RE: Doubling of login records

@sergey_smirnov can you tell us a little about how you have FusionAuth set up? Can you look at your server logs and make sure the page is not being called multiple times? Also, can you share the details of the log entries (be sure to redact private information)?

@ext_figuvini after reading your post again, I think I read it differently. The way the SSO logout works is that on logout, FusionAuth calls all the logout urls for each applications. It would seem that you are correct in that creating an application for each subdomain makes sense and would work. (You can create applications through the API so you should be able to automate this.) Can you try this for a few domains and confirm it works?

@ext_figuvini this is an interesting use case. I would think the way you have it configured would work. I would have to recreate you situation to test. Unfortunately it may be a while before I can get that done. I should be able to take a look next week. If anyone has experience with this, please feel free to chime in.

@eakpan Awesome, thanks for posting. This may end up helping others. Glad you are able to configure FusionAuth to work for you.

@atakan thanks for sharing the information.

@jobclone20 I just took a look at the page for the FusionAuth Visual Studio Templates. It appears they are only for Visual Studio 2022.

@laurahernandez I hope you are able to achieve the look and feel you are going for. I understand you would like to be able to show and hide the password dialog in simple themes and you are not the only one. Please be sure to upvote the issue here.

I understand using advanced themes may require more work, but ultimately it is more flexible that simple themes. Good Luck.

@josephbeckley99 As far as I can tell, hiding the password input with an advance theme is the best workaround. Just be aware that with a little knowledge and some hacking a use may be able to expose the password field and use it if they are really focused on doing so.

@laurahernandez This appears to be the right approach. I am a bit confused on whether you got it working or not in terms of no longer seeing the sessions in the AdminUI after your flow. Please let me know.

@laurahernandez What is the Logout behavior set to for your Application?

@eakpan Have you tried using Postman (or something similar) to make the calls directly to the APIs and see if it behaves as you expect? If it does, then you might consider opening an issue in the typescript client repo. If it does not, you may want to open an issue with FusionAuth itself.

@haziqt have you taken a look at the documentation on How To Us a Proxy? There are a few headers you will need to add.

@robert-regnier Unfortunately, it looks FusionAuth does not support this. I did find an
open issue that you may want to upvote if it is in fact the same issue you are experiencing.

You may also want to check out this blog. It talks about a custom domain using one of FusionAuth's hosting packages, but think it should work in your case as well.

Does anyone else have a similar setup? How did you implement it?

@laurahernandez, Have you tried the advanced theme? You can try to hide the password fields from the login page using custom themes and hiding the password input. This approach is commonly suggested, but it is not foolproof, as users may be able to workaround it if the try and still see default login form with password fields present. Therefore, this is not a fully secure method to disable password logins entirely for all scenarios.

@jobcuatoi14, Since I work for FusionAuth, I obviously have a pretty strong opinion on this one. Beyond that, I still have a strong opinion as a developer in general. I will share with you my thoughts so you can take them under consideration.

I'm not going to tell you what you should and shouldn't do. Everyone's authentication strategy is their own decision. Personally, in general, I would recommend against building your own. Instead of listing reasons, I will pose questions for you to consider so you can come to your own conclusion.

• Are you a security expert? If not, you will need to implement all the standards. Yes, you can use common libraries, but you will have to always stay up on the latest and greatest. Everyday you will need to check for vulnerabilities in every library you use. If something breaks, you will have to stop what you are doing on your core product and fix it. You also mentioned JWTs and there are many other well known standards out there such as OAuth. Knowing the recipe and executing it are two different things. You may read how to prepare Fugu, but do you really want to do that yourself or leave it to an expert?

• Is authentication your product? If not, you will have to consider all the time you will be dedicating to authentication as a developer. How much better would your core product be if you spent that time focusing on it?

• How much time do you have to dedicate to building your own auth? Even with standard libraries, you will have to build a lot. Probably more than you initially thought. I know you talked about using bcrypt for hashing, but are you aware of the concept of using salt with the passwords? If not, I would really recommend not doing it. If you are, that is just one more thing you will have to deal with. You mentioned the forgot password flow, but you will likely need other things like initial registration flow. What about updating user data in general?

• What features do you need? Of course that comes down to what you are trying to protect. If you are just maintaining your small blog subscription, username and password may work. If it is more sensitive, you may need things like MFA. Will you need to allow social logins? Will you need to enforce password policies? Will you need to support passwordless login? Role Based Authentication?

• Do you have time to maintain what you build on top of your core product? Once you have it built does not mean you can forget about it. Security is an evergreen process. The consequences of a lapse and impact on your product/company can only be measured by you.

I could go on and on, but I think for a forum post this gives a pretty good support of my recommendation.

Whatever issue you have with the other tools you mentioned or even FusionAuth itself, I would challenge you strongly to consider if the issue is easier to deal with than creating the whole system yourself. In my experience, it is usually easier to work around the issue than build your own.

I can't necessarily speak for the other products you have listed, but if you list some of your concerns with FusionAuth, I may be of some assistance.

Are you aware FusionAuth has a free Community Edition?

Also, I would recommend going through a FusionAuth Quickstart in the programming language of your choice to see how easy it is to get started.

Deciding which authentication to use is not a simple choice, I hoped this helped and didn't sound too "salesy".

I'd love to hear other's thoughts on this as well.

@eakpan which FusionAuth client are you using?

@eakpan would it be possible for you so share some of the code?

@jay-saxophone383 I do believe you can get FusionAuth to work as you described here. Here are some links that may give you a little more detail.

SAML v2 with ADFS

OpenID Connect with Azure AD

Enabling Single Sign-On in an Organization

Product Update

As mentioned above, some of the features described are only available with paid planes and if you need to test them out, you will want to contact FusionAuth and see what can be worked out.

@jay-saxophone383

Does FusionAuth provide an evaluation license to test its premium features for on premise?

As far as I know there is no license that allows you to test the premium features. If this is something you are interested, you may want to reach out to the sales team.

You can use the public sandbox instance, which has a valid license and access to all premium features. No credit card or account is required. However, be aware that any data you enter is public and the environment is reset regularly, so your changes will not persist.

Is there something specific (a feature/use case) that you are interested in and how it works?

Does the solution offer robust capabilities to collect and securely store detailed information about trusted user devices and activities during access management sessions?

Yes, in addition to general logging there are numerous webhooks that allow you to consume JSON messages emitted from FusionAuth events.

This information is crucial for tracking audit trails and performing analytics, particularly in the following areas:

a) Device Information
    i) Various device types and models

Yes

ii) Popular operating systems across desktop and laptop platforms (e.g., Windows, macOS, Linux, ChromeOS) and mobile platforms (e.g., Android, iOS, others)

Yes

iii) Security posture details, such as antivirus software and posture checks

I'm not sure what you mean with this question. FusionAuth does have Advanced Threat Detection available. Is that what you are talking about?

b) Comprehensive Reporting
    Ability to track all access management activities, including login times, accessed resources, actions performed, user activity patterns, and associated geographic locations

FusionAuth has a few views you can look at to see such information (like the dashboard below), but between the webhooks and API access you should be able to collect, organize and view the data the way you would need to.

This is an example of the dashboard with some of the advanced features enabled.

Here is an example from a successful login webhook.

{
  "event" : {
    "applicationId" : "3c219e58-ed0e-4b18-ad48-f4f92793ae32",
    "authenticationType" : "PASSWORD",
    "connectorId" : "e3306678-a53a-4964-9040-1c96f36dda72",
    "createInstant" : 1747952916005,
    "id" : "fbeb32bc-0a98-4835-800e-7b0b5aa75523",
    "info" : {
      "deviceName" : "macOS Chrome",
      "deviceType" : "BROWSER",
      "ipAddress" : "192.168.147.1",
      "userAgent" : "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36"
    },
    "ipAddress" : "192.168.147.1",
    "linkedObjectId" : "00000000-0000-0000-0000-000000000001",
    "tenantId" : "d7d09513-a3f5-401c-9685-34ab6c552453",
    "type" : "user.login.success",
    "user" : {
      "active" : true,
      "birthDate" : "1981-06-04",
      "connectorId" : "e3306678-a53a-4964-9040-1c96f36dda72",
      "data" : {
        "favoriteColor" : "chartreuse"
      },
      "email" : "admin@example.com",
      "firstName" : "Dinesh",
      "id" : "00000000-0000-0000-0000-000000000001",
      "insertInstant" : 1736377123822,
      "lastLoginInstant" : 1747952916005,
      "lastName" : "Chugtai",
      "lastUpdateInstant" : 1746139865421,
      "memberships" : [ ],
      "passwordChangeRequired" : false,
      "passwordLastUpdateInstant" : 1746139893637,
      "preferredLanguages" : [ ],
      "registrations" : [ {
        "applicationId" : "ec526002-35cc-4e6e-8f5b-0e4fba2b08c8",
        "data" : { },
        "id" : "b2e3f755-1b1f-44f5-92ff-e6a41fa3eb12",
        "insertInstant" : 1745098563132,
        "lastLoginInstant" : 1745279910748,
        "lastUpdateInstant" : 1745098563132,
        "preferredLanguages" : [ ],
        "roles" : [ ],
        "tokens" : { },
        "usernameStatus" : "ACTIVE",
        "verified" : true,
        "verifiedInstant" : 1745098563132
      }, {
        "applicationId" : "3c219e58-ed0e-4b18-ad48-f4f92793ae32",
        "data" : { },
        "id" : "53635379-6b65-47c0-a593-579f1e0340ec",
        "insertInstant" : 1736377123867,
        "lastLoginInstant" : 1747952916005,
        "lastUpdateInstant" : 1736377123867,
        "preferredLanguages" : [ ],
        "roles" : [ "admin" ],
        "tokens" : { },
        "usernameStatus" : "ACTIVE",
        "verified" : true,
        "verifiedInstant" : 1736377123867
      } ],
      "tenantId" : "d7d09513-a3f5-401c-9685-34ab6c552453",
      "twoFactor" : {
        "methods" : [ ],
        "recoveryCodes" : [ ]
      },
      "usernameStatus" : "ACTIVE",
      "verified" : true,
      "verifiedInstant" : 1736377123822
    }
  }
}

Hope this answers your questions.

@robin-singh said in Getting 403 : disallowed_useragent with Google Auth:

We have android/iOS app where authentication redirects to fusionauth login page.
And here we have Facebook/Google login setup.
Facebook and native login is working fine but with Google login getting Error 403: disallowed_useragent.

Is there any way to directly open sign in for google which will send data to fusion auth only.

Are you trying to open the login in your application? Maybe try to use the system browser to up the Google login and see if that works. Google disallows OAuth login flows inside embedded web views (like those used in many mobile apps).