FusionAuth
Tag: oidc

Unsolved Fusionauth integration with kubeoidc proxy
Q&A • kubernetes fusionauth oidc • divneetsingh.m • 0 Votes • 4 Posts • 1.6k Views

Latest post by A:

      Proxy servers can store cached copies of sites. You will get the data from the proxy when you access a particular location.

Limit login for SAML and OIDC to a given email domain
Q&A • domain limits sso saml oidc • dan • 0 Votes • 2 Posts • 945 Views

Latest post by dan:

      Use the managed domains feature. From the docs:

      Adding one or more managed domains for this configuration will cause this provider not to be displayed as a button on your login page. Instead of a button the login form will first ask the user for their email address. If the user’s email address matches one of the configured domains the user will then be redirected to this login provider to complete authentication. If the user’s email address does not match one of the configured domains, the user will be prompted for a password and they will be authenticated using FusionAuth.

      Documentation:

      https://fusionauth.io/docs/v1/tech/identity-providers/samlv2/

      https://fusionauth.io/docs/v1/tech/identity-providers/openid-connect/
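The routing rule quoted above, as an added example that is not part of the post or of FusionAuth's own code: it models the e-mail-domain decision the login form makes under managed domains and builds the Identity Provider API payload that enables it. The provider list, the sample addresses, the application id and the API field name `domains` are this example's assumptions; check them against the docs linked above.

```javascript
// Added example (not FusionAuth's own code): models the managed-domains
// routing described above and builds the API payload that turns it on.
// Assumptions for illustration: the provider list, the e-mail addresses,
// the API field name "domains" and the application id.

// Constructed sample: two identity providers, each with managed domains.
const IDENTITY_PROVIDERS = [
  { name: 'Corp SAML', type: 'SAMLv2', domains: ['example.com'] },
  { name: 'Partner OIDC', type: 'OpenIDConnect', domains: ['partner.example', 'Partner-Labs.example'] },
];

// Returns the lower-cased domain of a well-formed address, or null. Exactly
// one '@' with text on both sides is accepted; anything else is rejected
// rather than guessed at, so a malformed input cannot pick a login path.
function emailDomain(email) {
  const parts = String(email).trim().split('@');
  if (parts.length !== 2 || parts[0] === '' || parts[1] === '') return null;
  return parts[1].toLowerCase();
}

// Decide where the login form sends the user after the e-mail step:
//   { action: 'redirect', provider }  the domain is managed by a provider
//   { action: 'password' }            FusionAuth prompts for a password
//   { action: 'invalid' }             the address is malformed
// The comparison is an exact, case-insensitive match. A suffix test such as
// domain.endsWith('example.com') would also capture "notexample.com", which
// belongs to a different organisation.
function routeLogin(email, providers = IDENTITY_PROVIDERS) {
  const domain = emailDomain(email);
  if (domain === null) return { action: 'invalid' };
  const provider = providers.find((idp) =>
    idp.domains.some((d) => d.trim().toLowerCase() === domain));
  return provider ? { action: 'redirect', provider: provider.name } : { action: 'password' };
}

// Request body for creating an OIDC identity provider with managed domains
// (POST to the Identity Provider API). Field names follow FusionAuth's
// Identity Provider API as this example understands it; verify against the
// documentation linked above before relying on them.
function buildOidcIdpRequest({ name, clientId, clientSecret, domains, applicationId }) {
  return {
    identityProvider: {
      type: 'OpenIDConnect',
      name,
      enabled: true,
      domains: domains.map((d) => d.trim().toLowerCase()),
      oauth2: { client_id: clientId, client_secret: clientSecret, scope: 'openid email profile' },
      applicationConfiguration: {
        [applicationId]: { enabled: true, createRegistration: true },
      },
    },
  };
}

// Stand-alone demonstration over constructed addresses.
const DEMO_ADDRESSES = ['alice@example.com', 'Bob@EXAMPLE.COM', 'carol@notexample.com',
  'dave@partner-labs.example', 'not-an-address'];
function demo() {
  return DEMO_ADDRESSES.map((e) => [e, routeLogin(e)]);
}
console.log(JSON.stringify(demo(), null, 1));
```

The exact-match rule is the part worth keeping: a suffix or substring comparison on the domain would silently widen which users get redirected to a third-party identity provider.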

Lambda reconcile does not remove role from registration
Q&A • azure lambda oidc reconcile registration • tl+fa • 0 Votes • 12 Posts • 5.2k Views

Latest post by joshua:

      Hi @tl-fa,

      You can view our Roadmap Guidance regarding how features are implemented into FusionAuth. A good snapshot of current development can be found here as well.

      We will certainly update any related issue cards as development moves forward!

      Thanks!
      Josh

Using Slack as Identity Provider with OpenID for Federated Identity Management with Aspnet Core App
Q&A • external identity oidc idp federation • etienne.lorthoy • 0 Votes • 4 Posts • 2.4k Views

Latest post by dan:

      @eirikur That is awesome, thanks so much for sharing your settings.

Getting error with OIDC identity provider
Q&A • oidc jwt userinfo • dan • 0 Votes • 2 Posts • 1.6k Views

Latest post by dan:

      That is an encoded (signed) JWT being sent in response to the user info request that the FusionAuth OIDC identity provider is making.

      This is technically allowed in the OIDC spec, but we do not currently support this response type.

      Per spec, the endpoint should support a JSON response which is the default unless the client requests a signed or encrypted response body.

      I would look at how your client is registered and see if it is asking for a JWT userinfo response at that time, and change it to be a normal JSON response. You could also file an issue detailing your needs for FusionAuth to support this user info response type.

      If that isn't an option, you could also look at using a SAML Identity Provider if the remote identity source supports that.
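To confirm from a captured response that you are in the situation the answer describes (a signed JWT where a JSON object was expected), here is an added example that is not part of the post or of FusionAuth's code. The sample bodies are constructed inline; the classifier decodes a JWT's header and payload without verifying anything, which is why the claims come back under the name `unverifiedClaims`.

```javascript
// Added example (not FusionAuth's own code): tells a JSON userinfo response
// apart from the signed-JWT form described in the answer above, so the
// failure can be confirmed from a captured response. Sample bodies are
// constructed inline; nothing here verifies a signature, and decoded JWT
// claims are returned as unverifiedClaims for that reason.

function b64urlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function b64urlDecode(part) {
  const pad = part.length % 4 === 0 ? '' : '='.repeat(4 - (part.length % 4));
  return Buffer.from(part.replace(/-/g, '+').replace(/_/g, '/') + pad, 'base64').toString('utf8');
}

// A compact JWS (3 segments) or JWE (5 segments): base64url parts joined by dots.
function looksLikeCompactJwt(body) {
  return /^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]*){2,4}$/.test(body.trim());
}

// Decode header (and, for a JWS, the payload) WITHOUT verification. A real
// client must check alg, key, iss and aud before trusting any of this.
function decodeUnverified(body) {
  const segments = body.trim().split('.');
  const header = JSON.parse(b64urlDecode(segments[0]));
  if (segments.length === 5) {
    return { kind: 'jwt', encrypted: true, alg: header.alg, enc: header.enc, unverifiedClaims: null };
  }
  return { kind: 'jwt', encrypted: false, alg: header.alg, kid: header.kid,
           unverifiedClaims: JSON.parse(b64urlDecode(segments[1])) };
}

function classifyUserInfoResponse(contentType, body) {
  const ct = String(contentType || '').split(';')[0].trim().toLowerCase();
  const text = String(body || '');
  if (ct === 'application/jwt') {
    return looksLikeCompactJwt(text)
      ? decodeUnverified(text)
      : { kind: 'error', reason: 'application/jwt body is not a compact JWT' };
  }
  if (ct === 'application/json') {
    try {
      return { kind: 'json', claims: JSON.parse(text) };
    } catch (e) {
      // Some servers label a JWT body as JSON; recognise it instead of failing blindly.
      return looksLikeCompactJwt(text)
        ? Object.assign(decodeUnverified(text), { mislabelled: true })
        : { kind: 'error', reason: 'application/json body is not valid JSON' };
    }
  }
  return { kind: 'error', reason: 'unexpected Content-Type: ' + (ct || '(none)') };
}

// Constructed samples: a plain JSON response and a JWS with a placeholder signature.
const SAMPLE_JSON = JSON.stringify({ sub: '248289761001', email: 'jane@example.com', email_verified: true });
const SAMPLE_JWS = [
  b64urlEncode(JSON.stringify({ alg: 'RS256', kid: 'key-1', typ: 'JWT' })),
  b64urlEncode(JSON.stringify({ sub: '248289761001', email: 'jane@example.com', iss: 'https://idp.example' })),
  b64urlEncode('placeholder-signature'),
].join('.');

console.log(classifyUserInfoResponse('application/json; charset=utf-8', SAMPLE_JSON));
console.log(classifyUserInfoResponse('application/jwt', SAMPLE_JWS));
```

If the classifier reports `kind: 'jwt'`, the fix is on the client registration at the remote provider (request a plain JSON userinfo response), as the answer says; decoding the payload locally is only for diagnosis, never for accepting the claims.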

SAML2 or OIDC?
Q&A • saml oidc • dan • 0 Votes • 2 Posts • 1.4k Views

Latest post by dan:

While FusionAuth supports both well, if you have the option to use SAML v2 or OIDC, I would always recommend OIDC.

      In general, it is much much simpler to use, debug, configure, etc.

Modifying the issuer claim
Q&A • issuer claims oidc • dan • 0 Votes • 2 Posts • 3.8k Views

Latest post by dan:

      It sounds like you're asking if you can modify the issuer claim.

      You can control the "Issuer", or iss claim, in two different ways:

1. You can set it in the tenant config, where it will apply for all JWTs issued for that tenant. You'd modify that by navigating to "Tenants", then your tenant, then "General". Modify the "Issuer" field value to be login.example.com.

2. You can set it at the individual JWT level by modifying the JWT populate lambda. You would do this if you wanted to have a different issuer based on some information from the user or registration data. (This does not appear to be the case here, just including this for completeness.)

      I'm not clear if you have more than one tenant in your system; if you do, you can either change the "Issuer" setting for the default tenant (which is what is provided when no tenantId is on the URL) or request the endpoint with a tenantId appended, like this:

      https://login.example.com/.well-known/openid-configuration?tenantId=<tenantid>
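For the second option above (setting `iss` per JWT), here is an added example of a JWT populate lambda together with a local harness that runs it; it is not part of the post and not code shipped by FusionAuth. The function signature `populate(jwt, user, registration)` is FusionAuth's lambda contract; the allow-list, the `registration.data.issuer` key and the sample values are this example's assumptions.

```javascript
// Added example (not from the post, not FusionAuth's shipped code): a JWT
// populate lambda for the second option above, setting iss per JWT from
// registration data, plus a local harness that runs it. The signature
// populate(jwt, user, registration) is FusionAuth's lambda contract; the
// allow-list, the registration.data.issuer key and the sample values are
// this example's assumptions.

// ---- lambda body: this function is what goes into the FusionAuth lambda ----
function populate(jwt, user, registration) {
  // Only issuer values from this fixed map may be emitted. Relying parties
  // trust iss to choose the expected issuer and signing keys, so a value
  // copied straight from user- or admin-editable data must not reach it.
  var allowedIssuers = {
    'main': 'https://login.example.com',
    'partner': 'https://login.partner.example'
  };
  var requested = registration && registration.data ? registration.data.issuer : undefined;
  if (typeof requested === 'string' &&
      Object.prototype.hasOwnProperty.call(allowedIssuers, requested)) {
    jwt.iss = allowedIssuers[requested];
  }
  // Otherwise jwt.iss keeps the tenant "Issuer" setting FusionAuth filled in.
}
// ---- end of lambda body ----

// Local harness: fakes the objects FusionAuth hands to the lambda so the
// behaviour can be checked without a running server. All values are constructed.
function simulate(tenantIssuer, registrationData) {
  var jwt = { iss: tenantIssuer, sub: 'user-1', aud: 'app-1', exp: 1700000000 };
  var user = { id: 'user-1', email: 'alice@example.com' };
  var registration = registrationData === undefined
    ? undefined
    : { applicationId: 'app-1', data: registrationData };
  populate(jwt, user, registration);
  return jwt;
}

console.log(simulate('https://login.example.com', { issuer: 'partner' }).iss);
console.log(simulate('https://login.example.com', { issuer: 'constructor' }).iss);
```

One caveat before using the per-JWT route: a standards-compliant relying party compares `iss` with the issuer it learned from the discovery document, so a per-JWT value that differs from the tenant setting will fail that check unless the client is configured to expect it. Use the allow-list so the lambda can never emit an issuer string that came verbatim from registration data.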

Passwordless login and the OIDC workflow
Q&A • passwordless oidc • dan • 0 Votes • 2 Posts • 1.1k Views

Latest post by dan:

That should work ok. The only reason not to do it this way is because you're sort of emulating the OAuth frontend's usage of this API, which in theory is subject to change.

      Re: state, additional key value pairs will be stored, however if our front end is consuming the URL, you won’t have access to the API response which will contain that state information.

OIDC with Azure AD
Q&A • azure oidc • dan • 0 Votes • 2 Posts • 1.3k Views

Latest post by dan:

      We have users that have been successful in configuring with AD v2. We have not yet tested or updated the documentation.

      This may be helpful. https://github.com/FusionAuth/fusionauth-issues/issues/855

Different JWT expiration times based on how they are generated
Q&A • jwt expiration api oidc • dan • 0 Votes • 2 Posts • 2.9k Views

Latest post by dan:

      The JWT TTL can be configured per application, so if you were using a different application for OIDC vs an API - then you could do it.

      But if you don't want to use multiple applications, then it is not possible, at least currently.

      I could see a use case for asking for a JWT with a TTL equal to or less than the configuration and that request being honored, that could be a feature request. But as of right now, the only option is different applications.

Can I get the OAuth/OIDC endpoints for an application via the API?
Q&A • oauth oidc endpoint api • dan • 0 Votes • 2 Posts • 2.2k Views

Latest post by dan:

      These are generated in the UI. So the values are not available from the API.

      However you can derive them yourself as well. We just take the URL + /oauth2/authorize?... + redirect_uri etc.

Clarification on OAuth/OIDC logout endpoint
Q&A • oauth oidc logout • Moonshine • 0 Votes • 4 Posts • 4.1k Views

Latest post by M:

Yeah, that flexibility would be ideal IMO, although the registeredLogoutURLs should be workable for us at this point. FWIW that is actually the behavior I assumed before digging into the docs. I'll definitely add the issue to GitHub, as I think it's probably part of the path to getting OIDC Certification, which appears to already have an issue.

      Thanks!

Is FusionAuth both an OIDC Relying Party and an Identity Provider?
Q&A • faq oidc standards • dan • 0 Votes • 2 Posts • 3.3k Views

Latest post by H:

      @dan
I faced a similar kind of issue last time; I am still searching for a proper solution.