I have absolutely the same problem.
Installation on Windows 10.

Hi @chrissmueller328,

You will want to review our linking strategies. When this occurs, oftentimes, this is due to custom mapping needed (you can see this in our discord doc).

https://fusionauth.io/docs/v1/tech/identity-providers/#linking-strategy-examples

The event log is another great place to look to see how your user is or is not being linked/created.

You can also look at our doc for discord as an IDP

https://fusionauth.io/docs/v1/tech/identity-providers/openid-connect/discord

Hope this helps!
Josh

No, you cannot.

However, it is worth diving a bit more into the use of the word "application", which is overloaded.

There is:

your application, represented by a webapp or code or a third party app your application configuration, stored in FusionAuth

Application configurations cannot span tenants. They are scoped to the tenant. However, if you need to have the same config (redirect urls, client ids, etc), you could script it.

FusionAuth does not use either ADAL or MSAL directly. What FusionAuth does allow for is integration using OIDC, SAML, or custom logic with a connector. Essentially, FusionAuth can act as the Service Provider deferring authentication decisions to an external source via these protocols.

It appears that MSAL integrates with the OIDC specification, based on a quick read of their documentation, so you may want to consider using an OIDC Identity provider here.

https://fusionauth.io/docs/v1/tech/apis/identity-providers/

Another option is to use connectors. With connectors, you can write your own custom integration logic to validate auth against an external source (be it MSAL, ADAL, or something else). Our documentation here covers examples and some of the differences from an Identity Provider.

https://fusionauth.io/docs/v1/tech/apis/connectors/

@alan-wood Hmmm.

First, thanks for filing the issue. I appreciate it.

but there is no call when the one-time JWT refresh token is "re-used".

Second, I'm pretty sure the webhook idea will work. Here's my thoughts:

User 123 logs in, gets refresh token A Use refresh token to get a new (access token, refresh token) pair System catches jwt refresh event and records token A for this user (so the userId 123, token A pair). It generates token B. Use refresh token A again to attempt to get a new pair, this fails [so far so good] The webhook should fire again and records that token A was used again (by looking up the refresh token value in the pair). Uh-oh! Fire off an event to revoke all refresh tokens for the user 123: https://fusionauth.io/docs/v1/tech/apis/jwt#revoke-refresh-tokens Using refresh token B will fail, because all refresh tokens are revoked.

Have you tried this approach? What am I missing?

@sujata-kattimani No limits.

Here's a list of FusionAuth limits: https://fusionauth.io/docs/v1/tech/reference/limitations

From the "What's not limited" section:

All other objects and configuration, including but not limited to the following, are limited only by the resources of your system: Users Applications Tenants Roles Groups Identity Providers such as SAML or OIDC connections API keys to allow for programmatic configuration of and interaction with FusionAuth Supported languages/locales Signing and verifying keys MFA methods per user

You are, of course, limited by your resources. If you try to load 100M users into a FusionAuth instance running in 256M of RAM, there's no guarantees the server won't fall over.

Also, if you are using the Starter license, you have a limit on MAUs. But for all other editions, no limits on users.

@dan I have filed an issue here: https://github.com/FusionAuth/fusionauth-issues/issues/1627

BTW I have successfully implemented Facebook social login using Complete Facebook Login api which is actually the same endpoint/api as of Complete google login but with a different identity provider value. It's quite a weird behavior that that api is working with facebook but not with google. 😞

Could you guys please take a look over it? Or I am missing something in case of google login if it needs some configuration.

The doc should be updated now, @sh

Sorry about that!

Fixed the problem on my own, for everyone running into this problem too. Check your redirect uri in config.js and your fusionauth dashboard.

In my case I got redirected to:

http://login.ruffyg.de/oauth-callback?...........

but of course it has to redirect to my express server which is on port 9000 so:

http://login.ruffyg.de:9000/oauth-callback?...........

@dan Sorry I didn't get a notification that you'd replied, so my apologies that I didn't see that sooner. I'll try moving to the latest version to see if that helps before reporting back.

When I changed the user's password manually in FA (change on next login was still enabled), it then allowed the password to be changed properly via the API without any Trust Token.

@agbichpuriya

The private RSA key should not be present in your JWT. The public key should not be present either, but a kid should be present in the header identifying the public/private keypair that was used to sign the JWT.

Please share a sample JWT with this issue.

@sswami Thanks!

Please file a feature request here: https://github.com/fusionauth/fusionauth-issues/issues outlining your use case. We love community feature requests and weigh community support (in terms of upvotes) when considering future work.

Here's our general roadmap guidance: https://fusionauth.io/docs/v1/tech/core-concepts/roadmap