@elliotdickison said in Awkward OAuth logout in mobile app:

@maciej-wisniowski We ended up going with your solution and it's working alright, thanks for that!

@robotdan One suggestion for you all: I found the naming of the "AllApplications" value for the application.oauthConfiguration.logoutBehavior setting a bit confusing. As far as I can tell all the "AllApplications" value it really means is "show the OAuth2 logout page". That page can be used to log out of all apps (that's the default template behavior), but it doesn't have to be used that way. Per the suggestion from @maciej-wisniowski we are using the page to log the user out of only one app and show a "successfully logged out" message. Maybe to avoid a breaking API change the value "OneApplication" could be added in addition to "AllApplications" and "RedirectOnly". That value could use the same OAuth 2 logout template but maybe set a variable that could be used to conditionally turn off the logout-of-all-apps behavior. Just a thought.

Thanks for the suggestion @elliotdickison - please do open a GH issue with this suggestion and how you'd like the logout to behave in your use case.

Nope, at this time it is all configured at the tenant, via the UI or API.

If you have specific needs, please file a github issue outlining your use case: https://github.com/fusionauth/fusionauth-issues/issues

@saleenajohn49 said in Clicked the regenerate key button on the reactor page:

A nuclear reactor produces and controls the release of energy from splitting the atoms of certain elements. In a nuclear power reactor, the energy released is used as heat to make steam to generate electricity. (In a research reactor the main purpose is to utilise the actual neutrons produced in the core. In most naval reactors, steam drives a turbine directly for propulsion.

Ha ha.. yep, that is pretty much how the FusionAuth Reactor works too. 😆

I think you missed to put FusionAuth Tenant ID.

In my case, I create a file called appConfig.json :

e89f0007-0a18-41d8-b184-5e820eafa09e-image.png

The file contains :

FusionAuth URL (where you deploy your FusionAuth app such as https://login.mywebsite.com) FusionAuth Tenant ID FusionAuth App ID FusionAuth Client Key

Afterwards, I create a new instance of FusionAuth like this (in another file):

d60fe095-14be-4a7e-85fb-44b49a68c462-image.png

I pass FusionAuth Tenant ID here as a parameter.

Hence, I can fire a login function like below :
a4eed8ff-1441-4f15-9a93-9123603c36c7-image.png

@aman

Glad, you got it working!

Remember that CORS is a powerful tool. It's best to keep it enabled, once you nail down your configuration.

Thanks,
Josh

The timeout is already really high (10 seconds). I can see in the logs of my webhook that I get a timeout in the api call to FusionAuth. It feels like a race condition.

Hi @jeff-lawry,

I might need some more context to better assist. Can you confirm:

What are you trying to accomplish? How/Who are you integrating with? What errors are you seeing (if any)? "SP that has required setting for IdP Cert" -> can you elaborate a bit on this and offer more context? Are you looking to set up FusionAuth as a SAML SP or a SAML IdP? Based on your question, it sounds like the latter, but want to confirm. "Also SP is looking for PrototypeName sent by FusionAuth" can you provide a bit more context here. I am not familiar with this property. Which configuration screens are you interacting with (if any) within FusionAuth Admin UI that you have questions about? Have you consulted any documentation from FusionAuth? If so, which pages? (so that I can better assist...).

Please let us know some additional details and we will do our best to assist.

Thanks,
Josh

@pmolaro

I think I understand now.

If you imported a few users, they should be given the option via UI to have the verification email sent to them again (if you are using the OAuth flows/hosted pages)

If you are not using the OAuth flows in Fusionauth (this seems to be true, based on what you said), then I think that you would need to offer the user the ability to now verify through this API
https://fusionauth.io/docs/v1/tech/apis/users/#resend-verification-email, which will return a verificationId

Also, there is a tutorial for email verification (the gating part is a paid feature) and we are developing one (very similar) for application registrations as well (the gating part is a paid feature).
https://fusionauth.io/docs/v1/tech/tutorials/gate-accounts-until-verified/

Let me know if that more gets at your question.

Thanks,
Josh

The team wrote a tutorial outlining how to rotate keys, including signing keys: https://fusionauth.io/docs/v1/tech/tutorials/key-rotation/

Hiya.

You can see the elasticsearch query if you expand advanced in the UI.

Because of the way that we tokenize the search string, it is likely that a query like user@example.com will match more than just the user with the email address you are entering.

If you want to match only the email address in the UI, the easiest way to do it is to preface the query with email:. So email:user@example.com.

Hope that helps.

I have encountered this error and managed to work out the following steps to get things working

FWIW I think this issue is the same as https://fusionauth.io/community/forum/topic/1098/registration-question-sendsetpassword-flow/7

I get the above error using the default Setup Password template which contains link with template http://localhost:9011/password/change/${changePasswordId}?client_id=${(application.oauthConfiguration.clientId)!''}&tenantId=${user.tenantId}

If I add redirect_uri=http://localhost:3000 then I end up being redirected to http://localhost:3000?error=invalid_request&error_reason=missing_response_type&error_description=The+request+is+missing+a+required+parameter:+response_type without ever setting a password.

Once I add response_type=code I now get to be able to set the password.

It looks like the /password/change endpoint actually jumps into the OIDC/OAuth flow after the password is set and my redirect URL gets a code (which I assume can be exchanged for a token), however as I am using ASP.NET 5 & the OpenIdConnect extensions the state parameter contains encrypted data that must be supplied so I have found it best to ignore the code and simply trigger the OIDC challenge which causes a redirect back to FusionAuth (with required state) which immediately redirects back to my API (as there is an open SSO session) and my login is complete.

It would be good if there was some documentation about the /password/change endpoint.

(I would also be open to suggestions about how I can cleanup the redirect magic I need to do to get this all working with ASP.NET but I realise that is probably out of scope of this question!)

And we've added this info to the Events/Webhooks documentation as well: https://fusionauth.io/docs/v1/tech/events-webhooks/events/

@michael-schramm can I reach you somewhere for a short discussion? Am also thinking about going for CockroachDB and have a couple questions. 😅

Hmmm.

The FusionAuth basic tier is not intended for any type of load testing. So that probably explains poor results.

The reason for this is that the service (with this tier) is running on a single AWS EC2 instance that is running FusionAuth, Elasticsearch and a PostgreSQL database. This means the node is very resource constrained, and attempting to run load tests on this type of system is not recommended. The numbers you get from this type of test will not be valuable to you in context of planning your production deployment.

If you do want to perform load testing, I would recommend you run FusionAuth on-premise using a more realistic production configuration, or upgrade to the High Availability hosting tier. You can spin up an HA instance, perform your load testing, and then tear it down. You'll only be charged for the time the HA instance is up and running.

If you cannot achieve your target request per second with a standard HA setup, you can upgrade from Medium, to Large, or even to X-Large if you need to obtain additional requests per second.

You also may be interested in this load testing guidance: https://fusionauth.io/docs/v1/tech/installation-guide/monitor/#load-testing

And this (dated) forum post: https://fusionauth.io/community/forum/topic/8/what-level-of-performance-can-we-expect-with-using-fusionauth-as-an-idp

@pleymor

Were you able to get this addressed or do you still need assistance?

Thanks
Josh

@alex

I was out of the office last week, but am looking at this now.

I would say that you would be best served by checking the event logs. The logs that you have displayed here are from the main application and may not show as much debug information as the events logs do (when the debug toggle is enabled in the specific IdP and/or lambda).

Regarding your other questions, I was able to make an advanced registration form with both an email and username input. Since Google does not return a username, FusionAuth will send you to a complete registration page and ask for a username. The unique username policy set on the tenant will ensure no username collisions.

Then my_user_name becomes appended by the unique user name constraint set on the tenant
b8d46e80-596d-4e32-8252-65a7a75c2ab3-image.png

re:

The user can merge accounts (including all application-specific data) by requesting a merge. The requested-of account would receive an e-mail notification asking permission to merge, which would be valid for a short/customizable period of time.

We don't have this functionality exactly but have an approximation. On this user, notice the linked accounts tab. You can remove externally linked accounts here as an admin. Additionally, if you set create a pending link, as your linking strategy (instead of link on email), you can have your user login with google and associate that google UUID to an existing FusionAuth user (or create a new user).

I am not sure if this fully addresses what you are asking. My encouragement would be to review the documentation that we just released around linking IdP accounts, linking strategies, etc.
https://fusionauth.io/docs/v1/tech/identity-providers/

Here for any further clarification needed 🙂

Thanks,
Josh

dac8d112-09f0-41b0-9fa5-9d47bbf40c0a-image.png

Thanks,
Josh
FusionAuth

Thanks for reporting this. The workaround is to remove the configuration from the SAML provider. I also tested it out and when SAML is enabled and you try to duplicate the app, you are presented with an error message.

I filed an issue about this: https://github.com/FusionAuth/fusionauth-issues/issues/1366

fusionauth.timezone is used to guess the user’s current timezone so we can adjust dates and times in the UI (admin).

fusionauth.remember-device records your answer to ’remember this computer` checkbox on the login page (so you won't be prompted for MFA on this device again).

@joshua That actually helps very much, thanks!

If you are running Advanced Threat Detection, you need at least 2GB of memory for each FusionAuth node.

Here's the system requirements: https://fusionauth.io/docs/v1/tech/installation-guide/system-requirements/ which document the 2GB requirement when using this feature.