Reconcile is a way of make sure that a user account exists and has the correct data. The remote system is treated as the system of record, but we want a record in our local system as well.

It is a two phase process:

If the user doesn’t exist in FusionAuth (i.e. the OAuth server), they are created The data from Facebook is merged with the data in FusionAuth and the user is updated

Step 1 is optional and configurable in FusionAuth. We call it Create Registration in the application configuration. If the user already exists, then step 1 is skipped.

@stuart-auld welcome to the FusionAuth community!

There is no within FusionAuth to modify a webhook body.

This may be a feature of interest to the community; I'd encourage you to file a feature request with more details, but we could possibly run a lambda run every time a webhook runs to transform the webhook output. (There's probably scope for adding lambdas in lots of places; here's another one.)

Until that happens, however, you can send the webhook to a process running on a server or using something like google cloud functions or AWS lambda to transform the webhook output.

Yes, if self service registration is enabled (which is set on an application by application basis) and a user who is already logged in to FusionAuth tries to register for such an application, FusionAuth will automatically register them for the app. It also checks that all required profile information is filled out, which is why adding the required field displays the registration form.

You have a few options to do this. Unfortunately the login page, while very customizable in terms of look and feel via themes, is less customizable in terms of functionality and adding fields. Here are some options:

don't use our hosted login pages, instead build your own login pages (and all the other stuff like reset password, etc) using the Login API. You get total control of the login experience, at the cost of more custom code. check for consent when the application is loaded, after authentication. You could store a consent variable on the user object (in the data field) or use our consent model. Basically, after the user authenticates, take them to an interstitial page unless they have given consent. Put that logic in the application page they first land on. use javascript and customize the theme. Add a consent checkbox to the login form, and set a cookie once the user consented so you don't record the consent multiple times. Make a call via javascript to an API (which you'd have to write) to record when the consent was given.

Another option would be to use advanced registration forms for self registration and create a consent that would be required at sign up. Naturally, this doesn't help if you aren't using self service registration.

Thanks awesome @richb201 !

I'm glad you were able to sort it out!

Here's an example of a rails migration which modifies application configuration:

require 'fusionauth/fusionauth_client' class ModifyApplicationToUseForm < ActiveRecord::Migration[6.1] def up client = FusionAuth::FusionAuthClient.new(ENV['FA_API_KEY'], Rails.configuration.x.oauth.idp_url) request = { "application": { "registrationConfiguration": { "enabled": true, "type": "basic" } } } res = client.patch_application(Rails.configuration.x.oauth.client_id, request) if res.status != 200 raise "did not succeed." end end def down client = FusionAuth::FusionAuthClient.new(ENV['FA_API_KEY'], Rails.configuration.x.oauth.idp_url) request = { "application": { "registrationConfiguration": { "enabled": false } } } res = client.patch_application(Rails.configuration.x.oauth.client_id, request) if res.status != 200 raise "did not succeed." end end end

Worth noting that I pull the API key from the environment and the location of the FusionAuth instance and the application id from a config file. Often you'll need to do a lookup if you are modifying other entities.

You'd run this via the normal migration process: rails db:migrate to roll forward and rails db:rollback to rollback.

You can also run more than one operation in a single migration, but there's no transaction surrounding these changes, so if you are making three changes and step number 2 fails, you'll have to back out step number manually.

@maciej-wisniowski That was done when we found that there was a bug in

#FROM fusionauth/fusionauth-app:1.19.4

and we replaced it with:

FROM fusionauth/fusionauth-app:1.19.7

@maciej-wisniowski said in Using custom parameters with login page:

[@helpers.hidden name="custom_parameter" /]

I did not know you could do that. Thanks for sharing your solution!

@dan I am using caprover as PaaS, and it has NGINX fully integrated. It's only happening on their latest version. I already raised an issue with them (https://github.com/caprover/caprover/issues/1035).

I tried to reconfigure their proxy manually but couldn't get it to work. I just rolled it back to their earlier version.

@zamman welcome to the FusionAuth community!

FusionAuth doesn't support JWEs at this time. If you wanted to encrypt some data in your JWT, you could use a JWT populate Lambda, as long as the encryption algorithm can be implemented in straight javascript embedded in the lambda (you cannot pull in third party libraries). This MIT licensed code might work; I haven't tested it though. That's not going to create a full fledged JWE, but may suit your needs.

We don't have JWE support on our near term roadmap (you can learn more about our roadmap here). If this is a feature you need to have in a set schedule and are willing to spend money to get, please feel free to contact us about our professional services.

Alternatively, please file a feature request in our github issues list with an explanation of the use case. We draw from these feature requests based on community support as indicated by upvotes.

Glad you solved it!

Thx, useful information!

Regarding the SPA and proper authentication flow, there are some more things to consider. First, if your SPA is served from the domain that is different from your backend's domain (eg. using Vercel to host SPA frontend) then you'll have issues with cookies between different domains. Another thing is security, specifically CSRF. You'll possibly have to implement some CSRF tokens to handle this. There is a lot of information regarding these topics on the Internet but still it doesn't seem to be very easy to implement. The first link I've found on the topic: https://ideneal.medium.com/securing-authentication-in-a-spa-using-jwt-token-the-coolest-way-ab883bc372b6.
Would be great if FusionAuth docs can also describe these issues (different domains, CSRF).

Because of that it is worth considering if some other flow isn't better - AuthorizationCode + PKCE that doesn't touch the backend at all (no cookies, no CSRF issues, but you have to be careful with XSS). I've implemented a proof of concept React application that uses https://github.com/IdentityModel/oidc-client-js and slightly modified react-oidc (that is a react wrapper to oidce-client-js), and it seems to work nicely with FA for me.

Fair enough.

While I'm always interested in learning more about how FusionAuth fits into system architectures, we don't document many proxy configurations, as they tend to be pretty scenario specific. There are also a lot of different proxies out there, often with good documentation!

But sure, anything you figure out we'd love to have you add to the fusionauth-contrib project as a PR to share with the community.

Thanks!

That is an encoded (signed) JWT being sent in response to the user info request that the FusionAuth OIDC identity provider is making.

This is technically allowed in the OIDC spec, but we do not currently support this response type.

Per spec, the endpoint should support a JSON response which is the default unless the client requests a signed or encrypted response body.

I would look at how your client is registered and see if it is asking for a JWT userinfo response at that time, and change it to be a normal JSON response. You could also file an issue detailing your needs for FusionAuth to support this user info response type.

If that isn't an option, you could also look at using a SAML Identity Provider if the remote identity source supports that.

@cameron-chapman,

Typically the best place to get answers for these kinds of questions is our contact form.

Here is a FAQ with some compliance information.

And here's another one, with slightly different but still useful information.

But if you have specific questions, please reach out directly.

You would have to add a hook in your IdP to make an API call to delete the user in FusionAuth. However, because the SoR will no longer have this user, the use will not be able to log in via FusionAuth either unless their password is reset.

We have discussed adding support for SCIM which may provide some of these types of features assuming other IdPs also support this standard. This is on the roadmap: https://github.com/FusionAuth/fusionauth-issues/issues/106