@samet @kbi @shaunladd

After talking some more with colleagues, this error behavior related to your Nginx configuration and not related to FusionAuth directly.

You can check out two reverse proxy repos that are community maintained below for further guidance:

https://github.com/FusionAuth/fusionauth-contrib/tree/master/Reverse Proxy Configurations https://github.com/FusionAuth/fusionauth-containers/pull/61

As I often have to remind myself, when deals with layers of abstraction, it is always best to start with the simplest base layer and build from there. So in this case, a good approach may be to expose the FusionAuth node directly and try to get it working without a proxy. Or try getting a proxy working with FusionAuth on a VM/docker locally (as opposed to the cloud/remote), just to remove variables.

I hope this helps!

Thanks,
Josh

Ok this is how I fixed the post_logout_redirect_uri issue.

In my logoff method, I did this to remove the local cookies

c99db979-5e36-4e07-8cbd-8ce25bd73775-image.png

Then because I could not use the Owin..OIDC..PostLogoutRedirectUri in the OpenIdConnectAuthenticationOptions to pass the client_id

At the end of the logoff method, I just did this:

39f0427a-f30a-4e54-b719-1c6689476674-image.png

This removed the FusionAuth session, does the log out, and redirects to my home page

Thanks to all who tried to help out

@laurent-michel Great to hear!

Hi Dan,

We already have an issue: https://github.com/FusionAuth/fusionauth-issues/issues/1955

But please allow me to reiterate once more, as I get the feeling the issue is now downplayed a bit to being a developer experience-issue.

We want a centralized / hosted authentication-solution, that we don't have to maintain ourselves. So… We have a hosted FA-instance and try to use the hosted login and registration views. There is an external API, though, that we Ping using a webhook for authorization purposes. This checks if application-access for a given user is still up to date with our own administration. If not the webhook returns a non-200 response and we update FA using an API-call accordingly. The webhook works very nice, and will be even better as soon as we get to customize its error message, which, I believe is already on your development-calendar (https://github.com/FusionAuth/fusionauth-issues/issues/1725) When the webhook fails we get a nice error message in the hosted interface that we can customize even. All is well. There's one exception to this, that is when the webhook fails after entering the MFA-challenge. Then we, all of a sudden don't get the webhook-error message, that we have customized, but an error message the MFA-challenge is incorrect. Which it is not. And which confuses our users, as they try another OTP-token, or even worse: another SMS, but it keeps failing. The token is not wrong. The webhook is failing. Everywhere the interface reports this correctly, except for this one, crucial, place: the entering of the MFA-challenge.

I see no way to customize this behavior, as a developer. This is not a developer experience issue, I feel, this is a bug.

@jw-0 said in React SDK example - nothing in the userInfo but tid and sub:

I'm sure I'm doing something stupid here but I can't work out what I haven't done.

I am using the changebank React SDK example as my test harness, using the community version of FusionAuth for now, hosted under docker
I've created a new tenant, a new app and then a new user.
I can login using this new user into the app but the userInfo structure has nothing in it other the the use sub and the tid.

Config is below

const config: FusionAuthProviderConfig = {
clientId: "31067471-23fc-4634-afa9-c049ff4f0a86",
redirectUri: "http://localhost:5173", slope run

serverUrl: "http://localhost:9011/",
shouldAutoFetchUserInfo: true,
shouldAutoRefresh: true,
onRedirect: (state?: string) => {
console.log(Redirect happened with state value: ${state}"});
}
};

Example code is:
In main.tsx
const { isLoggedIn, isFetchingUserInfo, userInfo } = useFusionAuth();

In the AccountPage.tsx I have:

<p>tid {userInfo?.tid}</p> <p>sub {userInfo?.sub}</p> <p>roles {userInfo?.roles}</p> <p>email {userInfo?.email}</p>

The roles and email fields are always null

Any ideas?

In FusionAuth, ensure that the user claims are set up correctly. Go to the tenant settings and check the "User Claims" section to confirm that the necessary claims (like email, name, etc.) are included. Make sure that your application is requesting the correct scopes during the authentication process. Common scopes include openid, profile, and email. Verify that these scopes are included in your authentication request. Review the ChangeBank React SDK example to ensure it correctly handles the userInfo endpoint. There may be specific configurations or API calls that need to be made to retrieve additional user data.

@laurent-bartet awesome! So it sounds like you had things set up right, you just were not logged out, so when you went back the reconcile event never took place cause you were already logged in. Is that right?

i like it

@robotdan Thanks Dan!

@jmarin Interesting. What instructions are you working off of from Rosetta Stone?

Great. It's typically used for CSRF protection, but can be used for other purposes. Here's a pretty good article covering this.

@pradhanv88 it is documented here: https://fusionauth.io/docs/reference/configuration

But there is a bug with TLS in recent versions of FusionAuth: https://github.com/FusionAuth/fusionauth-issues/issues/2498

This is scheduled not for this release, but for the next one.

@dan Hi Dan - I've added https://github.com/FusionAuth/fusionauth-issues/issues/758 as this looks seperate to me

That's great!

Great. Marking this solved. Let me know if that's not ok 🙂 .

Hi James,

Glad to help! Let us know if you have any more questions.

@dan said in JWT token with roles:

"applicationId": "ffbbef97-a2c0-49eb-990d-bd6e96acf2f9",
"roles": [
"USER"
]

Hey Dan!

Now we got it working.

For reference, we were not passing applicationId inside the request body, that's why the roles were not included in the token.

Thanks again for the time Dan!

Hi!

I've made an additional investigation and found out that for some reason Fusionauth instances deployed in my k8s cluster don't utilize all CPUs available on the nodes. There are 6 nodes with 12 CPUs each, but a single Fusionauth instance hardly ever utilized even 1 CPU.

I've tried to scale horizontally, deploying 50, 60, 75 and more Fusionauth's instances and got much better result during my load testing, up to 250 logins per second (each login - two requests - /oauth2/authorize and /oauth2/token).

I wonder why this could happen and and if there are there any settings for Fusionath or Java or k8s that could help to solve the issue?

Thanks!

Moving to the q&a section.

Hey Dan. My plan is to try to log a user on with their email as the key. If that fails (like it will if they have not registered).

$request = array(); $request["applicationId"] = $_SESSION['applicationID_admin_register_login']; $request["user"]["data"]["admin_email"] = $email; $request["user"]["data"]["email"] = $request["user"]["email"] = $email; $requestJ = json_encode($request); //convert the array into json $result = $_SESSION['client']->updateUser($id, $requestJ); //if $result is that user was not found then ask if they want to register? if (!$result->wasSuccessful()) { log_message('error', $result); }

Now, I don't want to updateUser() since I am not even sure if the user exists. What function should I use to easily see if they are already registered?

This issue, in my opinion, has been resolved in this thread : https://fusionauth.io/community/forum/topic/1086/how-may-i-see-the-name-of-database-created-used-by-fusionauth-in-local-mysql?_=1623774571813.

If anyone has the same issue, I hope it will be helpful. Thank you.