It's a subtle difference, but one-time use refers to the value of the refresh token, which you use against the /oauth2/token endpoint to get a new access token via the refresh grant.

A sliding window refers to the refresh token itself, which has a unique id which stays the same, even as the value of the refresh token changes.

So if you had a refresh token with a lifetime of 4 hours, a sliding window and one time use configured, you might end up with something like this:

at creation: id 09cfb961-291a-420f-b5cf-48c5c87a67cc, value RNhY5yE39t1o2FXKxgyH, lifetime 4 hours when the RT is presented to the /oauth2/token endpoint 3 hours after creation: id 09cfb961-291a-420f-b5cf-48c5c87a67cc, value Fh95KZLfSMjMNxpR5B4c, lifetime 4 more hours when the RT is presented to the /oauth2/token endpoint 3 hours later: id 09cfb961-291a-420f-b5cf-48c5c87a67cc, value baHneP4s0hBHPEk88GPC, lifetime 4 more hours

More details here: https://github.com/FusionAuth/fusionauth-issues/issues/2925

Reproduction steps:

Go to Application page Click on add symbol (+) Fill in fields: name: test tenant: <any> OAuth tab -> Authorized redirect URLs: https://example.com/v2/oauth OAuth tab -> Logout URL: https://example.com/logout Click on save symbol

Note: This is all arbitrary data in these fields. I'm finding that it I need to fill in the "name" and "tenant" fields first, save the application and then go back in to enter the OAuth details.

@mark-robustelli it was my fault, it turned out someone in the team created a lambda operation that was running which changes the user's data as soon as the user signs up which overrides the initial data.

Thanks for your reply though.

@jw-0 said in React SDK example - nothing in the userInfo but tid and sub:

I'm sure I'm doing something stupid here but I can't work out what I haven't done.

I am using the changebank React SDK example as my test harness, using the community version of FusionAuth for now, hosted under docker
I've created a new tenant, a new app and then a new user.
I can login using this new user into the app but the userInfo structure has nothing in it other the the use sub and the tid.

Config is below

const config: FusionAuthProviderConfig = {
clientId: "31067471-23fc-4634-afa9-c049ff4f0a86",
redirectUri: "http://localhost:5173", slope run

serverUrl: "http://localhost:9011/",
shouldAutoFetchUserInfo: true,
shouldAutoRefresh: true,
onRedirect: (state?: string) => {
console.log(Redirect happened with state value: ${state}"});
}
};

Example code is:
In main.tsx
const { isLoggedIn, isFetchingUserInfo, userInfo } = useFusionAuth();

In the AccountPage.tsx I have:

<p>tid {userInfo?.tid}</p> <p>sub {userInfo?.sub}</p> <p>roles {userInfo?.roles}</p> <p>email {userInfo?.email}</p>

The roles and email fields are always null

Any ideas?

In FusionAuth, ensure that the user claims are set up correctly. Go to the tenant settings and check the "User Claims" section to confirm that the necessary claims (like email, name, etc.) are included. Make sure that your application is requesting the correct scopes during the authentication process. Common scopes include openid, profile, and email. Verify that these scopes are included in your authentication request. Review the ChangeBank React SDK example to ensure it correctly handles the userInfo endpoint. There may be specific configurations or API calls that need to be made to retrieve additional user data.

Duplicate post

@mark-robustelli Sure,Thanks!
If you find anything please let me know

@peanutsunless glad this was useful for you!

Here's the PR making the doc better:

https://github.com/FusionAuth/fusionauth-site/pull/3371

@celiaruby127

Also, sorry for my late reply, I saw just now that I had to activate notifications.

@sunita65rwt What kind of integration are you working on? Can you narrow down your request in terms of what you are trying to accomplish? What frameworks are you working with? If you can clarify a bit, it may be easier to help.

@aman-c Have you been able to follow the Next.js quickstart?

Not the best way of doing that but found that you could inject some stuff in metaData.device.name

<input type="hidden" name="metaData.device.name" value="_${request.getParameter('someparam')}" />

I can later retrieve it and parse it and assign it

[#assign someparam=request.getParameter("metaData.device.name")?split("_")?last]

Another option that works as of today is to set up a tenant to tenant connector.

Add a connector to the new tenant. Point it at the /api/login endpoint of the old tenant, including an API key as a header.

Change your app to send everyone to a new application in the new tenant.

When the user logs in to the new application, if it is the first time they've been seen, the old tenant data, including password, will be queried. The password hash will be transparently migrated to the new tenant.

This slow migration takes time, but is another option.

@dan Thanks for this. I've tried your suggestion but the result isn't very pretty. Freemarker templates are a new one on me and once I dig into the default templates, when creating a new advanced theme, it's quite complex enough to begin with!

I am usually the type to prefer more customisation than less but maybe there could be a couple of "cookbooks" or example templates somewhere? It's nice to see some visual examples in the docs but without knowing how to get there, it's a little disheartening.

Hi @jamesbaxter . Sorry, just saw this now. I don't have the example app available. Sorry!

Oh, it's still an open bug - https://github.com/FusionAuth/fusionauth-issues/issues/2574. I'll ask there.

@tschlegel There are differences between the database search engine and using open search. Some of the searches are more limited with the database search engine.

"If you don’t need advanced searching capabilities, you may be able to use the database search engine for large installations. This is not a use case FusionAuth tests, so ensure you provision your database with enough resources and benchmark your typical use cases."

@olivier-rochon Would you be able to provide a little more detail? Does the error always occur or do you get that message only when an error occurs?