FusionAuth Community forum: posts tagged "oidc"
UNSOLVED Fusionauth integration with kubeoidc proxy
Q&A • kubernetes fusionauth oidc • divneetsingh.m
0 Votes • 2 Posts • 61 Views

      dan

      @divneetsingh-m

      Is this what you are talking about? https://github.com/jetstack/kube-oidc-proxy

      Where are you not able to see the role? Have you confirmed the role is in the FusionAuth generated JWT?

Limit login for SAML and OIDC to a given email domain
Q&A • domain limits sso saml oidc • dan
0 Votes • 2 Posts • 51 Views

      dan

      Use the managed domains feature. From the docs:

      Adding one or more managed domains for this configuration will cause this provider not to be displayed as a button on your login page. Instead of a button the login form will first ask the user for their email address. If the user’s email address matches one of the configured domains the user will then be redirected to this login provider to complete authentication. If the user’s email address does not match one of the configured domains, the user will be prompted for a password and they will be authenticated using FusionAuth.

      Documentation:

      https://fusionauth.io/docs/v1/tech/identity-providers/samlv2/

      https://fusionauth.io/docs/v1/tech/identity-providers/openid-connect/

Lambda reconcile does not remove role from registration
Q&A • azure lambda oidc reconcile registration • tl+fa
0 Votes • 12 Posts • 252 Views

      joshua

      Hi @tl-fa,

      You can view our Roadmap Guidance regarding how features are implemented into FusionAuth. A good snapshot of current development can be found here as well.

      We will certainly update any related issue cards as development moves forward!

      Thanks!
      Josh

Using Slack as Identity Provider with OpenID for Federated Identity Management with Aspnet Core App
Q&A • external identity oidc idp federation • etienne.lorthoy
0 Votes • 3 Posts • 459 Views

      E

      We've managed to get "Sign in with Slack" to work using the following settings:

      Client authentication: Request body (client_secret_post)
      Authorization endpoint: https://slack.com/openid/connect/authorize
      Token endpoint: https://slack.com/api/openid.connect.token
      Userinfo endpoint: https://slack.com/api/openid.connect.userInfo
      Scope: openid email profile
      Linking strategy: Link on email. Create the user if they do not exist.
      Reconcile lambda: Default OpenID Connect Reconcile provided by FusionAuth

Getting error with OIDC identity provider
Q&A • oidc jwt userinfo • dan
0 Votes • 2 Posts • 69 Views

      dan

      That is an encoded (signed) JWT being sent in response to the user info request that the FusionAuth OIDC identity provider is making.

      This is technically allowed in the OIDC spec, but we do not currently support this response type.

      Per spec, the endpoint should support a JSON response which is the default unless the client requests a signed or encrypted response body.

      I would look at how your client is registered and see if it is asking for a JWT userinfo response at that time, and change it to be a normal JSON response. You could also file an issue detailing your needs for FusionAuth to support this user info response type.

      If that isn't an option, you could also look at using a SAML Identity Provider if the remote identity source supports that.

SAML2 or OIDC?
Q&A • saml oidc • dan
0 Votes • 2 Posts • 51 Views

      dan

While FusionAuth supports both well, if you have the option to use SAML v2 or OIDC, I would always recommend OIDC.

      In general, it is much much simpler to use, debug, configure, etc.

Modifying the issuer claim
Q&A • issuer claims oidc • dan
0 Votes • 2 Posts • 233 Views

      dan

      It sounds like you're asking if you can modify the issuer claim.

      You can control the "Issuer", or iss claim, in two different ways:

1. You can set it in the tenant config, where it will apply for all JWTs issued for that tenant. You'd modify that by navigating to "Tenants", then your tenant, then "General". Modify the "Issuer" field value to be login.example.com.

2. You can set it at the individual JWT level by modifying the JWT populate lambda. You would do this if you wanted to have a different issuer based on some information from the user or registration data. (This does not appear to be the case here, just including this for completeness.)

      I'm not clear if you have more than one tenant in your system; if you do, you can either change the "Issuer" setting for the default tenant (which is what is provided when no tenantId is on the URL) or request the endpoint with a tenantId appended, like this:

      https://login.example.com/.well-known/openid-configuration?tenantId=<tenantid>

Passwordless login and the OIDC workflow
Q&A • passwordless oidc • dan
0 Votes • 2 Posts • 164 Views

      dan

That should work ok. The only reason not to do it this way is that you're sort of emulating the OAuth frontend's usage of this API, which in theory is subject to change.

      Re: state, additional key value pairs will be stored, however if our front end is consuming the URL, you won’t have access to the API response which will contain that state information.

OIDC with Azure AD
Q&A • azure oidc • dan
0 Votes • 2 Posts • 105 Views

      dan

      We have users that have been successful in configuring with AD v2. We have not yet tested or updated the documentation.

      This may be helpful. https://github.com/FusionAuth/fusionauth-issues/issues/855

Different JWT expiration times based on how they are generated
Q&A • jwt expiration api oidc • dan
0 Votes • 2 Posts • 73 Views

      dan

The JWT TTL can be configured per application, so if you were using a different application for OIDC vs an API, then you could do it.

      But if you don't want to use multiple applications, then it is not possible, at least currently.

      I could see a use case for asking for a JWT with a TTL equal to or less than the configuration and that request being honored, that could be a feature request. But as of right now, the only option is different applications.

Can I get the OAuth/OIDC endpoints for an application via the API?
Q&A • oauth oidc endpoint api • dan
0 Votes • 2 Posts • 58 Views

      dan

      These are generated in the UI. So the values are not available from the API.

      However you can derive them yourself as well. We just take the URL + /oauth2/authorize?... + redirect_uri etc.

Clarification on OAuth/OIDC logout endpoint
Q&A • oauth oidc logout • Moonshine
0 Votes • 4 Posts • 249 Views

      M

      Yea, that flexibility would be ideal IMO, although the registeredLogoutURLs should be workable for us at this point. FWIW that is actually the behavior I assumed before digging into the docs. I'll definitely add the issue to GitHub, as I think it's probably part of the path to getting OIDC Certification which appears to already have an issue.

      Thanks!

Is FusionAuth both an OIDC Relying Party and an Identity Provider?
Q&A • faq oidc standards • dan
0 Votes • 1 Post • 68 Views

      No one has replied