@joshua Thank you for answer
True, it is still possible to handle that logout.
Maybe in future Fusionauth could have an additional and optionnal logout endpoint in IdentityProvider settings ...
I prefer the application not to know much about the IdP, (i.e not calling it directly and not knowing its URLs) and let Fusionauth deal with the authentication/logout workflow.
Tho, I do understand the answer 
@paterik4 I think you can specify it in the kickstart when you create it
@paterik4 I think you need to give the application_id instead of the client_id in the registration block
Hi,
I have a fusionauth configured to use an external identity provider.
My application is logging into fusionauth, which redirect to the identity provider: it works fine.
Now I wonder how should be the logout workflow ?
My application calls the fusionauth logout endpoint and it works fine (my user is logged out from my app and from fusionauth), but the user is still logged into the external identity provider ...
Because otherwise, the user is still logged on 
Thank you,
Quenta
@dan Thank you, yes I can use lamba, i did give it a try and it works fine
The authentication type does works too, but maybe more in a "workaround way".
Thanks
Hi,
I configured Fusionauth for the authentication on my API, so far working fine.
I linked some external accounts (other Identity Provider) to some Fusionauth users, the authentication works fine as well.
Now i wonder if I can retrieve in a claim of the JWT from which identity provider the user account is linked to ? The authentication is managed by Fusionauth, but is there a way to know if that user has a linked account, just reading the claims of the JWT ? I would like to differentiate FA's user without linked from users with linked account
Thank you
Hi,
I set up SSO between 2 applications, and for each i set up their own logout url, and set the Logout behaviour to All applications.
For each application their "own" logout workflow works correctly:
But the other application logout URL is never called, though I set up the logout Behaviour to "All applications"
Do I miss something in the configuration?
Thanks
@dan
Thank you
Seems like my sso isn't working correctly...
I have 2 .net API
http://localhost:11000/apiA
http://localhost:12000/apiB
I can successfully log with fusionauth, I get tokens and own cookie. But the SSO seems to be achieved by the common .net cookie, if I delete it I need to relog again, even if fusionauth SSO cookie is still there...
@joshua
but, even before logging ? I was expected to be created after successful loging, and being deleted after a logout (note it is not a matter to me, just trying to understand if what i see in my implementation is normal)
FusionAuth seems to always create those 2 cookies when hitting the log page, even before logging:
fusionauth.sso
fusionauth.locale
Is it normal behaviour?
@dan it means there are 2 sessions, the sessions of the application itsefl, and the session of fusionauth ? In the link you sent, if the app session is down, then it redirects to FusionAuth login page (so far that works), and if the FA session is still up the user doesn't need to log again (that part does not work, the user need to log again, whereas the FusionAuth session is still valid)
Hi, I am a little lost about the SSO mechanism, I think i need some better understanding ...
I configurated an API with an OIDC library, to use FusionAuth for authentication. The tokens returned by Fusionauth are stored in "api-own-cookie".
When a webclient calls the API, it has to give the "api-own-cookie".
question 1 : if understand well, there we're not using the FusionAuth SSO mechanism because we use our own cookies ? We should have the API to require the FusionAuth cookie to fully rely on SSO mechanism ?
question 2: in SSO mechanism, a call of /oauth2/logout?client_id={clientId} or /oauth2/logout?token_id_hint={tokenId} tells the browser to remove the SSO cookie ?
@dan yes seems it is still not working ... Thank you
Yes it works all fine
I didn't understant the redirect_uri had to be the same , stupid me
Re: Issue validating JWT with .Net 5
Hi,
I implemented a Oauth2 workflow in my API (.NET 5) . I managed to validate a JWT using RSA algorithm, but using SymmetricKey still gives me an error "invalid_token -- The signature key was not found"
I read in the linked discussion it was an existing issue, I wonder if it is a .NET issue only, and if a solution with symmetric keys exists now ?
Thank you
Hello,
I'm trying to configure OAuth with Fusionauth with my application (api core).
(I configured Fusionauth with user, application and the oauth).
When i hit my api endpoint, i do get a redirection to the fusionauth login page with all parameters as described in the documentation.
My question is about the redirect_uri : I understood if the login succeeds, the redirect_uri will be called with code and userState parameter
https://www.piedpiper.com/login?code=+WYT3XemV4f81ghHi4V+RyNwvATDaD4FIj0BpfFC4Wzg=&userState=Authenticated
If i understand well, the redirect uri will be called automatically within the workflow ?
If yes, can this redirect_uri be an API endpoint, in order to receive the temporary code, and then send a request for the access_token ?
I tried it but get an error
Thank you