Default application
-
I would like to implement a login workflow similar to Google. For example: when I log in to Google through accounts.google.com, after login, I am redirected to myaccount.google.com, an application where I can manage my account data.
When I log in via the main domain where FusionAuth is installed, I get the message:
"Your account does not have permissions to access the FusionAuth Admin Interface. Please contact your system administrator."
Probably because the default application is the FusionAuth Admin Interface. Is there any possibility to change the default application? I would like to create an application where my user could manage his profile at myaccount.mydomain.com ... But if my user decides to directly access the domain where FusionAuth is located (accounts.mydomain.com), he will be redirected to the myaccount application.
-
There is no way to change the default application in FusionAuth. But you could pass a client id using a proxy.
You could create two DNS records: accounts.mydomain.com and fusionauth.mydomain.com. When a user comes in to accounts.mydomain.com, append client_id=<accounts client id> to the URL via whatever proxy you are using.
Here's an example using path params and nginx: https://stackoverflow.com/questions/16532293/nginx-proxy-pass-is-it-possible-to-add-a-static-parameter-to-the-url
-
I'm looking for a solution to the same problem. It's a pity there is no way to change the default application or (at least) to modify the error page template so that it shows some nicer layout and information.
I don't think that Dan's proposal is a good solution for this issue as the user is still able to directly visit fusionauth.mydomain.com.
My workaround for this (not fully tested yet!) is to use Nginx's sub_filter module to inject some external JavaScript code.
The injected JavaScript code should be able to redirect to the default application if some conditions (indicating the user has no access to the FusionAuth application) are met, e.g. document.location.href contains 'userState=AuthenticatedNotRegistered'.
See:
location / {
    location /login {
        sub_filter '<head>' '<head><script type="text/javascript">console.log("hello from nginx")</script>';
        sub_filter_once on;
        ...
    }
    ...
}
-
Please let us know how the sub_filter experiment goes. Another idea is locking down fusionauth.mydomain.com to only be accessible via certain IP addresses. Here's a page listing ways to limit access to proxied resources.
Also, please feel free to file an issue in the issues GitHub repository about setting the default application as we take such issues into consideration when planning future development.
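The two proxy-side suggestions in this thread (appending a client_id for accounts.mydomain.com, and limiting fusionauth.mydomain.com to certain IP addresses) combined in one nginx configuration, as an added example that is not part of the original posts or FusionAuth's own documentation. The upstream address, certificate paths, client id value and admin network range are assumptions or placeholders.

```nginx
# Added example. All values marked "placeholder" or "assumption" are constructed.
upstream fusionauth_backend {
    server 127.0.0.1:9011;              # assumption: FusionAuth reachable locally
}

# Public hostname: every request gets the accounts application's client_id
# unless the request already carries one.
server {
    listen 443 ssl;
    server_name accounts.mydomain.com;
    ssl_certificate     /etc/nginx/tls/accounts.crt;    # placeholder path
    ssl_certificate_key /etc/nginx/tls/accounts.key;    # placeholder path

    location / {
        set $sep "";
        if ($is_args) { set $sep "&"; }                 # query string already present
        if ($arg_client_id = "") {
            set $args "${args}${sep}client_id=ACCOUNTS_CLIENT_ID_PLACEHOLDER";
        }
        proxy_pass http://fusionauth_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Admin hostname: only the admin network may reach it, so ordinary users
# cannot land on the Admin Interface by visiting this name directly.
server {
    listen 443 ssl;
    server_name fusionauth.mydomain.com;
    ssl_certificate     /etc/nginx/tls/fusionauth.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/fusionauth.key;  # placeholder path

    # allow/deny match $remote_addr; behind another load balancer, restore the
    # client address with the realip module first.
    allow 203.0.113.0/24;               # placeholder admin network (documentation range)
    deny  all;

    location / {
        proxy_pass http://fusionauth_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The allow/deny rule is what actually restricts the admin hostname; the client_id rewrite only changes which application a visitor is sent to.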
-
The solution with sub_filter works, but it still makes the "strange-looking" page appear for a while until the redirect is done. I'll create an issue on GitHub for this.
The code I've used is injected before the closing body tag and looks for the text "Your account does not have permissions to access the FusionAuth Admin Interface" using an XPath expression (this condition can be adjusted to be more reliable if needed). Then it redirects to some other page.
sub_filter '</body>' '<script type="text/javascript">if (document.evaluate("count(//p[contains(., \\\"Your account does not have permissions to access the FusionAuth Admin Interface\\\")])", document, null, XPathResult.ANY_TYPE, null).numberValue === 1){document.location.href="https://some.default.domain"}</script></body>';
sub_filter_once on;
-