RE: CORS Error when sign in

@chee Who are your DNS records with? Are those configured correctly?

@netstack hmm, Did I read this part correctly?

I tried the same with re-generating and adjusting the URL's directly at the application. But still the URL's remain unchanged.

Does this mean that even when you update the urls in the application, the change does not take. Or the change takes, but still does not work?

Would it be possible for you to send a screen shot of your config? Please be sure to redact any sensitive info before posting.

@chee Thanks for the details. It looks like you have it mostly configured correctly. In the error message, I see: 'Host header: onemeta-dev.routing.fusionauth.io'. That seems a bit off. Where is the onemeta-dev configured?

@netstack , Adjusting the issuer URL at the Tenant level will not update the Applications URLs. If you have many applications and plan to change often, you can use the APIs to make sure all the applications get updated appropriately.

Please check out this as well:

After modifying the Tenant issuer, you should also update the JWT configuration for your applications:
Navigate to "Applications" in the admin UI.
Click on the edit icon for the application you want to update.
Go to the "JWT" tab.
Change both "Access token signing key" and "Id token signing key" to "Auto generate a new key on save...".
Save the application.
It's important to note that you must create new keys after modifying the Tenant because the Issuer field is embedded in the key.

@pc Was anything changed before the reboot? What prompted the reboot?

@cristian I asked around a bit, and unfortunately I don't have a great answer for you. I think this information about FusionAuth SSO just confirms what you already know.

On a slightly brighter note, someone helped me find this open GH Issue that you should probably follow that might help down the road.

In the meantime, does anyone have any other advice or suggestions for @cristian?

I just took another look and jwt.aud may get you what you need in both instances as well.

@mcad-pha Depending on your situation, there may be a few options.

If you assign the Lambda to the Access Token Populate lambda for the application, you can access the applicationId using jwt.applicationId. This would give you 1 function you could share across the applications if it works for you.

• If you assign the same lambda to the Id Token Populate lambda, you will get undefined.

If that does not work you may be able to use the fetch command in the Lambda. This would allow you to create a single function and have each of the applications call it, passing in the applicationId. This is only available in an Essentials or Enterprise plan.

• Reminder: If you have a paid plan, also remember you can access support through the Customer Account Portal as they may be quicker to respond.

@paul-1 Is it possible that the your code (i.e. //lots of code) is taking too long to process? Can you try to take out most of the code and see if that prevents the time out?

As far as the "testing" goes, it seems odd that there is different data. Have you tried to capture the data actually sent vs what you are testing with and see if there is a difference?

@megharaj-khalate Can you please provide a little more detail in how you are adding users to FusionAuth? Have you checked the FusionAuth logs to see if there are any clues there?

@cristian hmm, if the docs say the session is only available when using the hosted login pages, it seems like you may be out of luck. Give me a little time to ask around a bit and see if there may be alternative suggustions to your workflow.

@cristian What are you using for the SSO Bridge? Also, If you don't want the user to enter their credentials on FusionAuth's login page, what will be acting as the Identity Provider (IdP)? I'm not 100% clear on your use case, but have you check out Connectors. Seems like that might be a way to go.

@cristian Glad you got it rolling.

@cthos Thanks for the feedback. Since it does appear that you can configure as required, I'm not sure this constitutes a bug. However if it is confusing to you it is likely to others as well. It may be worth opening an issue for the dev team to take a look at.

@bonfattidaniele Is auth.easycbam.eu your domain? Is bbdb8f55-65e7-4de7-a5ff-f08df4ea8005 your client_id? Is 9f144ac0-3006-e653-2ce1-ba98bb40f3eb your tenantId? It appears that those values may not have been updated if not. I am not an Apache expert so I am not sure what implications removing those statements is going to have. Can you try updating those ids, domains and other variables in the config to see if that works?

@cristian Apologies for the confusion, I think I conflated two separate issues I was working on. It is my understanding that FusionAuth should maintain the state parameter as explained in this video. If it is not, then there is a bug. I would like to try and set up a simple example to replicate your issue, but that is going to take me a couple of days. I'll let you know what I find.

BTW, it does not look like you can access the url from a lambda. There may be some things you can do with logging and turning on debugging in FusionAuth, but I will test that out as well. If you get to it before I do, please let me know.

Thanks.

@spydmobile Are all the errors specifically about the CORSConfigurationCacheLoader or are there others?

@spydmobile said in Struggling to backup selfhosted fusionAuth.:

2025-01-31 16:33:45 fusionauth-1 | 2025-01-31 11:33:45.952 PM ERROR com.inversoft.scheduler.LogAndRetainFailureHandler - The scheduled service [class io.fusionauth.api.service.cache.CORSConfigurationCacheLoader] failed but will be re-run.
2025-01-31 16:33:45 fusionauth-1 | org.apache.ibatis.exceptions.TooManyResultsException: Expected one result (or null) to be returned by selectOne(), but found: 2

@cristian Can you please take a look at https://sptest.iamshowcase.com/instructions#spinit and in particular the Use RelayState to control the color theme section. The are passing a parameter to control the color of the background. This seems to be what you are trying to accomplish. If not, please let me know.

If you need more details on how to set up the test, please see this blog post.

@calumhall96 I didn't want you to think no one was looking at your post. I am not familiar with this set up so it is going to take me a while to check it out. In the mean time, if anyone has any ides, please speak up.

@Scot Woo-hoo, glad you got rollin'!