RE: Implementing GitHub-like "Personal Access Tokens"

@mou, Is this what you are looking for? https://fusionauth.io/docs/lifecycle/authenticate-users/application-authentication-tokens

@kiouplidis I found this in the documentation.

In version 1.50.0 and later, the UserInfo response can be customized with a lambda using the oauthConfiguration.userinfoPopulateLambda value of the application object. See UserInfo populate lambda.

In FusionAuth, you can add custom data to the oauth2/userinfo endpoint response using a Lambda function. This function can add extra claims to the UserInfo response. Here's an example of a simple Lambda function that adds a few extra claims:

function populate(userInfo, user, registration, jwt) {
  // Add a new claim named 'favoriteColor' from a custom data attribute on the user
  userInfo.favoriteColor = user.data.favoriteColor;
  // Add a new claim named 'dept' using a custom data attribute on the registration
  userInfo.dept = registration.data.departmentName;
  // Copy a claim named 'applicationId' from the provided JWT
  userInfo.applicationId = jwt.applicationId;
  // Create an event log of type 'Debug' when the lambda has Debug enabled
  console.debug('Added custom claims to the UserInfo response');
}

In this example, the favoriteColor and dept are custom claims added to the UserInfo response. These claims are derived from the custom data attributes on the user and registration respectively.
Please note that the Lambda function needs to be assigned to an application in FusionAuth for it to take effect.

Hello @yuval,
I'm not very familiar with Salesforce but when taking a look at the guide there is a step that says "Scroll down to the Salesforce Configuration section and open the address from Test-Only Initialization URL in an incognito window.". What do you see when you try that?

If you are not getting that information, can you please describe in a little more detail what steps you have taken and when you receive the above message about the invalid iss?

I am running through the Integrate Your .NET 7 Application With FusionAuth quickstart guide and encountered the error listed below.

I think it has to do with following message in the guide:
The script set up a RS256 asymmetric signing key. FusionAuth supports this signing algorithm, but doesn't ship with a default key.

How do I add the required key to FusionAuth?

Error Message:
An unhandled exception occurred while processing the request.
SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match key:
kid: '236bb45e-e88c-4f07-87ff-c93d6fb752a2'.
Number of keys in TokenValidationParameters: '0'.
Number of keys in Configuration: '0'.
Exceptions caught:
''.
token: '{"alg":"HS256","typ":"JWT","gty":["authorization_code"],"kid":"236cc45e-e88c-4f07-87ff-c93d6fb752a2"}.{"aud":"236bb45e-e88c-4f07-87ff-c93d6fb752a2","exp":1687312521,"iat":1687308921,"iss":"acme.com","sub":"e5e4a956-0f9d-4bec-9121-dededb20e00f","jti":"ca5d3d30-ef26-4e48-afcb-d5ba670ac2d4","authenticationType":"PING","email":"myemail@email.com","email_verified":true,"at_hash":"ANWNkB4EA34d0cr1A50zQg","c_hash":"eCEeL-bgcDFkzcpmNT5k9g","scope":"openid profile","nonce":"634229057201762476.ZDQ1NzEzZWMtM2M4OS00ODgxLWI3ZmEtNjJhZWY0MzhlOWYzN2I4ODdhNmQtYTI2OS00OTc0LThhOWEtYzc2OGEzYmIzN2M3","sid":"4fe9dcc0-1ce9-4819-a97a-47c38cb730b8","auth_time":1687308921,"tid":"a51e69f7-520b-6860-2d33-d1e12f797af9"}'.

@it-contracts Hello. I am pretty new to FusionAuth, but my understanding is that you are taking the correct steps. I am not aware of a way to do this within a single call.

Are you simply looking to be more efficient with the calls or is there some reason this workflow will not work for you?

What is the best way for analytics tracking after a user has successfully registered?

@it-contracts I apologize for misunderstanding your initial question. You and @kash are correct in that by using FusionAuth, it will appear to be one call from your perspective. However, in the background, FusionAuth will still need to make the same amount of calls to the the access token. And another nice thing about using FusionAuth is that you will be able to add other identity providers in the same way.

Does FustionAuth support multi-region active-active set-up for cloud services?

@it-contracts Can you please share the OAuth settings you have for your application? In the Fusion Auth Admin UI select Applications. Select Edit or view for your application. Share the OAuth and JWT settings. Be sure to remove any sensitive information before posting here.

@sandesh Thanks for sharing her on the forum. Hope you are able to accomplish your end goal with the APIs.

@chee Who are your DNS records with? Are those configured correctly?

@netstack hmm, Did I read this part correctly?

I tried the same with re-generating and adjusting the URL's directly at the application. But still the URL's remain unchanged.

Does this mean that even when you update the urls in the application, the change does not take. Or the change takes, but still does not work?

Would it be possible for you to send a screen shot of your config? Please be sure to redact any sensitive info before posting.

@chee Thanks for the details. It looks like you have it mostly configured correctly. In the error message, I see: 'Host header: onemeta-dev.routing.fusionauth.io'. That seems a bit off. Where is the onemeta-dev configured?

@netstack , Adjusting the issuer URL at the Tenant level will not update the Applications URLs. If you have many applications and plan to change often, you can use the APIs to make sure all the applications get updated appropriately.

Please check out this as well:

After modifying the Tenant issuer, you should also update the JWT configuration for your applications:
Navigate to "Applications" in the admin UI.
Click on the edit icon for the application you want to update.
Go to the "JWT" tab.
Change both "Access token signing key" and "Id token signing key" to "Auto generate a new key on save...".
Save the application.
It's important to note that you must create new keys after modifying the Tenant because the Issuer field is embedded in the key.

@pc Was anything changed before the reboot? What prompted the reboot?

@cristian I asked around a bit, and unfortunately I don't have a great answer for you. I think this information about FusionAuth SSO just confirms what you already know.

On a slightly brighter note, someone helped me find this open GH Issue that you should probably follow that might help down the road.

In the meantime, does anyone have any other advice or suggestions for @cristian?

I just took another look and jwt.aud may get you what you need in both instances as well.

@mcad-pha Depending on your situation, there may be a few options.

If you assign the Lambda to the Access Token Populate lambda for the application, you can access the applicationId using jwt.applicationId. This would give you 1 function you could share across the applications if it works for you.

• If you assign the same lambda to the Id Token Populate lambda, you will get undefined.

If that does not work you may be able to use the fetch command in the Lambda. This would allow you to create a single function and have each of the applications call it, passing in the applicationId. This is only available in an Essentials or Enterprise plan.

• Reminder: If you have a paid plan, also remember you can access support through the Customer Account Portal as they may be quicker to respond.

@paul-1 Is it possible that the your code (i.e. //lots of code) is taking too long to process? Can you try to take out most of the code and see if that prevents the time out?

As far as the "testing" goes, it seems odd that there is different data. Have you tried to capture the data actually sent vs what you are testing with and see if there is a difference?

@megharaj-khalate Can you please provide a little more detail in how you are adding users to FusionAuth? Have you checked the FusionAuth logs to see if there are any clues there?