RE: Authentication for an Application with Web Client and Mobile front-ends

@joshua

Great explanation, and you're absolutely correct that I don't/shouldn't want to persist the access token in the web api. With your help and a lot of grinding I believe I have this figured out. One of the biggest hurdles was my misconception of how multi-tenancy works in FusionAuth. I thought that one application could be shared across multiple tenants but they cannot. Not a big deal because applications can be easily created with your APIs. Just as a suggestion, maybe the FusionAuth documentation could make this a little more clear for others who are exploring your offering.

Thanks for your great support!

@joshua

Great explanation, and you're absolutely correct that I don't/shouldn't want to persist the access token in the web api. With your help and a lot of grinding I believe I have this figured out. One of the biggest hurdles was my misconception of how multi-tenancy works in FusionAuth. I thought that one application could be shared across multiple tenants but they cannot. Not a big deal because applications can be easily created with your APIs. Just as a suggestion, maybe the FusionAuth documentation could make this a little more clear for others who are exploring your offering.

Thanks for your great support!

@joshua

Everything works great when I have an application assigned in each tenant. Before proceeding to make an application per tenant, I just wanted to make certain that applications can't be shared across tenants. The good thing is that your APIs make it easy to create them.

Thanks for your support!

This error happens when trying to register a user to an application that doesn't reside within the user's tenant, which leads me to my next question:

Can you have one application that is shared across tenants?

The FusionAuth documents covering multi-tenants gave me the impression that you could, but it seems as though you have to have an app residing within the same tenant you wish to register a user to that is also a member of that specific tenant.

I'm looking for insight as to how multi-tenants works within FusionAuth. At this point, it looks like you have to have a copy of an application within every tenant, even though it is essentially the same application - roles, etc.

Thank you.

This is actually a 400 Response.

The fusionauth-app.log shows the following error:

The error may exist in io/fusionauth/api/domain/UserMapper.xml

The error may involve defaultParameterMap

The error occurred while setting parameters

SQL: INSERT INTO user_registrations (id, applications_id, authentication_token, clean_speak_id, data, insert_instant, last_login_instant, last_update_instant, timezone, username, username_status, users_id, verified) VALUES (?, ?, ?, ?, ?, ?, ?,?, ?, ?, ?, ?, ?)

Cause: org.postgresql.util.PSQLException: ERROR: null value in column "users_id" violates not-null constraint

I'm able to create a user and receive back the user info including the FusionAuth assigned user Id, but when trying to register that same user to an application I continue to receive a 401 Status Code:

• Code: [Invalid]registration.applicationId.
• Message: An application with Id [my app id] does not exist.

Additionally, I have multi-tenants set up on FusionAuth Cloud deployment.

Also, I am currently using FusionAuthSyncClient from the FusionAuth.Client NuGet package.

Any help would be appreciated.

Thank you.

Hi @Joshua,

Along with the web app, I have a backend ASP.Net Core Web API that is secured with Authorization that the web app is accessing. I need to be able to verify that a user is authenticated, is assigned to an appropriate role, and which tenant they are assigned to before allowing access to the api.

Currently, I am trying to use the following auth flow:

• user is navigated to login page for specific tenant on web app

• click login button and authenticate to FusionAuth (my app) auth endpoint

• web app receives authentication token for user

• web app exchanges auth token for access/refresh token at FusionAuth (my app) endpoint

• web app makes call to Web API passing access token

• Web API verifies token against FusionAuth (my app) endpoint

• Web API pulls user claims from token for role(s) and tenant, if verified returns data back to web app

• Additionally, web app and Web API persist auth access/refresh token for future calls to the Web API so user doesn't have to repeat auth on subsequent calls, barring token expiration

I'm sure I'm making this harder than what it is but I've not used FusionAuth before. Mostly, it seems that the difficulty is coming from the the fact that I'm using multi-tenancy in FusionAuth, otherwise it would be pretty straight forward. I've used this pattern with Azure AD B2C, however that doesn't readily support multi-tenancy which is the the main reason I'm trying to use FusionAuth's multi-tenant support.

Hope this helps you to better understand what Im trying to achieve. It is definitely possible I'm approaching this all the wrong way, so I value your input.

Thank, again.

Hi Josh,

It has been a few days but I'm still working on this project. I've looked at this example on FusionAuth: Securing an ASP.NET Core Razor Pages app with OAuth that uses an OIDC configuration. On the surface this looked like the solution l needed, however I have FusionAuth deployed on FusionAuth Cloud with multi-tenants and the configuration in this example doesn't seem to show how to support this in the OIDC configuration. Any suggestions on how to proceed?

Thank you.

Thanks for the response Joshua.

Let me try to clarify, this is a native mobile app for iOS and Android (actually Xamarin x-platform), so the mobile user isn't logging-in to a website.

Further, both the web client and native mobile app will be accessing an ASP.Net Core web API for interfacing with a multi-tenant (db per tenant) backend hosted on Azure. This API is using authentication and authorization and it is really what I need to secure.

In short, I'm exploring the use of FusionAuth because of its multi-tenant authentication support and need to know where to start with implementing the authentication workflow using FusionAuth. Thus far, I've seen a lot diagrams and general explanations about this on FusionAuth's website but no actual code on how to do it, especially related to native mobile apps.

Any further help would be much appreciated.

New to FusionAuth and exploring its use for an application.

Question:

Given a web client and mobile as front-ends for the same application, is it possible for a user to register/authenticate to this application through the web client and then login to the same application with the registered user name and password using a mobile device without going through the authentication process again, or vice versa?

Desired Response:

• If yes, a brief description of how it works.

• If no, insight on how to handle this process.

• Direction to any documentation pertinent to either answer.

Thank you.