FusionAuth

Posts made by fusionauth.qhj5e

  • RE: What is the relationship between Tenants, SCIM Entity Types, and SCIM Entities?

    @mark-robustelli Thanks. I'm configuring a single SCIM tenant with a client. I want to understand why tenants use entity types instead of entities, and how the permissions relate, so I can document it.

    posted in Q&A by fusionauth.qhj5e, 6 Jan 2025, 08:17
  • What is the relationship between Tenants, SCIM Entity Types, and SCIM Entities?

    To create a User in a Tenant with SCIM, you have to create a client and server entity, and enable SCIM for the Tenant linked to the SCIM Entity Type, not to the SCIM Entity.

    How exactly does this work? Why is there no relationship between the entity and the tenant? I could have multiple SCIM server and client entities, with different permissions, but the Tenant ignores all that and considers only the default SCIM Entity Type when allowing you to create or delete a user.

    posted in Q&A, tags: ritza, by fusionauth.qhj5e, 3 Jan 2025, 10:29
  • RE: OAuth introspect endpoint works only with the credentials of the creator of the access token being verified

    Also, why doesn't FusionAuth expose the default signing key, HS256, at http://localhost:9011/.well-known/jwks.json?

    Because it doesn't, you have to change all machine OAuth to use a custom key, otherwise access tokens can't be verified manually, in addition to not being verifiable using the introspection endpoint.

    posted in Q&A by fusionauth.qhj5e, 6 Nov 2024, 08:41
  • OAuth introspect endpoint works only with the credentials of the creator of the access token being verified

    If you call the access token verification endpoint (https://fusionauth.io/docs/lifecycle/authenticate-users/oauth/endpoints#introspect), it responds successfully if you include as credentials the client id and client secret of the Entity that requested that access token from FusionAuth originally.

    If you instead try to verify the token with another Entity's client id and client secret, you receive a 401 error (unauthorized).

    But the whole point of having a verification endpoint is for a server to validate the token received from a client - and the server obviously won't have the client's secret. Since the server doesn't have the client secret, how is it supposed to validate a token using any secret other than the server's own secret? Is this an error in the permissions of the endpoint of FusionAuth? Otherwise I don't understand how a server can call this endpoint.

    Thanks.

    posted in Q&A by fusionauth.qhj5e, 4 Nov 2024, 09:30
  • RE: How to get Google contacts from an app using FusionAuth

    Oh, it's still an open bug - https://github.com/FusionAuth/fusionauth-issues/issues/2574. I'll ask there.

    posted in Q&A by fusionauth.qhj5e, 24 Oct 2024, 10:02
  • RE: How to get Google contacts from an app using FusionAuth

    I've successfully linked a FA user to a Google user with the identity provider API and the link API, but the forum post this article is based on said: "They'll also have a link that is accessible via the Link API. That link will contain the refresh token in the token field."

    However, calling https://fusionauth.io/docs/apis/identity-providers/links#retrieve-a-link, gets the JSON below, containing NO access token for Google. Now I'm completely stuck, please advise:

        data: {
          identityProviderLink: {
            displayName: 'richard@ritza.co',
            identityProviderId: '26481189-e3f7-433f-804b-9643a025806a',
            identityProviderName: 'fago',
            identityProviderType: 'OpenIDConnect',
            identityProviderUserId: '110494278199559678180',
            insertInstant: 1729762805435,
            lastLoginInstant: 1729762805435,
            tenantId: 'd7d09513-a3f5-401c-9685-34ab6c552453',
            token: '',
            userId: '00000000-0000-0000-0000-111111111111'
          }
        }
    
    posted in Q&A by fusionauth.qhj5e, 24 Oct 2024, 09:57
  • RE: How to get Google contacts from an app using FusionAuth

    Here's my current code:

    <!-- link that sends the user to Google's consent screen; Google returns to /fago -->
    <a href="https://accounts.google.com/o/oauth2/v2/auth?client_id=535042435541-eridnie9d09pa69dsq1hh066ushvp4e0.apps.googleusercontent.com&redirect_uri=http://localhost:3000/fago&response_type=code&scope=openid%20email%20profile%20https://www.googleapis.com/auth/contacts.readonly&state=STATE">Connect Google</a>
    
    const express = require("express");
    const axios = require("axios");
    const router = express.Router();
    
    // Google redirects here with ?code=...&state=... after the user consents.
    router.get("/fago", async function (req, res, next) {
      console.log("IN FAGO");
      try {
        // A fixed "STATE" value cannot detect a forged callback; a per-session random
        // value stored before the redirect is needed for this check to be meaningful.
        if (req.query.state != "STATE") {
          throw new Error(
            "State anti-forgery token returned from Google does not match token sent",
          );
        }
        // Hand the authorization code to FusionAuth to complete the OIDC login.
        const params = {
          applicationId: "e9fdb985-9173-4e01-9d73-ac2d60d1dc8e",
          identityProviderId: "26481189-e3f7-433f-804b-9643a025806a",
          data: {
            code: req.query.code,
            redirect_uri: "http://localhost:3000/fago",
          },
        };
        const url =
          "http://localhost:9011/api/identity-provider/login?idp_hint=26481189-e3f7-433f-804b-9643a025806a";
        const results = await axios.post(url, params);
        console.dir(params.data.code);
        console.dir(results.status + " " + results.statusText);
        console.dir(results.data);
        res.redirect("/account");
      } catch (error) {
        next(error);
      }
    });
    
    module.exports = router;
    

    I'm being returned by FusionAuth status code 232 (which I can't find a meaning for anywhere), and the only field in data is pendingIdPLinkId. I don't know how to get a Google Calendar access token from this.

    posted in Q&A by fusionauth.qhj5e, 23 Oct 2024, 10:20
  • How to get Google contacts from an app using FusionAuth

    Hi, I'm writing an article on getting a user's Google contacts in a web app, via FusionAuth (FA), based on these two conversations:

    • https://fusionauth.io/community/forum/topic/2659/access-google-calendars-of-multiple-google-accounts-with-user-permission/2
    • https://fusionauth.io/community/forum/topic/2569/how-do-i-call-a-google-api-or-retrieve-the-google-credentials

    The brief says: "that button uses the identity provider login OIDC API to complete the login. That is, the dev starts the OIDC process but FA completes it and holds the token. After the user connects Google, the application then calls into FA to get the refresh token. Then it can call the Google API to get the contacts"

    There are some parts I'm confused about. Please clarify the best approach if you can:

    1. I assume the user logs in to the app with FA with a username like richard@example.com, but connects to Google with an email like richard@gmail.com. So the user is not logging in to FA with Google at first. If I'm wrong, please let me know.
    2. What benefit does the app getting Google contacts with FA have? Why shouldn't the app call Google directly through their API, or with custom code?
    3. I assume the app will log the user in to Google by calling https://fusionauth.io/docs/apis/identity-providers/openid-connect#complete-an-openid-connect-login, with a linking strategy in the OpenId provider created in settings of "Pending Link". The Response of this API is a User object. But shouldn't it return a Google token? How do we use a User object to call Google here? Also, this doesn't seem like the app "starting" the OIDC process, it seems like FA does all of it. Have I picked the wrong API call? How do we link the current FA user to their Google email?
    4. As I understand Google sign in, you have to use a snippet of Google JS in your app, which shows a UI form to the user. Which you can't do if calling an API programmatically only. What am I misunderstanding here?
    5. "calls into FA to get the refresh token" - Which API allows this, and what parameters should be passed in?

    Thanks.

    PS. I wanted to improve my knowledge of OAuth significantly for this article, but the "form" on this page to get your ebooks is just a grey line I can't interact with - https://fusionauth.io/ebooks/modern-guide-to-oauth


    UPDATE WHILE WAITING FOR FORUM APPROVAL:

    • I added an href in my app pointing to https://accounts.google.com/o/oauth2/v2/auth?client_id=535042435541-eridnie9d09pa69dsq1hh066ushvp4e0.apps.googleusercontent.com&redirect_uri=http://localhost:9011/api/identity-provider/login&response_type=code&scope=openid%20email%20profile%20https://www.googleapis.com/auth/contacts.readonly&state=STATE&idp_hint=26481189-e3f7-433f-804b-9643a025806a. That successfully directs the user to google, gets consent for contacts, and redirects the user back to http://localhost:9011/api/identity-provider/login?state=STATE&code=4/0AVG7fiTXd3CnD-ff3ga7Zs5BXgHoUbvnPw&scope=email%20profile%20https://www.googleapis.com/auth/contacts.readonly%20openid%20https://www.googleapis.com/auth/userinfo.profile%20https://www.googleapis.com/auth/userinfo.email&authuser=1&hd=ritza.co&prompt=consent. That doesn't seem to do anything though. I realised I'm supposed to redirect the user back to the app, then call the FusionAuth API from the server. Making progress here slowly...
    posted in Q&A, tags: ritza google openid, by fusionauth.qhj5e, 22 Oct 2024, 09:18
  • RE: Connector service docs say it needs only user.id, but fails if not given email too

    @dan Oh I see. The error in the response says:

    "because it was missing a unique id in the [user.id] or enough information to store in FusionAuth (i.e. an email or username)"

    In other words, "either Id or email" is missing from your request. Which makes boolean sense when thinking about it carefully.

    But when first reading it, I thought it meant "you need either Id or email", which is very different. I supplied one of those. I thought that was what the "or" meant.

    This error could be better as:

    "because it was missing a unique id in the [user.id] or enough information to store in FusionAuth (i.e. an email or username). Both are necessary"

    posted in Q&A by fusionauth.qhj5e, 22 Mar 2024, 09:34
  • Connector service docs say it needs only user.id, but fails if not given email too

    I think this might be a bug.

    I made a web service for a Connector that returned:

    // Express handler for the Connector's authentication request (the wrapper is
    // assumed; the original post showed only the return statement).
    app.post("/", (request, response) => {
      return response.status(200).json({
        user: {
          'id': '647978c5-01a0-49b8-8f4f-daab25e7ce63',
          'password': 'password',
          'active': true
        }
      });
    });
    

    FusionAuth System Event Log said I hadn't given it a unique id, which is not true:

    Generic Connector Debug Log for [Test] with Id [b9a215ed-3078-4339-9638-62416fd20837].
    
    3/20/2024 01:58:58 PM Z Attempting authentication request to application with Id [e9fdb985-9173-4e01-9d73-ac2d60d1dc8e] from IP address [172.27.0.1] for [myemailaddress+frontegguserc@simplelogin.com] against the URL [http://host.docker.internal:6252].
    3/20/2024 01:59:00 PM Z Endpoint returned status code [200].
    3/20/2024 01:59:00 PM Z Connector User:
    {
      "active" : true,
      "connectorId" : "e3306678-a53a-4964-9040-1c96f36dda72",
      "data" : {
        "hi" : "hi!"
      },
      "id" : "647978c5-01a0-49b8-8f4f-daab25e7ce63",
      "memberships" : [ ],
      "passwordChangeRequired" : false,
      "preferredLanguages" : [ ],
      "registrations" : [ ],
      "twoFactor" : {
        "methods" : [ ],
        "recoveryCodes" : [ ]
      },
      "usernameStatus" : "ACTIVE",
      "verified" : false
    }
    3/20/2024 01:59:00 PM Z 
    . WARNING DISCARDING USER Connector because it was missing a unique id in the [user.id] or enough information to store in FusionAuth (i.e. an email or username).
    

    If I changed my service to instead return the below, the Connector works and logs me in.

    // Same handler, now returning email and username as well (wrapper assumed as above).
    app.post("/", (request, response) => {
      // assumed: loginId is the identifier FusionAuth sends in the Connector request body
      const email = request.body.loginId;
      return response.status(200).json({
        user: {
          'id': '647978c5-01a0-49b8-8f4f-daab25e7ce63',
          'password': 'password',
          'active': true,
          'email': email,
          'username': email
        }
      });
    });
    

    Either a Connector should work with only a UUID, or the code and docs should change to say it requires email and username too.

    posted in Q&A, tags: connectors ritza, by fusionauth.qhj5e, 20 Mar 2024, 14:27
  • RE: How to bulk import users with no password hash?

    @mark-robustelli Oh ok, I'll set the password to a UUID then and set the user to change password on login. I'll try on Monday. Thanks for the forum link.

    posted in Q&A by fusionauth.qhj5e, 15 Mar 2024, 15:16
  • How to bulk import users with no password hash?

    I'm trying to import users without a password hash from Frontegg using importUsers in the TypeScript SDK.

    Although the importusers documentation, https://fusionauth.io/docs/apis/users#request-6, says only a username and email is required, the code is telling me You must specify the [user.password] property for each user.

    I've set passwordChangeRequired to true. I see some of the other user API methods have sendSetPasswordEmail, but this isn't available on the import method.

    Is there a setting I can change to allow import with no password? Or must I use another method? Or is this a bug? I don't think any of the other migration tutorials we've written haven't had password hashes available.

    Thanks.

    posted in Q&A, tags: frontegg ritza import migration, by fusionauth.qhj5e, 15 Mar 2024, 13:44
  • RE: Why does import user with Registration fail?

    @alex-patterson Thanks, this works. I thought the uuid would be better in case I ever change the role name though.

    posted in Q&A by fusionauth.qhj5e, 1 Mar 2024, 16:43
  • Why does import user with Registration fail?

    I'm creating a Role for the default Application like so, and then trying to import a user:

    import {FusionAuthClient} from '@fusionauth/typescript-client';
    
    const applicationId = 'e9fdb985-9173-4e01-9d73-ac2d60d1dc8e';
    const subscriberRoleId = '635ef5c8-54c5-4605-ba0f-add6ad1578ce';
    const apiKey = '33052c8a-c283-4e96-9d2a-eb1215c69f8f-not-for-prod';
    const fusionauthUrl = 'http://localhost:9011';
    const fa = new FusionAuthClient(apiKey, fusionauthUrl);
    
    // Create the Subscriber role on the default application with a fixed role id.
    await fa.createApplicationRole(applicationId, subscriberRoleId, { role: {
        id: subscriberRoleId,
        isDefault: false,
        isSuperRole: false,
        name: 'Subscriber',
        description: 'Subscriber'
    } });
    
    // `user` is the import object listed below in JSON.
    const importRequest = { users: [user], validateDbConstraints: true };
    const result = await fa.importUsers(importRequest);
    

    Importing without user Registrations works fine, but as soon as I add a Registration, I get this error:

    {
      fieldErrors: {
        'user.registrations.roles': [
          {
            code: '[invalid]user.registrations.roles',
            message: 'Invalid Application role(s) [635ef5c8-54c5-4605-ba0f-add6ad1578ce (app: ExampleNodeApp)].'
          }
        ]
      },
      generalErrors: []
    }
    

    Here is the user I'm importing in JSON:

    {
      "email": "a@example.com",
      "encryptionScheme": "example-wordpress-phpass",
      "factor": 8,
      "password": "JFAkQi9rQ3pUTURWN2NjQ2xhUlNoSlB6OHN1V1FkS2M1Lw==",
      "salt": "JFAkQi9rQ3pUTURWN2NjQ2xhUlNoSlB6OHN1V1FkS2M1Lw==",
      "uniqueUsername": "a",
      "username": "a",
      "verified": false,
      "active": true,
      "registrations": [
        {
          "applicationId": "e9fdb985-9173-4e01-9d73-ac2d60d1dc8e",
          "roles": ["635ef5c8-54c5-4605-ba0f-add6ad1578ce"]
        }
      ],
      "data": {
        "WordPress_ID": 2,
        "WordPress_user_nicename": "a",
        "WordPress_user_registered": "2024-02-21 10:52:53",
        "WordPress_display_name": "a",
        "WordPress_nickname": "a",
        "WordPress_wp_capabilities": {"subscriber": true},
        "WordPress_default_password_nag": "1"
      }
    }
    

    What must I change in my import user to get this to work please? The applicationId is correct and the roleId, I've checked in the web interface.

    posted in Q&A, tags: import wordpress type ritza registration, by fusionauth.qhj5e, 29 Feb 2024, 08:48