Back to my issue with the page a user who presses the button after the session has expired (see above). Is there any way to tell FA where to redirect to when the link has expired.

From reading the passwordless guide, it looks like an Invalid login credentials message will be displayed in this case. That may be themeable, but I'd have to play around to know for sure. But that's where I'd start.

@richb201 said in Invalid redirect uri:

If not is there a suggestion box?

This is the suggestion box :). We also accept PRs against our documentation site: https://github.com/fusionauth/fusionauth-site/

However, it's best to open a new topic when there's a new question or issue. Otherwise things can sometimes get lost.

I'm glad you are making progress!

I think this is a bug. For some reason the tenant settings are controlling on the refresh token exchange when the application config should take precedence.

Can you please file an issue here: https://github.com/fusionauth/fusionauth-issues/issues and reference this forum post?

@mweiss 1.26 was released today. You can read the release notes here: https://fusionauth.io/docs/v1/tech/release-notes/#version-1-26-0

It is available on dockerhub and the download page.

@dtokarz1

Interesting fix. I will have to consider why your solution worked. In the end, glad that you were able to get it working!

Thanks,
Josh

My first question is a) when I setup the dashboard on server A. Can I assume that all the servers (behind a load balancer) will get the same configuration?

You need to distribute the configuration file or the environment variables yourself. You could scp the configuration file to each server, for example.

b) I want to make sure that FA is using the RDS database and not a local one in each docker container. How can I prove to myself that FA is using the RDS?

I'm not sure how you installed this, but you could remove postgresql from the docker-compose file. You can also shut down the RDS instance and see if FusionAuth fails.

You can also look for a line in the startup log file that looks like this:

fusionauth_1 | 2021-02-02 9:23:53.070 PM INFO com.inversoft.jdbc.hikari.DataSourceProvider - Connecting to PostgreSQL database at [jdbc:postgresql://db:5432/fusionauth]

This line is connecting to a local postgresql database, but you should see the configuration value pointing to the RDS hostname in yours.

This might be useful for visitors in the future: https://fusionauth.io/docs/extend/examples/device-limiting

I have added a further suggestion to the issue on the app repo.

https://github.com/FusionAuth/fusionauth-issues/issues/1250#issuecomment-859634082

@marcasellkhelaifi,

Glad that you got this figured out! Thanks for sharing!

Thanks,
Josh

@justinfox,

Awesome, glad that you got it working!

Thanks,
Josh

Thanks for the additional information @david-billings. We will have to see if we can do some additional testing to recreate.

Josh

Thank you for share this information............

@alex

I was out of the office last week, but am looking at this now.

I would say that you would be best served by checking the event logs. The logs that you have displayed here are from the main application and may not show as much debug information as the events logs do (when the debug toggle is enabled in the specific IdP and/or lambda).

Regarding your other questions, I was able to make an advanced registration form with both an email and username input. Since Google does not return a username, FusionAuth will send you to a complete registration page and ask for a username. The unique username policy set on the tenant will ensure no username collisions.

Then my_user_name becomes appended by the unique user name constraint set on the tenant
b8d46e80-596d-4e32-8252-65a7a75c2ab3-image.png

re:

The user can merge accounts (including all application-specific data) by requesting a merge. The requested-of account would receive an e-mail notification asking permission to merge, which would be valid for a short/customizable period of time.

We don't have this functionality exactly but have an approximation. On this user, notice the linked accounts tab. You can remove externally linked accounts here as an admin. Additionally, if you set create a pending link, as your linking strategy (instead of link on email), you can have your user login with google and associate that google UUID to an existing FusionAuth user (or create a new user).

I am not sure if this fully addresses what you are asking. My encouragement would be to review the documentation that we just released around linking IdP accounts, linking strategies, etc.
https://fusionauth.io/docs/v1/tech/identity-providers/

Here for any further clarification needed 🙂

Thanks,
Josh

dac8d112-09f0-41b0-9fa5-9d47bbf40c0a-image.png

Thanks,
Josh
FusionAuth

@chrissmueller328

There is some discussion of this (mostly focused on SAML, but OIDC is referenced and considered as well)

https://github.com/FusionAuth/fusionauth-issues/issues/566

I will review further and see if the team has any other thoughts.

Thanks,
Josh

@dan Thanks for the reply Dan, I'll go ahead and discuss this with my team before we go any further.

Just to double check, could the FusionAuth team revise this document's flow chart of the logout request if it's no longer correct? https://fusionauth.io/docs/v1/tech/guides/single-sign-on, or perhaps specify that the Logout request is specific to the FusionAuth app, not Pied Piper? Thanks.

e27f08e0-7665-46f9-a89f-f26637003a18-image.png

Bug filed here: https://github.com/FusionAuth/fusionauth-issues/issues/1740

A CLI tool for managing configuration can be super handy for those who love working from the terminal. There are definitely some robust APIs and terraform providers you've pointed out.

@epnyc Are you sure the "Client credentials JWT populate" is the type of lambda you want to create and not a "JWT populate" lambda?

If you are looking to assign a "JWT Populate" lambda, you need to go to Applications -> Your Application and select to the JWT tab and then select the lambda under the Lambda settings. (You will need to create a lambda of this type in Customizations -> Lambdas)

If you are looking to assign a "Client credentials JWT populate" lambda (sounds like this is what you created), you need to **Tenants -> Your Tenant ** and then select the OAuth tab and choose the Client Credentials populate lambda.

Client Credentials JWT Populate lambda documentation

JWT Populate lambda documentation

@sandesh Great, glad you figured it out!

@mark-robustelli we are on the old 1.6. I cannot add the tenant back since this is a production server and a second tenant breaks our application authentication service. Upgrading right now is not an option and we are working on trying to migrate to hosted cloud services as our upgrade path.

@ronn316 Awesome glad to see you got it working. I'm sure there is a way to use a dns name, but like I mentioned before, someone with a little more docker experience would have to help us out here. Thanks for working this through and sharing with the community.