Got the right answer in the Slack channel – I needed to update the theme templates too
Posts made by derjan
-
RE: Password reset always fails with "Your password reset code has expired or is invalid."
-
Password reset always fails with "Your password reset code has expired or is invalid."
I recently upgraded from an old FusionAuth version around 1.19 to 1.40.2. Because it is a one node installation, I also changed the search from elastic to database (PostgreSQL).
Everything went smoothly, but since the upgrade the password reset (and the setup password) links always show a "Your password reset code has expired or is invalid" error.
I've updated the email templates to include the new query params:
[#setting url_escaping_charset="UTF-8"]
[#assign url = "https://my.fusionauth.url/password/change/${changePasswordId}?client_id=${(application.oauthConfiguration.clientId)!''}&tenantId=${user.tenantId}" /]
[#list state!{} as key, value][#if key != "tenantId" && key != "client_id" && value??][#assign url = url + "&" + key?url + "=" + value?url/][/#if][/#list]
${url}
which results in a URL looking like this:
https://my.fusionauth.url/password/change/<some_code>?client_id=<some_id>&tenantId=<some_id>&metaData.device.name=macOS%20Chrome&metaData.device.type=BROWSER&redirect_uri=https%3A%2F%2Fmy.fusionauth.url%2Ftorii%2Fredirect.html&response_type=code&state=<some_state>&timezone=Europe%2FBerlin
Things I have tried/checked:
- Updated the email templates (see above)
- Checked if the clock/time on the FusionAuth server is in sync with NTP
- Increased the "External identifier durations" for "Change password" and "Setup password" to 24 hours (86400 seconds)
- Tested with different applications, accounts, browsers, and operating systems
- Checked the logs (nothing to see there)
What else could be the reason, and how can I fix this? Any help is appreciated.
-
RE: Identity Provider that requires PKCS
@dan I'll go back to the client and see if PKCE can be disabled, but I'm not getting my hopes up…
For reference, the GitHub issue can be found here: https://github.com/FusionAuth/fusionauth-issues/issues/968
-
RE: Identity Provider that requires PKCS
@dan Thank you for the quick reply.
The identity provider is a client's instance of https://www.miniorange.com, and I'm trying to add it in Settings -> Identity Providers -> Add provider -> OpenID Connect.
-
Identity Provider that requires PKCS
I'm trying to integrate an external identity provider that requires the Authorization Code Grant and a PKCE challenge method with S256.
I added the identity provider to FusionAuth, and the login window correctly shows the "Login with <my provider>" button, but I only get a "code challenge required" error back from this identity provider once I click the button.
Inspecting the call made to the identity provider I can see that the client_id, redirect_url, response_type and scope query parameters are correctly set, but code_challenge and code_challenge_method are missing (those are required according to the identity provider's documentation).
Is there a way to enable PKCS for identity providers in FusionAuth?
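The request inspection described in the post above, as an added example that is not part of the original thread or of FusionAuth's code: it checks an authorization request URL for the PKCE parameters and derives an S256 challenge as defined in RFC 7636. The host idp.example.com, the client id and all function names are constructed for illustration; the verifier is the RFC 7636 Appendix B test value.

```python
import base64
import hashlib
import secrets
import string
from urllib.parse import parse_qs, urlsplit

B64URL = set(string.ascii_letters + string.digits + "-_")

def s256_challenge(verifier: str) -> str:
    """RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(verifier))), no '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_verifier() -> str:
    """Fresh 43-character code_verifier built from 32 random bytes."""
    return secrets.token_urlsafe(32)

def audit_authorize_url(url: str) -> list[str]:
    """Return the PKCE problems found in an authorization request URL."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    problems = []
    if params.get("response_type") != "code":
        problems.append("response_type is not 'code'")
    challenge = params.get("code_challenge")
    if not challenge:
        problems.append("code_challenge missing")
    elif len(challenge) != 43 or not set(challenge) <= B64URL:
        problems.append("code_challenge is not an unpadded base64url SHA-256 value")
    method = params.get("code_challenge_method")
    if method is None:
        # RFC 7636 section 4.3: an absent method is treated as "plain".
        problems.append("code_challenge_method missing (treated as 'plain')")
    elif method != "S256":
        problems.append(f"code_challenge_method is {method!r}, expected 'S256'")
    return problems

# Constructed sample requests (hypothetical host and client id).
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
WITHOUT_PKCE = ("https://idp.example.com/authorize?client_id=constructed-client"
                "&redirect_uri=https%3A%2F%2Fmy.fusionauth.url%2Foauth2%2Fcallback"
                "&response_type=code&scope=openid")
WITH_PKCE = (WITHOUT_PKCE + "&code_challenge=" + s256_challenge(RFC_VERIFIER)
             + "&code_challenge_method=S256")

if __name__ == "__main__":
    for name, url in (("without PKCE", WITHOUT_PKCE), ("with PKCE", WITH_PKCE)):
        print(name, "->", audit_authorize_url(url) or "ok")
```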