missing redirect_uri

richb201

This post is deleted!

richb201

This post is deleted!

richb201

This post is deleted!

dan

@richb201 did you get your questions answered?

richb201

@dan Yes! I got that survey "thing" working. Thx! I have one more part to fix. I have a login popup on my wordpress landing page.

On the bottom. I'd like to trigger a passwordless login email directly from that LOGIN button (but only if they already have a fa account). So what I did was add the OAuth IdP login URL:

as the "redirect to" address in wordpress.

But when I test it I end up at this screen.

But that is not really where i want the user to end up. I'd like to determine if the user has an account already on fa. If they do then i want to startPasswordless login. If they don't i want to send them to mailchimp to get their information and then send them to fa to register. I realize that there a few "steps" I need to get working. For right now I'd settle on getting my passwordless Login email to be sent to their email address.

I suspect that I will need to write the code to do as "conditional redirect", eventually. Question? Is there a way that I can quickly tell if a user has already set up a fa account without logging them in? That will be the basis of the "condition".

dan

Question? Is there a way that I can quickly tell if a user has already set up a fa account without logging them in? That will be the basis of the "condition".

@richb201 you could always run a search for their email address and see if any results come back. That couldn't be done in the browser, but could definitely be done server side. https://fusionauth.io/docs/v1/tech/apis/users/#search-for-users has more.

richb201

Thanks Dan. When you say "run a search" on the server, do you mean "try to start passwordless log in and review the error message", if it fails?

Another question for you.

I am not sure how to set up the security with FA with passwordless. How will I keep a user from just going directly to one of my pages anywhere on my site?

With passwordless I send them back an email login link. When the click the link, they are sent to a link from FA with a code appended which allows them to log in. How do i enforce that only users authenticated by FA are allowed to view all of my pages? Of course without a userid they won't get very far in my app.

On a slightly different beginner question. I am using PHP. Normally I will allow a user access to one of my methods which creates a form where they enter their email address. From this I will start the passwordless or will send them to my registration page.

Is it a a security mistake to allow them to access one of my methods IN MY APP to start passwordless? Should I be handling the passwordless/registration/authentication from a totally different process for security?

dan

@richb201 said in missing redirect_uri:

Thanks Dan. When you say "run a search" on the server, do you mean "try to start passwordless log in and review the error message", if it fails?

I mean use the user search API in your server side code. Sorry if I was unclear. You could do that on a page on your site.

I am not sure how to set up the security with FA with passwordless. How will I keep a user from just going directly to one of my pages anywhere on my site?

Typically you want to have your server side code save off in a session whether the user is logged in or not. Then you can have any of your web application show different messages or protect pages based on that.

Is it a a security mistake to allow them to access one of my methods IN MY APP to start passwordless? Should I be handling the passwordless/registration/authentication from a totally different process for security?

I'm not sure what the attack vector is here. The real danger with passwordless is:

• attacker gets access to a user's email account
• attacker intercepts email to user

I don't think what you suggest will help with either of those situations, but if I'm missing something, please let me know.

richb201

Hey Dan. My plan is to try to log a user on with their email as the key. If that fails (like it will if they have not registered).

        $request = array();
        $request["applicationId"] = $_SESSION['applicationID_admin_register_login'];
        $request["user"]["data"]["admin_email"] = $email;
        $request["user"]["data"]["email"] = $request["user"]["email"] = $email;
        $requestJ = json_encode($request);   //convert the array into json
        $result = $_SESSION['client']->updateUser($id, $requestJ);
        //if $result is that user was not found then ask if they want to register?
        if (!$result->wasSuccessful()) {
            log_message('error', $result);
        }

Now, I don't want to updateUser() since I am not even sure if the user exists. What function should I use to easily see if they are already registered?