FusionAuth

    Posts made by nathan

    • OIDC Identity Provider Claims

      When using an external OIDC identity provider where does the email claim get fetched from when attempting to link to a FusionAuth account; the id_token, the access_token or the userinfo JSON?

      I have an id_token from an external IdP that doesn't contain an email address claim, but both access_token and userinfo do (under claim http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, which I have set up under Options -> Email claim), but FusionAuth doesn't seem to be picking it up.

      posted in Q&A
      nathan
    • RE: Users cannot accept invitation, redirect_uri missing

      I have encountered this error and managed to work out the following steps to get things working.

      FWIW I think this issue is the same as https://fusionauth.io/community/forum/topic/1098/registration-question-sendsetpassword-flow/7

      I get the above error using the default Setup Password template, which contains a link with the template http://localhost:9011/password/change/${changePasswordId}?client_id=${(application.oauthConfiguration.clientId)!''}&tenantId=${user.tenantId}

      If I add redirect_uri=http://localhost:3000 then I end up being redirected to http://localhost:3000?error=invalid_request&error_reason=missing_response_type&error_description=The+request+is+missing+a+required+parameter:+response_type without ever setting a password.

      Once I add response_type=code, I am able to set the password.

      It looks like the /password/change endpoint actually jumps into the OIDC/OAuth flow after the password is set, and my redirect URL gets a code (which I assume can be exchanged for a token). However, as I am using ASP.NET 5 & the OpenIdConnect extensions, the state parameter contains encrypted data that must be supplied, so I have found it best to ignore the code and simply trigger the OIDC challenge, which causes a redirect back to FusionAuth (with the required state) that immediately redirects back to my API (as there is an open SSO session), and my login is complete.

      It would be good if there was some documentation about the /password/change endpoint.

      (I would also be open to suggestions about how I can cleanup the redirect magic I need to do to get this all working with ASP.NET but I realise that is probably out of scope of this question!)

      posted in Q&A
      nathan
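      As an added illustration of the approach in the post above (this is not code from the post or from FusionAuth), an ASP.NET controller that receives the redirect from /password/change, discards the code it cannot bind to a state the OpenIdConnect middleware issued, and starts a fresh challenge that the open SSO session completes. The route /password-set, the post-login path "/" and the extended template link in the comment are assumptions.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;

[ApiController]
public class PasswordSetupController : ControllerBase
{
    // Assumed Setup Password link, extended as the post describes (redirect_uri and response_type
    // appended to the default template); redirect_uri points at the route below:
    // http://localhost:9011/password/change/${changePasswordId}?client_id=${(application.oauthConfiguration.clientId)!''}
    //   &tenantId=${user.tenantId}&redirect_uri=http://localhost:3000/password-set&response_type=code
    [HttpGet("/password-set")]
    public IActionResult PasswordSet([FromQuery] string code, [FromQuery] string state)
    {
        // Already signed in (SSO session plus a prior challenge): nothing more to do.
        if (User.Identity?.IsAuthenticated == true)
        {
            return Redirect("/");
        }

        // The code arrived from a flow this app never started, so the middleware cannot validate
        // the accompanying state. Never exchange it; a code without a state the app issued is
        // exactly what the state parameter exists to reject. Start a new OIDC challenge instead:
        // FusionAuth's existing SSO session answers it without prompting, and the middleware
        // handles code exchange and state validation for that round trip itself.
        var props = new AuthenticationProperties { RedirectUri = "/" };
        return Challenge(props, OpenIdConnectDefaults.AuthenticationScheme);
    }
}
```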