There isn't a configuration for hostname. The hostname and protocol is pulled from the requestor, specifically from the X-Forwarded-Proto and X-Forwarded-Host headers. My setup specifically was Cloudflare (https) -> AWS Application Load Balancer (http) -> FusionAuth instance. The ALB didn't pass through the Cloudflare headers, so it always went to http rather than https. Fixed by making the ALB only serve https (which is how it should have been configured to begin with, so this really pointed out a configuration error with our network environment).
Best posts made by alex
-
RE: How do I change the base URL for the server?
Latest posts made by alex
-
RE: Send additional params to identity providers link
@joshua To add on to what @adil was saying, we want to be able to block users signing up for the app unless they have an invite token. The invite token may not have an email address associated with it which matches the login they create (ex. if create a user/register a user with an appleid, the email for the account will be the proxy email apple gives out, not their actual email).
Currently, we are set up so that when a user logs in with an Identity Provider account (ex. Google, Apple, etc) it will autocreate a FusionAuth user account and register that user with our application.
Our initial screen gives the option to enter an invite code or log in, kicking off two flows:
Invite Code Flow
We send the invite code as an additional parameter in the query string to the oauth login page. We can get the parameter and pass it along to the other pages in the login flow by modifying the theme templates. However, if they choose to create an account with one of the IdPs, we lose the identity token when it reverts to a flow controlled by the template (actually, in the current version it doesn't seem to hit the template at all).What we'd like to do is include the invite token in the webhook call back to our main server either when the user account is created or when the registration for that new user account is performed. This would allow us to expire the invite token and associate the FusionAuth user with the invite. The only place available to put custom data seems to be the data section of the user object itself. We can't figure out how to include additional information in the redirect URL, however (we can't populate state, since that's already used for what seems like a CSRF token).
The broader question here is how can we associate our own state with the account creation/registration process such that we're able to pass that state back to either our server (via webhook) or to the client hosting the page (the final redirect fusionauth does back to the main application)?
Login Flow
If the user enters the login page without the invite token, we'd like to prevent logging in with an IdP account from autocreating a user account, registering it with the application, and logging the user in. Alternatively, if we're not able to block account creation under those circumstances, we'd like to be able to determine that the account was created without an invite token (we could do some more complicated logic to remove the account and prevent the user from actually logging in). -
RE: Cannot set user.username from Google reconciliation lambda
@joshua In turn:
Logs
I do see some entries in the log files, though I have no idea whether I'm seeing everything I should. There are some info level messages from startup, and after that I'm only seeing ERROR level, ex.:--------------------------------------------------------------------------------------------------------- --------------------------------- Starting FusionAuth version [1.29.0] ---------------------------------- --------------------------------------------------------------------------------------------------------- 2021-08-20 6:06:55.435 PM INFO io.fusionauth.api.plugin.guice.PluginModule - No plugins found 2021-08-20 6:06:55.902 PM INFO io.fusionauth.api.service.system.NodeService - Node [c3c92207-821a-436e-abdb-0768499f491e] started. 2021-08-20 6:06:57.092 PM INFO io.fusionauth.api.configuration.DefaultFusionAuthConfiguration - Loading FusionAuth configuration file [/usr/local/fusionauth/config/fusionauth.properties] 2021-08-20 6:06:57.093 PM INFO io.fusionauth.api.configuration.DefaultFusionAuthConfiguration - Dynamically set property [fusionauth-app.url] set to [http://10.0.3.205:9011] 2021-08-20 6:06:57.093 PM INFO com.inversoft.configuration.BasePropertiesFileInversoftConfiguration - - Overriding default value of property [database.mysql.enforce-utf8mb4] with value [true] - Overriding default value of property [database.mysql.connector-version] with value [8.0.21] - Overriding default value of property [fusionauth-app.runtime-mode] with value [development] - Overriding default value of property [search.type] with value [database] 2021-08-20 6:06:57.099 PM INFO com.inversoft.jdbc.hikari.DataSourceProvider - Connecting to PostgreSQL database at [jdbc:postgresql://fusionauthdb.cluster-coqfhgx4e2sj.us-east-1.rds.amazonaws.com:5432/fusionauthdb] 2021-08-20 6:06:57.101 PM WARN com.zaxxer.hikari.HikariConfig - HikariPool-1 - idleTimeout has been set but has no effect because the pool is operating as a fixed size pool. 2021-08-20 6:06:57.106 PM INFO com.zaxxer.hikari.HikariDataSource - HikariPool-1 - Starting... 2021-08-20 6:06:57.245 PM INFO com.zaxxer.hikari.HikariDataSource - HikariPool-1 - Start completed. 2021-08-20 6:06:59.512 PM INFO com.inversoft.scheduler.DefaultScheduler - Starting up scheduler 2021-08-20 6:06:59.513 PM INFO com.inversoft.scheduler.DefaultScheduler - Scheduler is running 2021-08-20 6:07:01.488 PM INFO io.fusionauth.api.service.system.NodeService - Node [c3c92207-821a-436e-abdb-0768499f491e] added with address [http://10.0.3.205:9011] 2021-08-20 6:07:01.556 PM INFO io.fusionauth.api.service.system.NodeService - Node [c3c92207-821a-436e-abdb-0768499f491e] promoted to master at [2021-08-20T18:07:01.556806Z], the previous master Node [f628dd78-ba19-46dd-8950-b0da92f35bd5] has been shutdown or removed
I don't see any info messages from the lambda function at the beginning of this chain (although, as mentioned, I have verified that the lambda is being called by customizing the user.fullname to something not in the default handler.
Paid edition
Yes, I have a paid edition, specifically in order to be able to get unique usernames.Unique Usernames
Although I'm using e-mail as the mapping key for the google authenticator, what I want it to do is also generate a unique username. In our application, we have links to user profiles, so we need a unique username (putting an e-mail address in the url is, well, I'm sure I don't need to enumerate all the reasons why that would be bad). What I would have expected is that since I've set it to require unique usernames and there's an autogeneration strategy set to disambiguate usernames, that If I set the username on the way in from the google connector, it would disambiguate as necessary (since my assumption would have been that the validation was downstream from all entry points, whether html forms for the self-service pages or registration via another identity provider.What I'd really like to be able to do is the following:
- The user account is uniquely identified by a username.
- When a user first logs in using an outside identifier, the usename is created based on one or more of the fields (my choice, per identity provider), and if that username is taken, it appends some random numbers according to the disambiguation strategy already present in the configuration.
- the user can add an alternate identity provider with a different e-mail address linked to the same username only when logged into the original account.
- The user can merge accounts (including all application specific data) by requesting a merge. The requested-of account would receive an e-mail notification asking permission to merge, which would be valid for a short/customizable period of time.
However, since there doesn't seem to be a way to customize how the username is generated, and since google doesn't provide a username via whatever field you're mapping it to, it seems like that's not going to be possible.
Have I got that right?
-
RE: Cannot set user.username from Google reconciliation lambda
OK, so based on the the information posted in response to #1356, there's no real way to do what I was looking to do, unless a webhook is fired after the db transaction completes (I was thinking I could receive notification of user creation via webhook, make an api call to set the username, but that won't work if the transaction isn't already committed. It also sounds like the lambda is being fired after validation checks have been run, which is an odd design decision.
I'd still like to know why turning on debug logs isn't working for the lambda.
-
RE: Cannot set user.username from Google reconciliation lambda
@dan I am a paid client. My tenant settings are as follows:
My application settings include the following:
When I log in for the first time using a google account, FusionAuth creates a user and a registration, and populates user.firstName, user.lastName, user.FullName, and user.imageUrl. However, it does not create a username (shows in the user console as - ). What I'd like to have happen is that it will create a default username of fistname+lastname, and if that username is already taken, it will automatically append a -### where the ### is chosen randomly, which looks like what should happen based on the tenant settings above. Instead, though, it doesn't create any username at all. The lambda function was an attempt to set the username manually, assuming that the rules for disambiguating duplicate usernames would kick in if it were populated. I can't debug what might be causing the problem (ex. I'm populating the wrong object property) since, although debugging is turned on for the lambda function, the console log statements are not being printed to the logs. -
RE: Cannot set user.username from Google reconciliation lambda
I need to be able to ensure that the application has a unique username for every user. I can munge it together by setting the username to be required as part of the registration form, but when logging in using a google account, this means that it's an extra required step, and all I need is the the firstname+lastname+an optional disambiguator (which would seem to be supported based on the configuration parameter). It's really frustrating that the debug logging doesn't work, and that I can't set the user's username. It would also be nice if I could use a lambda to set the registration username. I thought about using a webhook also (since that has a registration hook) and calling back to the API to set the username, but I'm assuming I can't do that since the registration hasn't finished being created at the time the webhook has been called.
-
Cannot set user.username from Google reconciliation lambda
I've modified the default google reconciliation lambda to add a default username:
// This is the default Google reconcile, modify this to your liking. function reconcile(user, registration, idToken) { // Un-comment this line to see the idToken object printed to the event log // console.info(JSON.stringify(idToken, null, 2)); // The idToken is the response from the tokeninfo endpoint // https://developers.google.com/identity/sign-in/web/backend-auth#calling-the-tokeninfo-endpoint console.info('Google User Object-------------------------'); console.info(JSON.stringify(idToken, null, 2)); user.firstName = idToken.given_name; user.lastName = idToken.family_name; user.fullName = idToken.name+"(really)"; user.username = user.firstName; user.userName = user.lastName; user.imageUrl = idToken.picture; console.info('User Object-------------------------'); console.info(JSON.stringify(user, null, 2)); console.info('Registration Object-------------------------'); console.info(JSON.stringify(registration, null, 2));
I've set it up so that if a user does not already exist for the application and they log in with a google login, the user will be created and a registration for the application will be created. the user is created but the username is not set for either the user or the application registration.
I'm assuming that if I can set the user username, it will carry through to the registration, and if there is already a username for another user, it will add random numbers per the configuration for the application.
However, the reconciliation lambda doesn't add the username, and although debugging is turned on for the lambda, the console.info lines in the lambda don't appear in the logs (I've tried modifying the fullname just to verify that this is the lambda that is being hit, and it is).
Please assist!
-
RE: How do I change the base URL for the server?
There isn't a configuration for hostname. The hostname and protocol is pulled from the requestor, specifically from the X-Forwarded-Proto and X-Forwarded-Host headers. My setup specifically was Cloudflare (https) -> AWS Application Load Balancer (http) -> FusionAuth instance. The ALB didn't pass through the Cloudflare headers, so it always went to http rather than https. Fixed by making the ALB only serve https (which is how it should have been configured to begin with, so this really pointed out a configuration error with our network environment).
-
How do I change the base URL for the server?
I originally entered http://auth.mydomain.com in the setup wizard, but need it to be https://auth.mydomain.com (I have google as a SAML provider, and it won't accept a non https ACS url). The base URL doesn't seem to be set in the configuration properties, and I'm not it in any of the likely tables (I'm self-hosting).
I'd prefer not to blow away the entire configuration. Anyone know how I can change the url?