As of 1.51.1, we now have a dedicated health check API endpoint:

https://fusionauth.io/docs/apis/system#retrieve-system-health has more details

@ashok you got it!

I can see we can create applications and add tenants to them, which can't be edited/changed later. Is it possible to Add multiple tenants to one application? And maybe change the tenant later.

Nope, applications are contained within tenants. Here's a blog post talking about multi tenant in FusionAuth.

Also, on the documentation, it can be seen that in order to support multi-tenant or offer services to more than one client.
In this scenario, it is suggested to maintain separate Users, Applications, and Groups for each of your clients.

Yes, you can think of a tenant as an entirely separate installation of FusionAuth. So you'd have to create users, applications and groups for each tenant. Another way of structuring this would be to have an application for each client. Which you choose depends on how much separation you need.

what is the purpose of multiple application and multiple tenants?

The main purpose of using tenants in the higher level of separation. If you want each client to have their own FusionAuth theme, API keys, and a separate user space, then you want multi tenant. If you don't care about the themes, tenant scoped API keys, or that someone with the same email address wil have the same password for the application of client A and client B (because both use the same FusionAuth and live in the same tenant, the user will have the same password for each application), then separate FusionAuth applications in the same tenant will work.

Hmmm. That seems to be a bug, because the aud claim should be absent from the authorization code grant, since the user isn't registered for that application.

I filed an issue: https://github.com/FusionAuth/fusionauth-issues/issues/713

ah, thanks for explaining.

I can't see any way to do this. The behavior of these grants are outlined in the RFC, so are pretty limited in flexibility. It looks like auth0 allows something similar to this, so I'm guessing it's not against the spec.

I looked through some code and didn't find support for that. Can you please file an feature request outlining your use case? https://github.com/fusionauth/fusionauth-issues

@dan said in logout questions:

've got a question about logout.
When logging in using the /oauth2/token route with the auth wordle code grant, it seems the /api/logout route does not revoke the refresh token.
Is intended? Is the best way to log out in this case is with the /ouath2/logout route? How does that know which user to log out? there's no user id or refresh token property in the body.

Regarding user identification during logout, the OAuth 2.0 specification doesn't define a standard logout endpoint. Logout processes are often application-specific, and the mechanism to identify the user being logged out might depend on the authentication framework or technology being used.

Ah, yes, thanks for explaining.

Yes

You have two options

use the API to integrate with the current login/reg flow with FusionAuth. This lets you keep your existing html pretty much untouched, you're just calling out to FusionAuth instead of the database. remove them and use the FusionAuth provided pages with OIDC. This lets you use the theming and localization capabilities of FusionAuth, including super simple social signon.

It's your choice based on what your needs are, either way will work.

I'd only recommend using SAML if you have an application which only supports SAML, not OIDC.

You'll also want to make sure that when someone registers with one of your applications in FusionAuth, they register with all three. I'd probably use a webhook to ensure that.

Thanks Dan,

I've created a github issue here:

https://github.com/FusionAuth/fusionauth-issues/issues/845

I am confused by this response. I found the register() function in the php client documentation. It should be register($userid,$request);. For the $userid I am planning on using the email_address. For the $request I plan on using this:
$applicationId = "32688330-1630-4e0d-a4de-8ae45c3ca527";
$request = array();
$request["applicationId"] = $applicationId;
$request["loginId"] = $post_array[employee_email];
$request["password"] = "";

So it would be register($post_array[employee_email],$request);

Is this the proper API call to register a user? This is returning a $result->errorResponse of null.
status=0
successResponse=null

What does this mean? Was the install bad?
This line seems to have executed correctly (I think)
$_SESSION['client'] = new FusionAuth\FusionAuthClient($apiKey, "http://localhost:9011");

@robotdan Also, it was actually me who opened the mentioned issue. 😅

Awesome, glad to hear it! Thanks for letting me know.

'Tis I indeed! Continuing my signature moves of knowing juuuuuust enough to be dangerous to myself and others LOL. I'm checking the settings now, thanks to you and Dan for the support!

Ah, I see how that could be confusing. Sorry about that. Glad you got it sorted out and it works!

@mgetka thanks so much for the explanation.

"to redirect iOS users directly to pseudo protocol. And redirect all the android user to a custom interstitial site. "
I believe this would be the only option for the time being.

Deep Linking doesn't work at least for my application:
Flutter -> flutter_appauth(4.0.1) -> fusionauth

While the same scenario could work with Auth0, following this blog.

Comparing with the solution with FusionAuth.
FusionAuth open a new tab for Facebook and Google login.

While Auth0 continues on the same page with a page redirection.

@dtokarz1

Great! There is also some of this functionality built into FusionAuth that you could explore as well under Tenants > Registration > Email verification settings

Screen Shot 2021-08-03 at 1.42.38 PM.png

Thanks,
Josh

@titogarrido said in I want my webhooks firing only when I use the web interface, how can I do that?:

Is there a way to fire webhooks only when the admin application executes an action

I'm not aware of any way to do this. The webhook actions for API calls are indistinguishable from the webhook actions caused by the admin UI because the admin UI uses the API.

I am trying to use the webhook to keep a local database synchronized, is it a correct usage? If not, how can I keep a local database sync?

I think you are on the right path. I'm not sure why it is timing out, but as @mgetka says, that's what I'd investigate.

Added this as a feature request: https://github.com/FusionAuth/fusionauth-issues/issues/1041

For anyone interested I got this running by one installing docker-compose from the actual docker tutorial on how to do it, and then giving docker permission to run commands as root. There is a tutorial on how to do it on. On top of those I moved it to a server with 2gb of ram, as I noticed a few out of memory errors when it was trying to start up.
https://docs.docker.com/engine/install/linux-postinstall/

@tony

Glad you were able to figure it out. I'm not aware of any other way to access the identity provider id from the response, but that does seem to solve your problem, correct?

Please feel free to file a feature request more clearly outlining your use case and proposed ideal solution.

It looks like the type of audiences is a set of strings, so I wouldn't expect any complex elements.

The docs say that this field is:

[a] list of the audiences for this SAML response. By default, the issuer or audience from the form are used.

This is not super clear to me, so I filed a PR against the docs to make it clearer: https://github.com/FusionAuth/fusionauth-site/pull/376