Login with Magic Link?

  • @dan said in Login with Magic Link?:

    You are an admin (you have the admin role in the FusionAuth app) so you should be able to add a redirect URI.

    But I am trying to use the Research Credit Toolkit application. I haven't tried it with the FusionAuth application yet. Anyway I am going to try to record a screen video. I use Screenshot which doesn't have that ability. Can you recommend an app to do the recording with?

  • Notice that when I first log in to the control panel (see attached), the Smart Link is not there. Screenshot from 2020-10-06 12-37-07.png

  • Well, I almost got it. Here is the screenshot. Notice the invalid URL? I do not have an SSL certificate for this laptop. Could this be the issue? Screenshot from 2020-10-06 20-02-22.png

  • Glad to see you're figuring things out.

    https/http shouldn't be a problem. Is there a space at the beginning or end of your URL?

  • OK. Got it in there.
    Screenshot from 2020-10-07 13-03-04.png

    Now, how should I test that this is working OK? My initial plan was to a) add users via the API, b) send a login message via email, c) have users complete login via the link in the email, d) have the user hit the Send button to submit the form.

    But now I think I should test step by step. What is next?

  • Heya,

    Are you asking for some free consulting 🙂 ?

    I think testing/writing each of these steps separately is a good idea. Step a should be pretty straightforward, step b doesn't involve FusionAuth (I don't think; we do have a welcome email, but that happens when you add the user without any action). Step c is your code + a FusionAuth API call, and step d is your code too.

  • Are you asking for some free consulting 🙂 ?

    No, I can play this "trial and error" game for months :). Seriously though, I am a little concerned that I couldn't enter the URL for quite a few days and then it started working. I just want to be sure that the authorized request origin URL is actually being used. Is there some easy way to test that without using the API?
    Did I mention that I appreciate your help and the T-shirt too?

  • Sounds good 🙂

    If you want to verify it is working:

    • start up your php app
    • add a user in the admin screen
    • register the user for your application
    • go to the list of applications, click on the green magnifying glass next to your application and look for the 'login url'. copy that.
    • open an incognito window
    • paste the url
    • you should be prompted to login. use the username and password of the user you just added
    • you should end up at the redirect URL

    For what to do from there, I'd suggest looking at this code: https://github.com/FusionAuth/fusionauth-example-php-connector/blob/auth-with-oauth/oauth-callback.php#L24 which gets a token.

    You could also start making API calls, as shown in this code: https://github.com/FusionAuth/fusionauth-example-php-webhook/blob/master/webhook.php#L36 (you won't want to make that call, but that's how you'd initialize a client and make calls to, say, update the user's data).

  • OK Dan. I have gotten the email sent and I do show up at the redirect URL. Now I need to get the access token. To do this I need the $provider, which you can see depends on the $clientId and $clientSecret (see below). But if I put these in the application, won't this be a security problem?

    // Build the OAuth2 client; the authorize, token and userinfo endpoints live under the FusionAuth base URL
    $provider = new \League\OAuth2\Client\Provider\GenericProvider([
        'clientId' => $client_id,
        'clientSecret' => $client_secret,
        'redirectUri' => $redirect_uri,
        'urlAuthorize' => $fa_url.'/oauth2/authorize',
        'urlAccessToken' => $fa_url.'/oauth2/token',
        'urlResourceOwnerDetails' => $fa_url.'/oauth2/userinfo'
    ]);

    So my question is how do I get an access token inside the redirect URL?

  • But if I put these in the application, won't this be a security problem?

    If you put them in a javascript app, yes. But if they are in the php application only, then it'll be like a database password. Not really a security issue.

    You could also inject them as an environment variable or pull from a secrets manager; however you manage your database credentials, I'd suggest doing the same with the client id/secret.
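
As an added example (not part of the thread and not FusionAuth's own code), here is a callback script for the redirect URL that follows the advice above: the client id and secret are read from the server environment and the authorization code is exchanged for an access token on the server. The environment variable names and the `require_env` helper are assumptions, and league/oauth2-client is assumed to be installed via Composer.

```php
<?php
// Added example. Assumes league/oauth2-client via Composer; env var names are hypothetical.
require __DIR__ . '/vendor/autoload.php';

use League\OAuth2\Client\Provider\GenericProvider;
use League\OAuth2\Client\Provider\Exception\IdentityProviderException;

// Read a required setting from the server environment; fail closed if it is absent.
function require_env(string $name): string
{
    $value = getenv($name);
    if ($value === false || $value === '') {
        error_log("Missing required environment variable: $name");
        http_response_code(500);
        exit('Server configuration error.');
    }
    return $value;
}

$fa_url = rtrim(require_env('FUSIONAUTH_URL'), '/');
$provider = new GenericProvider([
    'clientId'                => require_env('FUSIONAUTH_CLIENT_ID'),
    'clientSecret'            => require_env('FUSIONAUTH_CLIENT_SECRET'),
    'redirectUri'             => require_env('FUSIONAUTH_REDIRECT_URI'),
    'urlAuthorize'            => $fa_url . '/oauth2/authorize',
    'urlAccessToken'          => $fa_url . '/oauth2/token',
    'urlResourceOwnerDetails' => $fa_url . '/oauth2/userinfo',
]);

// After a successful login the browser arrives here with ?code=... in the query string.
$code = $_GET['code'] ?? '';
if (!is_string($code) || $code === '') {
    http_response_code(400);
    exit('Missing authorization code.');
}

try {
    // Server-to-server exchange: the client secret never reaches the browser.
    $token = $provider->getAccessToken('authorization_code', ['code' => $code]);
} catch (IdentityProviderException $e) {
    error_log('Token exchange failed: ' . $e->getMessage());
    http_response_code(401);
    exit('Login failed.');
}

// Keep the token in the server-side session; never echo it into the page.
session_start();
session_regenerate_id(true);
$_SESSION['access_token'] = $token->getToken();
```

If the application starts the login flow itself, it should also compare `$_GET['state']` with the value it saved in the session before exchanging the code.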
