@stefan-0 Are you getting the user-id from the Retrieve a Link API call? That can tell me if you are making the API call successfully. I may be missing something, but I think the Retrieve a Link returns information about the Identity Provider. I don't think that will get you the token. Am I missing something? You may want to take a look at Complete an OpenID Connect Login.
-
RE: Azure AD token absent in link API response
-
RE: Is it possible to add a custom identity provider or modify OpenID Connect?
@adam-rahman I heard back from TikTok. Not a very detailed response, but pretty clear they are not going to change anything.
"Thank you for reaching out to TikTok for Developers Support. I'm sorry that this can't be changed at present."
For now, I will continue to push the issue internally. If there is progress, we will update the Github issue.
-
RE: Client secret hashed in source identity provider
No perfect options, but a few workarounds are possible:
- a connector-like proxy which would intercept Client Credentials requests from their customers and use business logic to validate the client secret against the stored Duende hash.
- stand up a simple proxy in front of Duende that logs the plaintext client secrets for a period of time before migration (protect these logs of course)
- go to each client and ask them to use a new FusionAuth-specific client secret (analogous to resetting user passwords)
More details on the first option. It requires these steps/prereqs:
FusionAuth Entities Setup
- The customer should create new FusionAuth Entities that correlate to the Client ID of all APIs and services currently associated with Duende. For now, let FusionAuth generate a random Client Secret.
- Custom Attribute for Migration: Store a custom attribute such as migration: false on entity.data for all newly created Entities.
Migration Steps
- API/Service Requests Token: The API or service calls Duende's token endpoint.
- Proxy Interception: The customer's proxy intercepts the client credentials request and searches FusionAuth Entities to find the matching Entity by Client ID.
- Migration Check: Use an if/else logic to check if migration: false exists for this client ID. If so, the proxy service proceeds with the client credentials request to Duende using the Client ID and Secret (in plain text).
- JWT Validation: If Duende responds with a JWT, this confirms the Client Secret is correct. The proxy service discards Duende's JWT and then calls the Entity API to update the correct Client Secret and set migration: true on the entity.data object.
- Complete Migration: The proxy service calls FusionAuth's token endpoint to complete the Client Credentials grant. The proxy service then returns a JWT to the end customer's API/service, and migration is complete.
Which of these makes sense depends on how many clients you have, your dev team's bandwidth, and your security posture.
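The first workaround above, the interception proxy, as an added example that is not part of the original post and not FusionAuth's or Duende's own code. The Duende token endpoint and the FusionAuth Entity API and token endpoint are replaced by in-memory stand-ins so the migration logic runs offline; the SHA-256 hashing in the Duende stand-in, the client id "api-a", the secrets and the JWT strings are all constructed placeholders. What it shows is the state machine from the steps above: an unmigrated entity is only updated after Duende has proven the plaintext secret by issuing a JWT, a wrong secret leaves the entity untouched, and once the migration flag is set Duende is never consulted again.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Entity:
    """Minimal stand-in for a FusionAuth Entity: client id, secret and entity.data."""
    client_id: str
    client_secret: str
    data: dict = field(default_factory=dict)


class FakeDuende:
    """Stand-in for Duende's token endpoint. It holds only secret hashes, so the one
    way to learn whether a plaintext secret is right is to ask it for a token.
    SHA-256 here is a constructed placeholder, not Duende's real hashing scheme."""

    def __init__(self, hashed_secrets: Dict[str, str]):
        self.hashed_secrets = hashed_secrets  # client_id -> hex digest (constructed)
        self.calls = 0  # lets the demo show when Duende stops being consulted

    def client_credentials_token(self, client_id: str, client_secret: str) -> Optional[str]:
        self.calls += 1
        digest = hashlib.sha256(client_secret.encode()).hexdigest()
        stored = self.hashed_secrets.get(client_id)
        if stored is not None and hmac.compare_digest(stored, digest):
            return f"duende-jwt-for-{client_id}"
        return None


class FakeFusionAuth:
    """Stand-in for the FusionAuth Entity API and its client-credentials token endpoint."""

    def __init__(self, entities: List[Entity]):
        self.entities = {e.client_id: e for e in entities}

    def find_entity(self, client_id: str) -> Optional[Entity]:
        return self.entities.get(client_id)

    def update_secret(self, client_id: str, new_secret: str) -> None:
        # Corresponds to the Entity API update: store the proven secret, flip the flag.
        entity = self.entities[client_id]
        entity.client_secret = new_secret
        entity.data["migration"] = True

    def client_credentials_token(self, client_id: str, client_secret: str) -> Optional[str]:
        entity = self.entities.get(client_id)
        if entity is None or not hmac.compare_digest(entity.client_secret, client_secret):
            return None
        return f"fusionauth-jwt-for-{client_id}"


class MigrationProxy:
    """The interception proxy that sits in front of Duende for the migration window."""

    def __init__(self, duende: FakeDuende, fusionauth: FakeFusionAuth):
        self.duende = duende
        self.fa = fusionauth

    def token(self, client_id: str, client_secret: str) -> Optional[str]:
        entity = self.fa.find_entity(client_id)
        if entity is None:
            return None  # unknown client: nothing to migrate, nothing to issue
        if not entity.data.get("migration", False):
            # Not yet migrated: only Duende can judge the plaintext against its hash.
            if self.duende.client_credentials_token(client_id, client_secret) is None:
                return None  # wrong secret: leave the entity exactly as it was
            # Duende issued a JWT, so the secret is proven. That JWT is discarded;
            # the secret goes into FusionAuth and the flag is set so Duende is
            # never asked about this client again.
            self.fa.update_secret(client_id, client_secret)
        # The proxy handles client_secret in plaintext: never write it to logs here.
        return self.fa.client_credentials_token(client_id, client_secret)


def build_demo():
    """Constructed sample state: one client whose real secret Duende knows only as a hash."""
    real_secret = "s3cret-for-api-a"
    duende = FakeDuende({"api-a": hashlib.sha256(real_secret.encode()).hexdigest()})
    fa = FakeFusionAuth([Entity("api-a", "random-placeholder-secret", {"migration": False})])
    return MigrationProxy(duende, fa), duende, fa


if __name__ == "__main__":
    proxy, duende, fa = build_demo()
    print(proxy.token("api-a", "wrong-secret"))        # None, entity untouched
    print(proxy.token("api-a", "s3cret-for-api-a"))    # fusionauth-jwt-for-api-a
    print(fa.find_entity("api-a").data, duende.calls)  # {'migration': True} 2
```

In a real deployment the two stand-ins become HTTPS calls to Duende's token endpoint and to FusionAuth's Entity and token endpoints, and the proxy should be removed once every entity carries migration: true, since it is the one component that sees secrets in plaintext.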
-
Client secret hashed in source identity provider
We're migrating from an identity provider (Duende) that hashes the client secret when the client credentials grant is used.
How can we migrate these secrets to FusionAuth entities?
-
RE: Is it possible to add a custom identity provider or modify OpenID Connect?
@adam-rahman Thanks. I'll keep an eye on this as well and reach out if I see any movement or hear anything.
-
RE: Is it possible to add a custom identity provider or modify OpenID Connect?
@adam-rahman It looks like TikTok is not adhering to the OAuth2 standards. I'm not sure why. I have put an email into them to see if there is any reason and I will let you know if I hear anything back. I have looked around a bit, and cannot seem to find a way to change the parameter in the querystring through FusionAuth. There is currently an open Github issue for this. I added a comment but I suggest you go and upvote it too. You may also want to reach out to TikTok and ask them to get compliant.
-
RE: Does FusionAuth work with resend, the email provider?
While I have not tested it, this documentation shows how to use an SMTP integration to send an email with resend.
This should work fine with FusionAuth's email settings.
-
Does FusionAuth work with resend, the email provider?
-
RE: Visual Studio Templates Broken?
@teyog10322 Visual Studio 2022, how about you?