RE: Implementing GitHub-like "Personal Access Tokens"

@mou, Is this what you are looking for? https://fusionauth.io/docs/lifecycle/authenticate-users/application-authentication-tokens

@kiouplidis I found this in the documentation.

In version 1.50.0 and later, the UserInfo response can be customized with a lambda using the oauthConfiguration.userinfoPopulateLambda value of the application object. See UserInfo populate lambda.

In FusionAuth, you can add custom data to the oauth2/userinfo endpoint response using a Lambda function. This function can add extra claims to the UserInfo response. Here's an example of a simple Lambda function that adds a few extra claims:

function populate(userInfo, user, registration, jwt) {
  // Add a new claim named 'favoriteColor' from a custom data attribute on the user
  userInfo.favoriteColor = user.data.favoriteColor;
  // Add a new claim named 'dept' using a custom data attribute on the registration
  userInfo.dept = registration.data.departmentName;
  // Copy a claim named 'applicationId' from the provided JWT
  userInfo.applicationId = jwt.applicationId;
  // Create an event log of type 'Debug' when the lambda has Debug enabled
  console.debug('Added custom claims to the UserInfo response');
}

In this example, the favoriteColor and dept are custom claims added to the UserInfo response. These claims are derived from the custom data attributes on the user and registration respectively.
Please note that the Lambda function needs to be assigned to an application in FusionAuth for it to take effect.

Hello @yuval,
I'm not very familiar with Salesforce but when taking a look at the guide there is a step that says "Scroll down to the Salesforce Configuration section and open the address from Test-Only Initialization URL in an incognito window.". What do you see when you try that?

If you are not getting that information, can you please describe in a little more detail what steps you have taken and when you receive the above message about the invalid iss?

I am running through the Integrate Your .NET 7 Application With FusionAuth quickstart guide and encountered the error listed below.

I think it has to do with following message in the guide:
The script set up a RS256 asymmetric signing key. FusionAuth supports this signing algorithm, but doesn't ship with a default key.

How do I add the required key to FusionAuth?

Error Message:
An unhandled exception occurred while processing the request.
SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match key:
kid: '236bb45e-e88c-4f07-87ff-c93d6fb752a2'.
Number of keys in TokenValidationParameters: '0'.
Number of keys in Configuration: '0'.
Exceptions caught:
''.
token: '{"alg":"HS256","typ":"JWT","gty":["authorization_code"],"kid":"236cc45e-e88c-4f07-87ff-c93d6fb752a2"}.{"aud":"236bb45e-e88c-4f07-87ff-c93d6fb752a2","exp":1687312521,"iat":1687308921,"iss":"acme.com","sub":"e5e4a956-0f9d-4bec-9121-dededb20e00f","jti":"ca5d3d30-ef26-4e48-afcb-d5ba670ac2d4","authenticationType":"PING","email":"myemail@email.com","email_verified":true,"at_hash":"ANWNkB4EA34d0cr1A50zQg","c_hash":"eCEeL-bgcDFkzcpmNT5k9g","scope":"openid profile","nonce":"634229057201762476.ZDQ1NzEzZWMtM2M4OS00ODgxLWI3ZmEtNjJhZWY0MzhlOWYzN2I4ODdhNmQtYTI2OS00OTc0LThhOWEtYzc2OGEzYmIzN2M3","sid":"4fe9dcc0-1ce9-4819-a97a-47c38cb730b8","auth_time":1687308921,"tid":"a51e69f7-520b-6860-2d33-d1e12f797af9"}'.

@it-contracts Hello. I am pretty new to FusionAuth, but my understanding is that you are taking the correct steps. I am not aware of a way to do this within a single call.

Are you simply looking to be more efficient with the calls or is there some reason this workflow will not work for you?

What is the best way for analytics tracking after a user has successfully registered?

@it-contracts I apologize for misunderstanding your initial question. You and @kash are correct in that by using FusionAuth, it will appear to be one call from your perspective. However, in the background, FusionAuth will still need to make the same amount of calls to the the access token. And another nice thing about using FusionAuth is that you will be able to add other identity providers in the same way.

Does FustionAuth support multi-region active-active set-up for cloud services?

@it-contracts Can you please share the OAuth settings you have for your application? In the Fusion Auth Admin UI select Applications. Select Edit or view for your application. Share the OAuth and JWT settings. Be sure to remove any sensitive information before posting here.

@sandesh Thanks for sharing her on the forum. Hope you are able to accomplish your end goal with the APIs.

If you need help in a non public forum and you have a paid plan which includes technical support, please open a ticket via your account portal.

If you don't have a paid plan and still want the private support, please check out the Essentials Plan. You will get private email support with that.

@john-spellman, Can you let us a bit more about how you created the key? Which option did you choose to import? Which certificate type did you use? You could try different types.

Anything you can tell us about which Identity Provider you created and what the architecture looks like will help. Is FusionAuth the IdP/SP or both?

Also, If you can share the settings of you SAML tab for the application (without sharing secrets), that may give us some insight to the issue as well, if you are using FusionAuth as an IdP.

I don't have a ton of experience with importing certificates, so if anyone out there knows better, please feel free to chime in.

I have set up a key for a SAML provider before and using an RSA/RS256 type key. I generated that key with FusionAuth, but I don't see any reason you couldn't import the key you need.

You may want to check out this blog to test a simple SAML configuration if your situation reflects the setup.

@john-spellman I'm glad you have access to the instance. If you need help in a non public forum and you have a paid plan which includes technical support, please open a ticket via your account portal.

If you don't have a paid plan and still want the private support, please check out theEssentials Plan. You will get private email support with that.

Other than that, I would recommend posting the issues here and removing any sensitive info.

Also, based on your request, be very careful of anyone reaching out to help privately. I like to believe the world is a good place, but there are bad actors out there looking to take advantage of people in your situation.

@kiouplidis, can you please give us a little more detail on how you are set up and exactly what you are trying to do. I see you are getting a NetworkError when trying to reach (auth.*.com). Is that an instance of FusionAuth hosted by FusionAuth or is that an instance of FusionAuth that you have deployed? How are you trying to access the resource? Through a web browser or are you trying to execute an API call? The more information you can provide, the easier it will be to help.

If you have a paid plan which includes technical support, please open a ticket via your account portal.

@john-spellman can you tell us a little more about your set up and situation? Was it working before? What changed? Can the one user still log into prod? The more detail you give the easier it will be for someone to help. Please do not post any passwords or secrets.

@laurent-bartet awesome! So it sounds like you had things set up right, you just were not logged out, so when you went back the reconcile event never took place cause you were already logged in. Is that right?

@laurent-bartet hmm.., since the lambda seems to be set up correctly but appears to not be hitting, let's take a step back and look at the configuration. Can you tell me a little more about that? What identity providers you are using and how they are configured? I read you are using SAML, but it appears in the log that you are using OAuth2. If you are using OAuth2, you might be able to use a JWT populate lambda in that case, but would like to know more about your setup.

@laurent-bartet Since it is a SAML reconcile lambda, do you have it assigned to the Identity Provider?

Settings -> Identity Providers -> {Your SAML v2 Identity Provider} -> Edit -> Reconcile Lambda

@arnel-terblanche Can you tell us a little more about your setup? Is this a first time install? Was it working before? Is this a docker image you are trying to run? Please provide more details.

@laurent-bartet

What kind of Lambda did you create? Did you assign the Lamba to the application?

If it was SAML V2 Poulate then make sure it is assigned to your application.

Applications -> {Your Application} -> SAML tab -> Authentication response -> Populate Lambda -> {Choose the lambda you created}

Also make sure you have Debug enabled set on the Lambda.

Let me know if this helps.