@luis-b said in Login in to the same application from different domains:

While this does not seem unexpected, is undesirable for us at the moment. Is there a way to support independent login for our two domains without creating a new application?

A new application is probably the most straightforward solution here. What you are running into is that FusionAuth sees the user is already logged in in the second case (when you visit with the redirect_uri of test-web-app...) and so doesn't require you to authenticate again.

We often see people use different tenants or even instances for different environments (dev, test, prod) which resolves this issue.

@sujata-kattimani

re #1: If you are talking about functionality, the answer is no. The difference between self-hosted and cloud editions is the operational and availability burdens. In the former case, it is on you and your team, in the latter it is on FusionAuth's team.

re #2: yes, they are equivalent at similar editions. So if you have community edition, it is the same code in both the cloud and the self-hosted situations (for both validating the id token and anything else). Same is true for starter, essentials or enterprise.

Hope this helps.

@falk-jaeger
I figured out where to configure the 'Forgot Password Feature. You have to set a template to the 'Forgot Password' Field in the Email settings of the Tennant.

44545473-38b0-41a8-a6ab-e581c7bd04b2-image.png

SOLVED

The go client doesn't return the headers from the HTTP response when it calls the fusionauth APIs.
Workaround is to call the /api/login API yourself, extract the headers and set "Set-Cookie" headers yourself.

In subsequent attempts I became aware that there were CORS errors preventing the "Add Section" action from being submitted to the FA instance. I meant to post an update this morning but I have been neck deep in a bug hunt for two days.

We added a few permitted domains into CORS and the "Add Section" action functions as expected again.

Thank you for your response, feel free to remove this post

One recommendation is to use the User Search API to gather all users for a specific Application

For example,

curl --request POST \ --url https://local.fusionauth.io/api/user/search \ --header 'Authorization: <YOUR_API_KEY>' \ --header 'Content-Type: application/json' \ --data '{ "search": { "numberOfResults": 50, "query": "{\"bool\":{\"must\":[{\"nested\":{\"path\":\"registrations\",\"query\":{\"bool\":{\"must\":[{\"match\":{\"registrations.applicationId\":\"<YOUR_APPLICATION_UUID>\"}}]}}}}]}}", "startRow": 0 } }'

Returns all the users that belong to a applciation Id using the query parameter. More information can be found in our documentation below.

https://fusionauth.io/docs/v1/tech/apis/users/#elasticsearch-search-engine

Accessing the Admin UI > Users > Search Box > Advanced > Show ElasticSearch Query Can also reveal prebuilt queries that you can run against users via API (move the toggles to observe how the query will change over time).

@abhishek

You are correct, right now there is no way to get a group name in a JWT in a straightforward manner. This is an open issue: https://github.com/FusionAuth/fusionauth-issues/issues/229 but this will most likely be resolved when https://github.com/FusionAuth/fusionauth-issues/issues/267 gets delivered (no firm timeline on that, sorry).

Options:

you could put the group name in the user.data field and put it into the JWT using a JWT populate lamba. If you are moving users in and out of groups regularly, this could be scripted, but may be a bit of a maintenance issue. assign users to a group in FusionAuth. Assign that group a role with the same name. Then you'll have access to the role in the populate JWT lambda. This seems the most straightforward to me. Note that a user only gets a role assigned to a group in FusionAuth if the user is registered for the application and is a member of a group with a role for that application.

Update: Turns out that the fusionauth/fusionauth-client libary does not seem to have support for specifying a tenantId field.

I rewrote my backend to use PHP's native cURL implementation and am back in business.

@johnmiller I do not believe that is supported. We only support text and HTML templates, not attachments.

You could include a link in your template to the file. Perhaps that will solve your problem.

If it doesn't, please add a feature request detailing your use case: https://github.com/fusionauth/fusionauth-issues/issues

@jan-meznik If there are other headers you need to set that are not supported, please file a github issue with the details: https://github.com/fusionauth/fusionauth-issues/issues

Hi @joshua,

Thank you for your reply! I will reach out to sales@fusionauth.io for additional assistance.

@nicholas-tsaoucis

Glad you figured this out!

Thanks,
Josh
FusionAuth

You should be able to return the two factor JSON as documented in the user response object. Have you tried doing that?

user.twoFactor.methods[x].authenticator.algorithm and others.

@minhngocnguyenduy Glad you found a solution!

@hanumant-sidraya

Do you mean you want to deactivate all users who were authenticating with a given connector? This is not a typical use case, so you'll need to write some code to do this.

If so, then I'd script the removal of the connector and at the same time mark all users associated with that connector as inactive (or you could hard delete them if you want).

The connectorId is not one of the searchable attributes for users, so the easiest way to do this would be to have your custom connector set an attribute on the user.data field, something like user.data.authDataSource = clientXYZ or similar.

Then you could query for all users with that user.data value and deactivate or delete them.

Hope that helps.

Thanks for sharing this! I'm glad you figured it out. I'll add a note to the sample application pointing to this forum post.

Hi both @aj-merts @wernervdwath

If I put this in my browser

http://savant.inversoft.org/com/mysql/mysql-connector-java/8.0.12/mysql-connector-java-8.0.12.jar

or

https://savant.inversoft.org/com/mysql/mysql-connector-java/8.0.12/mysql-connector-java-8.0.12.jar

I am able to download this jar.

Can you confirm this is still an active issue for you? If so, error logs or additional configuration info may be useful in debugging.

Thanks,
Josh

@patrick

Perfect 👌

@hanumant-sidraya,

I would have to test this, but I believe that FusionAuth defers to the source of record for MFA. So if the user is connecting through an LDAP connector, if LDAP says that the user should have an SMS factor, then this will be their MFA method.

You can find more about our connectors in our documentation below:

https://fusionauth.io/docs/v1/tech/connectors/

Hope this helps!

Thanks,
Josh

@ali-sch

It is specified on the Connectors page that all connectors are a paid edition feature, but it should be clear on the pricing page as well.

Sorry about that oversight! We'll update the pricing page.

If you are interested in kicking the tires to see if connectors will solve your problem, please either contact us to chat with a sales rep, who can set you up with a trial, or sign up for a two week trial of developer edition on that pricing page. You'll have to provide a credit card, but can cancel any time in the first two weeks at no charge.