

This is scheduled not for this release, but for the next one.

I was able to get this working with:

jdbc:postgresql://db:5432/mydb?currentSchema=auth

@renukamirihana Have you been through this page? https://fusionauth.io/docs/operate/deploy/proxy-setup

What message to you receive when the application goes to the unauthenticated path?

Are you attempting to enable users to log into your application using Google? Click Here for further details

@asenjowork Awesome, I'm glad you figured it out!

Hiya @youchuan990316 You should be able to do this using javascript. I'm not familiar with particular libraries or methods, but google has a number of options.

You can modify the Account two-factor enable theme page.

Hope this helps.

@harish_reddy Thanks for the feedback, we appreciate it. While I think it is unlikely we'd separate out those webhooks, you are welcome to add a GH issue with your feedback and we can see how others in the community feel about the topic.

@tiago Awesome!

Hiya @harish_reddy ,

That's a cool idea. We don't have any plans to do so right now.

@ronn316 Awesome, glad you got it the way you want it and thanks for sharing the update with the community!

@ccurtis Are you able to create the Administrator account?