RE: Implementing GitHub-like "Personal Access Tokens"

@mou, Is this what you are looking for? https://fusionauth.io/docs/lifecycle/authenticate-users/application-authentication-tokens

Hello @yuval,
I'm not very familiar with Salesforce but when taking a look at the guide there is a step that says "Scroll down to the Salesforce Configuration section and open the address from Test-Only Initialization URL in an incognito window.". What do you see when you try that?

If you are not getting that information, can you please describe in a little more detail what steps you have taken and when you receive the above message about the invalid iss?

I am running through the Integrate Your .NET 7 Application With FusionAuth quickstart guide and encountered the error listed below.

I think it has to do with following message in the guide:
The script set up a RS256 asymmetric signing key. FusionAuth supports this signing algorithm, but doesn't ship with a default key.

How do I add the required key to FusionAuth?

Error Message:
An unhandled exception occurred while processing the request.
SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match key:
kid: '236bb45e-e88c-4f07-87ff-c93d6fb752a2'.
Number of keys in TokenValidationParameters: '0'.
Number of keys in Configuration: '0'.
Exceptions caught:
''.
token: '{"alg":"HS256","typ":"JWT","gty":["authorization_code"],"kid":"236cc45e-e88c-4f07-87ff-c93d6fb752a2"}.{"aud":"236bb45e-e88c-4f07-87ff-c93d6fb752a2","exp":1687312521,"iat":1687308921,"iss":"acme.com","sub":"e5e4a956-0f9d-4bec-9121-dededb20e00f","jti":"ca5d3d30-ef26-4e48-afcb-d5ba670ac2d4","authenticationType":"PING","email":"myemail@email.com","email_verified":true,"at_hash":"ANWNkB4EA34d0cr1A50zQg","c_hash":"eCEeL-bgcDFkzcpmNT5k9g","scope":"openid profile","nonce":"634229057201762476.ZDQ1NzEzZWMtM2M4OS00ODgxLWI3ZmEtNjJhZWY0MzhlOWYzN2I4ODdhNmQtYTI2OS00OTc0LThhOWEtYzc2OGEzYmIzN2M3","sid":"4fe9dcc0-1ce9-4819-a97a-47c38cb730b8","auth_time":1687308921,"tid":"a51e69f7-520b-6860-2d33-d1e12f797af9"}'.

@it-contracts Hello. I am pretty new to FusionAuth, but my understanding is that you are taking the correct steps. I am not aware of a way to do this within a single call.

Are you simply looking to be more efficient with the calls or is there some reason this workflow will not work for you?

What is the best way for analytics tracking after a user has successfully registered?

@it-contracts I apologize for misunderstanding your initial question. You and @kash are correct in that by using FusionAuth, it will appear to be one call from your perspective. However, in the background, FusionAuth will still need to make the same amount of calls to the the access token. And another nice thing about using FusionAuth is that you will be able to add other identity providers in the same way.

Does FustionAuth support multi-region active-active set-up for cloud services?

@it-contracts Can you please share the OAuth settings you have for your application? In the Fusion Auth Admin UI select Applications. Select Edit or view for your application. Share the OAuth and JWT settings. Be sure to remove any sensitive information before posting here.

@sandesh Thanks for sharing her on the forum. Hope you are able to accomplish your end goal with the APIs.

@it-contracts, which license did you purchase? If you selected the Essentials Plan you should have access to the Account Portal and may receive support directly through email if this is time sensitive.

@jacob-0 do you have Google set up as and IdP in FusionAuth? https://fusionauth.io/docs/apis/identity-providers/google. Would this flow work for you if the right scopes are provided?

@jacob-0 Ok, can you tell me a little more about how you '...ask the user to connect their calendar manually'?

It sounds like you are getting the token directly from Google and then are looking to store that in connection with the FusionAuth user? Do I have that right?

@jacob-0 have you taken a look at Google's calender scopes? https://developers.google.com/identity/protocols/oauth2/scopes#calendar

You will need to add the appropriate scope in the scopes section of the Identity Provider configuration.

@mou I don't think there is anything that would allow you to create a personal access token as you are describing it. You may be about to "workaround" that by managing the token a bit. Since the user has to login to get the token, you could get the personal token and embed the user name. i.e. on the getoken your code could get the token for the user and then append the email before you sent it to the client. It would look something like:

user:john@example.com

Get Token -> x12345y

Append User: john@example.com:x12345y
base64 encode: IGpvaG5AZXhhbXBsZS5jb206eDEyMzQ1eQ==

give that to the user, then in your app, when you receive it, base64decode it, giving you the username and token for the user.

Is that something that might work for you?

@mou Did you get to the bottom of that page? (Enabling Authentication Tokens and Generating Authentication Tokens). Those are per user. Is there a reason this won't work?

I did see this note that might help your use case.

Note that you must provide a valid API key unless you’ve also unchecked the Require an API key setting in the Login API Settings.

@hendrik-ebbers I am a little confused on the ask. It sounds like you want a user to be able to log into a webpage and then be able to call your apis? Would they call the apis from an interface you provide in the web application or from some other application?

@mou, Is this what you are looking for? https://fusionauth.io/docs/lifecycle/authenticate-users/application-authentication-tokens

@jan-1 , unfortunately I don't have a great suggestion for you. It looks like @robotdan is taking a look at the issue you created. I will follow the issue and check back in, once they update it.

@mo-mustkem It is a Theme Template Variable. Please check out https://fusionauth.io/docs/customize/look-and-feel/template-variables#oauth-authorize. rememberDevice is in /oauth2/authorize

@egli FusionAuth provides a feature called Self Service Registration Forms that allows users to update most of their own data from a hosted page. This includes updating passwords and other user data fields. However, this feature is only available in paid plans. Please check out https://fusionauth.io/docs/lifecycle/manage-users/account-management/updating-user-data