RE: Authentication for an Application with Web Client and Mobile front-ends

@mehamm,

It sounds like you are on the right track. A few comments:

• The Web API should not persist the access token, but the web app definitely can (often in a session). The web app can then present the access token until it expires, in which case the web app can renew the access token with the refresh token.

• "Web API verifies token against FusionAuth (my app) endpoint" -> You can also verify the claims were signed by FusionAuth without calling the introspect endpoint by using a JWT library.

• "Web API pulls user claims from token for role(s) and tenant, if verified returns data back to web app." -> Makes sense. Make sure to check the "aud" and "iss" claims to ensure they are what you expect. You should do this even if you are using the introspect endpoint.
• The correct tenant can be found from the client_id, since all applications are associated with one and only one tenant.
  If you have any specific issues, please feel free to post them in the forum (a new topic might be best).

By the way, if you are running in FusionAuth in production at scale, we encourage you to get a support contract . Having one allows access to the engineering team via opening support tickets. https://fusionauth.io/pricing/. Obviously, this is not a requirement, but should your business needs require a higher support level, it is available

I hope this helps!

Hi @michael-schramm,

If you could provide a bit more context to your issue, we could perhaps give a few pointers, but unfortunately, I believe this is outside of our accepted/documented use guidelines. FusionAuth is supported using MySQL and Postgres (documentation here).

Thanks,
Josh

Hey FusionAuth Community!

Just a heads up -- we have made a few revisions to this post!

If you are interested in using VueJS and FusionAuth -- check it out!

https://fusionauth.io/blog/2020/08/06/securely-implement-oauth-vuejs

Hi bogorad,

The functionality that you are looking for is located in the themes section of the FusionAuth application. Specifically, you will want to review all OAuth pages (OAuth authorize and possibly others) to adjust the template to your user requirements. FusionAuth uses FreeMarker for templating.

Additionally, below is a link to our documentation regarding themes (as well as a very useful video on how to mimic a custom Stack Overflow login page, for instance)
https://fusionauth.io/docs/v1/tech/themes/

Hopefully, that sets you on the right path! Enjoy FusionAuth!

Thanks,
Josh

1.30 is released

Release notes forming
https://fusionauth.io/docs/v1/tech/release-notes/

My Database (sql, rds, postgres) is filling up. Any pointers on how to address this?

There is an option to adjust the number of claims on the token through the jwt populate lambda.

Documentation here

Let me know if that gets at what you looking for!

Thanks,
Josh

There are a number of things that might be causing this.

One thing to check is to see how many logs, debug, and other records your installation is holding on to. This can be reviewed by clicking under Setting -> System

I have attached a screenshot for your review.

Finally, it might be useful to review your system architecture to ensure it is sized appropriately for the number of users you are hosting.

I hope this helps!

Thanks,
Josh

Is there an option to make JWT token smaller in a size?

Hi @mehamm!

All applications are associated with one and only one tenant.

You may find some answers to your questions around multi-tenancy here:

https://fusionauth.io/blog/2018/09/24/multi-tenancy-in-a-single-tenant-architecture

I will also excerpt from the article

A FusionAuth tenant is simply a namespace where Applications, Groups, and Users exist

Another article that might be of interest is below:
https://fusionauth.io/blog/2020/06/30/private-labeling-with-multi-tenant

These articles should help you understand the concept of tenants as it applies to FusionAuth.

I hope this helps!

Thanks,
Josh

@akash

You can see that you are getting a new error now(?)

4/18/2022 09:36:50 AM GMT Calculate the [c_hash] to ensure the integrity of the provided [code] value [c667757d99b164e63b63e7c3eaa3e211d.0.rrztw.Erf15Va-FL9xxQTjq0rg3w].

Before

4/12/2022 06:17:57 AM GMT The [id_token] integrity check failed. Expected a [c_hash] of [null] and found [18lo6UM0UdBPwl7OHzLljg].

Did you change how you are accessing the endpoint or maybe did the logs cut off?

Thanks,
Joshh

@stephen

I think that makes sense to me. I would have to test this to fully ensure I remember the flow, but displaying 1 or two codes might be fine.

Thanks
Josh

@stephen

These are usually one time use codes. So you have ten chances to use them, in the case of MFA, for instance, that would be 10 times to login if your SMS provider was down, for instance.

Maybe I am missing your use case?

Thanks,
Josh

@mariaplxrn

Can you confirm where/how you are building this link?

http://92.123.98.201:9011/oauth2/authorize?client_id=98909b30-hrg1-4141-93fb-387b9846bb94&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Foauth-redirect&scope=offline_access&state=8h7qqzysl3pglw1wlapm8s5guxu8l7saotgxfw2sadyo3kczm4nt7hu0wpudwhnnf3a&code_challenge=A7UFTcMEPUoRn0VXlixkqbHv61EPeN502sx0YgwiMjs&code_challenge_method=S256

If you are using something like our five minute guide, this link is built in the pug template in the views. You may have to make adjustments there.

https://github.com/FusionAuth/fusionauth-example-node

Thanks,
Josh

@akash

This suggests to me that you are not using a hybrid grant when initially requesting the code and id token from Apple.

In your authorize request, before you get a token, you must request to get a code, and id_token (hybrid grant) together.

I hope this helps.

Thanks,
Josh

@yash-chopra

This suggests that you have an integration error. My recommendation would be to turn on debug enabled for the SAML IdP in question and review the event logs for troubleshooting guidance.

Thanks,
Josh

@jw

Can you confirm if you are still having this issue?

This consent screen may be controlled by Google (and possibly unrelated to FusionAuth configuration)

Thanks,
Josh

@mohyddin-tash

We are updating our documenation to highlight a key difference here.

You will want to make sure that you have adjusted numberOfResults value, which in this case is likely defaulting to 25.

It is best to keep a small "results window" but then loop through the results with an increasing startRow value.

• https://fusionauth.io/docs/v1/tech/core-concepts/search#pagination

I hope this helps

Thanks,
Josh

@admin-5

Thanks for letting us know. This should now be corrected.

Thanks,
Josh
FusionAuth

@robotdan Was able to use hosted pages to do a forgot password flow successfully both on local dev and using our local node app.

@hamza Let us know what other variables / your workflow is so that we can attempt a recreation if necessary.