@fred-fred said in Is there an example of how to authorize a user to an app and allow them to access after using the login API?:

May I ask, why do you have /API/Login if all it really does is authenticate but not authenticate and authorize like the Login pages?

I'm not sure I totally understand the premise of the question. I hear your frustration, however.

The Login API provides a JWT, which can be used for authorization. It seems like you are looking for configurable SSO which is, as I understand it, a different thing.

Our SSO implementation (like almost every other SSO implementation for web browsers) depends on cookies, which are not really something you can set with a backend API in a effective way (because the cookies have to be set by the component responding the browser, which the Login API will not be.) If there's an SSO implementation that is available via an API, please share that as we're always looking to improve.

When you use the Login API, you have complete custom control over every aspect of the UX. But with great power comes great responsibility 🙂 , and part of that responsibility is re-implementing SSO.

@utahtwo I tried that and was unable to make it work a few months back. @joshua filed an issue here: https://github.com/FusionAuth/fusionauth-issues/issues/1532

The simplest solution if you are self hosting is to run a different instance of FusionAuth on a different port against a different database. I've done that successfully.

@bergraan,

One more note:

You will want to ensure you are using the client_id on the URL.

To that end, after discussing with the team, I think your URL's may be broken:

Example good URL --> http://localhost:9011/password/change/<code>?<tenan_id> Example bad URL --> http://localhost:9011/password/change/<code>?client_id=<client_id>&<tenan_id>

should be
⬇ ⬇ ⬇

Example good URL --> http://localhost:9011/password/change/<code>?tenantId=<tenant_id> Example bad URL --> http://localhost:9011/password/change/<code>?client_id=<client_id>&tenantId=<tenan_id>

I hope this helps!

Thanks,
Josh

@reece-temple!

Sorry to hear that you are still having trouble!

When you say that you have tried locally, does that mean that you having installed FusionAuth via FastPath install files?

Thanks,
Josh

I recently embarked on the journey of integrating FusionAuth into my website, inspired by a discussion in the FusionAuth community forum

Hey folks, I think I spoke too soon with my response 14 days ago. I misunderstood and assumed the id_token was available. There is a token on the reconcile lambda, but it is the access_token, not the id_token. My apologies.

That said, there is some work happening on issue 323 that you probably want to track: https://github.com/FusionAuth/fusionauth-issues/issues/323 (a comment or two way at the bottom). It's not finished yet, but we're looking at ways to make the id_token available to the open id connect reconcile lambda.

@jared GitHub issues are the right place for feature requests, thanks!

There's an 'additional context' section for feature requests, and you can feel free to link back to these forum posts. That can help enrich the discussion when the eng team reviews requests to prioritize them.

Cheers!

@muravyov-alexey Thank you!

@joshua

FA version 1.31.0
typescript-client-1.32.1

BTW I have successfully implemented Facebook social login using Complete Facebook Login api which is actually the same endpoint/api as of Complete google login but with a different identity provider value. It's quite a weird behavior that that api is working with facebook but not with google. 😞

Could you guys please take a look over it? Or I am missing something in case of google login if it needs some configuration.

@matt-1 said in Hakari CP DB Settings?:

That said, it seems they are because we haven't seen the DB timeouts in 6 FusionAuth environments in over 2 weeks now.

Hi @matt-1 Yes, I believe that I misunderstood your question. I believe that you are correct.

Josh

@dan said in Wrong logout URL being returned ?:

@francis-ducharme What is your setting for logoutBehavior for each application config? All applications or redirect only?

By default it is 'all applications' which means that FusionAuth, on logout, will call each application's logout url (to ensure that the user is logged out of all applications). It does this via an iframe, so I'd expect both to be requested. https://fusionauth.io/docs/v1/tech/guides/single-sign-on#configure-the-applications-in-fusionauth has a bit more.

I'm not sure why you are ending up at localhost for the dev app, though.

That was it. All my application's logout behavior were set to "All Applications". "Redirect" only made it so the browser doesn't get redirected to "localhost".

Thanks!

@matt-1

I would assume that is the issue - but let us know if otherwise

Josh

@utahtwo Currently this requires two different configurations. We initially tried to do it all within one IdP, but each mode requires different configuration and has unique security constraints. It seemed simpler for all involved to make them separate IdP configurations.

If there is a use case that breaks due to this design decision, please open a GitHub issue and outline the use case so we can better understand your needs. Thanks!

@joshua

I have inserted the code and id_token in the API call as you mentioned and
My logs had been cut off, The following are the complete logs,

Apple IdP Response Debug Log [13d2a5db-7ef9-4d62-b909-0df58612e775] 7/7/2022 12:18:37 PM GMT Validate the provided [id_token] value [eyJraWQiOiJmaDZCczhDIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLnJldm9sdXRpb25jYXJzLmRlbW8iLCJleHAiOjE2NTcyODI1NzcsImlhdCI6MTY1NzE5NjE3Nywic3ViIjoiMDAwNzA1LjQ5YTA5ZjYyNTMyNjRhMDNhYTQ5N2ExYTlhYzI3MDY5LjE0MTciLCJhdF9oYXNoIjoiWTRsTVlESkRITHdteldpc3FzbTY2ZyIsImVtYWlsIjoiZ2FuZXNobW9vcnRoeTU5OTlAZ21haWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOiJ0cnVlIiwiYXV0aF90aW1lIjoxNjU3MTk2MTU5LCJub25jZV9zdXBwb3J0ZWQiOnRydWV9.aK7dDZdZSue6gCpmba0YL8PVX2qkbru-4DE0NNNBKBKnqN2uFmwgbcjYRqb-jj4UIKCibDcUSsd4mbD9wRHK4o8rH8M_ZCBdgJ8cIr1sx8JTQ7M1BOSyap7GsxWzPdR_stCJn7xWBeUulRtpWdemj-H3_6DwMQak0E4IG2ZxAdTwmTz464FGynmbmXQaKBqqLJP5WXFagLHZNFZeCd9Tr458B3__KGcPni912IwHLl1Yhhn-oqLm7RU5Ck5iTPZfvW2oZwljtdilCONVzXHsyHnL0hPZcvzrlxWXxXhljpg_VeuS-M53amL2JgAQRjloFARBqfRWW3zt5qdRYVYl1w] 7/7/2022 12:18:37 PM GMT Decode the [id_token]. 7/7/2022 12:18:37 PM GMT Assert the [iss] claim is equal to [https://appleid.apple.com]. 7/7/2022 12:18:37 PM GMT Assert the [aud] claim is equal to [com.revolutioncars.demo]. 7/7/2022 12:18:37 PM GMT Calculate the [c_hash] to ensure the integrity of the provided [code] value []. 7/7/2022 12:18:37 PM GMT The [id_token] integrity check failed. Expected a [c_hash] of [null] and found [47DEQpj8HBSa-_TImW-5JA].

@dan I did not have FUSIONAUTH_APP_MEMORY set so it was just at the default value.
I upped the value to 1gb when the container had 1gb and it no longer crashed with out of memory errors however the container would still die then restart. Not seeing any logs for it.
I tried making the value smaller than 1gb but it behaved the same. I then upped the container to 2 gb of memory and set FUSIONAUTH_APP_MEMORY to 1gb. Now it seems to be working ok and not crashing. Is there some further performance tuning that I can do on it?

While I understand this topic has been previously discussed, I believe it's still relevant due to the similarity in my use case.

I'm currently integrating Discord login into my application using the OpenID Connect identity provider. My goal is to implement a custom user experience that doesn't rely on FusionAuth's hosted login pages.

As mentioned in previous discussions, the current documentation doesn't provide a way to pass the PKCE code_verifier when requesting the "Complete an OpenID Connect Login" endpoint.

I'd like to propose two improvements:

Allow passing code, code_verifier (optional), and redirect_uri in the request payload. This would provide a more flexible and allow the usage of PKCE;

Allow passing an access token directly. This would eliminate the need for FusionAuth process the exchange step, similar to how Facebook's identity provider works (for example). This would probably also require the configuration of an endpoint to fetch the user email or username.

As a side note, since discord access_token is not a JWT I believe this cannot be done using the "External JWT" identity provider.

Hope you can help me with this.
Thanks!

@vvicazz That's great news!

@nick-1 Thanks for sharing your step by step process. I know that AWS throttles port 25 on all EC2 instances, but am not sure about Fargate/ECS: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-port-25-throttle/

Perhaps that was the issue?

Created the github issue - https://github.com/FusionAuth/fusionauth-issues/issues/1795