@owen-melbourne If you are using FusionAuth Cloud and see this, please open a support ticket.

@johnanisere

I'm not quite sure what you are asking for. Are you using FusionAuth hosted login pages? If so, the 'sign in/sign up with google' button should be present for any FusionAuth application you've configured it for.

If you are not, you are responsible for starting off the sign in/sign up process on your own and then calling the 'complete login' API as documented here: https://fusionauth.io/docs/v1/tech/apis/identity-providers/google#complete-the-google-login

Which approach are you taking?

@dan yes seems it is still not working ... Thank you

No. Our cloud is a fully managed system, so you shouldn't care about the underlying technology.

It isn't built with Kubernetes so when we launch a deployment in it, it's constructed using a different approach.

If you want to run FusionAuth with kubernetes, that is supported, but you must self-host. More details here: https://fusionauth.io/docs/v1/tech/installation-guide/kubernetes/

@pyroseza

So it sounds like you're trying to figure out a way to know when FusionAuth has completed startup.

The webhook is one way to do that. As you said, you can set up a kickstart event webhook within a kickstart file.

Another way is to poll for a known value, such as a non-default tenant that you know your setup has added. That may be a simpler solution for you.

Either way, you'll have to write some code to kick off the testing once you receive a signal that FusionAuth is ready.

I personally would have preferred if there was an API endpoint I could query is to whether or not the kickstart has completed successfully, but instead we were given a webhook and I'm not quite sure how I should be using it.

You'll need to write a webhook receiver that will kick off your tests (or whatever the next step of your testing setup is). I'm not quite sure how do that in one github action, but it should be pretty easy to split up a github action into two actions, a setup one (where you set everything up, including FusionAuth) and a test action (which you kick off in response to the FusionAuth webhook firing).

I think you'd want the workflow_call event: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_call

@dan

I actually got the issue resolved, I had the PKCE configured as "Not Required". After I changed that to "Required" the flow worked as expected.

Thanks.

@gokul-mahajan20 I think you can find examples here: https://github.com/FusionAuth/fusionauth-jwt/#sign-and-encode-a-jwt-using-hmac

@lambert-torres I'd recommend using a webhook, probably this one: https://fusionauth.io/docs/v1/tech/events-webhooks/events/user-registration-create-complete and then in the webhook receiver, calling the API to add them to a group.

There is no built in support for this functionality.

@flaviofdiez

Thanks for sharing your thoughts.

If you want to mark a user inactive, you can do a soft delete on that user: https://fusionauth.io/docs/v1/tech/apis/users#delete-a-user

Then you can re-activate them: https://fusionauth.io/docs/v1/tech/apis/users#reactivate-a-user

I'm not sure what you mean by expired? That seems like a construct you are creating yourself?

If you want to apply a time based attribute to a user, you could use user actions: https://fusionauth.io/docs/v1/tech/apis/actioning-users which let you apply an action to a user, which can be for a limited period of time or forever (until you remove it). There's some support in the admin UI for applying user actions.

HTH.

@oliver

For the sake of data consistency I would like to keep it unverified in FusionAuth until we have verified user in our back-end and called the FusionAuth verification API.

Not possible right now. Please feel free to file an issue about this.

An alternative is to create your own verified flag in user.data and manage it manually.

@luis-b said in Login in to the same application from different domains:

While this does not seem unexpected, is undesirable for us at the moment. Is there a way to support independent login for our two domains without creating a new application?

A new application is probably the most straightforward solution here. What you are running into is that FusionAuth sees the user is already logged in in the second case (when you visit with the redirect_uri of test-web-app...) and so doesn't require you to authenticate again.

We often see people use different tenants or even instances for different environments (dev, test, prod) which resolves this issue.

@sujata-kattimani

re #1: If you are talking about functionality, the answer is no. The difference between self-hosted and cloud editions is the operational and availability burdens. In the former case, it is on you and your team, in the latter it is on FusionAuth's team.

re #2: yes, they are equivalent at similar editions. So if you have community edition, it is the same code in both the cloud and the self-hosted situations (for both validating the id token and anything else). Same is true for starter, essentials or enterprise.

Hope this helps.

@falk-jaeger
I figured out where to configure the 'Forgot Password Feature. You have to set a template to the 'Forgot Password' Field in the Email settings of the Tennant.

44545473-38b0-41a8-a6ab-e581c7bd04b2-image.png

SOLVED

The go client doesn't return the headers from the HTTP response when it calls the fusionauth APIs.
Workaround is to call the /api/login API yourself, extract the headers and set "Set-Cookie" headers yourself.

In subsequent attempts I became aware that there were CORS errors preventing the "Add Section" action from being submitted to the FA instance. I meant to post an update this morning but I have been neck deep in a bug hunt for two days.

We added a few permitted domains into CORS and the "Add Section" action functions as expected again.

Thank you for your response, feel free to remove this post

One recommendation is to use the User Search API to gather all users for a specific Application

For example,

curl --request POST \ --url https://local.fusionauth.io/api/user/search \ --header 'Authorization: <YOUR_API_KEY>' \ --header 'Content-Type: application/json' \ --data '{ "search": { "numberOfResults": 50, "query": "{\"bool\":{\"must\":[{\"nested\":{\"path\":\"registrations\",\"query\":{\"bool\":{\"must\":[{\"match\":{\"registrations.applicationId\":\"<YOUR_APPLICATION_UUID>\"}}]}}}}]}}", "startRow": 0 } }'

Returns all the users that belong to a applciation Id using the query parameter. More information can be found in our documentation below.

https://fusionauth.io/docs/v1/tech/apis/users/#elasticsearch-search-engine

Accessing the Admin UI > Users > Search Box > Advanced > Show ElasticSearch Query Can also reveal prebuilt queries that you can run against users via API (move the toggles to observe how the query will change over time).

@abhishek

You are correct, right now there is no way to get a group name in a JWT in a straightforward manner. This is an open issue: https://github.com/FusionAuth/fusionauth-issues/issues/229 but this will most likely be resolved when https://github.com/FusionAuth/fusionauth-issues/issues/267 gets delivered (no firm timeline on that, sorry).

Options:

you could put the group name in the user.data field and put it into the JWT using a JWT populate lamba. If you are moving users in and out of groups regularly, this could be scripted, but may be a bit of a maintenance issue. assign users to a group in FusionAuth. Assign that group a role with the same name. Then you'll have access to the role in the populate JWT lambda. This seems the most straightforward to me. Note that a user only gets a role assigned to a group in FusionAuth if the user is registered for the application and is a member of a group with a role for that application.

Update: Turns out that the fusionauth/fusionauth-client libary does not seem to have support for specifying a tenantId field.

I rewrote my backend to use PHP's native cURL implementation and am back in business.

@johnmiller I do not believe that is supported. We only support text and HTML templates, not attachments.

You could include a link in your template to the file. Perhaps that will solve your problem.

If it doesn't, please add a feature request detailing your use case: https://github.com/fusionauth/fusionauth-issues/issues

@jan-meznik If there are other headers you need to set that are not supported, please file a github issue with the details: https://github.com/fusionauth/fusionauth-issues/issues