I have only tested the authenticator method for MFA.
But when I wanted to change my password after enabling the authenticator MFA, it required me to complete an MFA challenge. After reading the docs I figured out I'm required to request POST /api/two-factor/start, which I did with the userId. This returns a code, an array of configured MFA methods and a two-factor id. The part that made me ask this question is that there's a valid code being returned. This made me wonder if you have to send out the MFA mail/SMS yourself or does FusionAuth do this for you. (I am assuming it does when hitting POST /api/login when MFA is enabled.)
Posts made by t.vanherwijnen
-
Does 'POST /api/two-factor/start' also send out mails/sms
-
RE: Choose/pick application flow
You can ignore them.
Can you explain how? I've been trying to figure this out but couldn't find any solution on how to block request cookies or response headers (the Set-Cookie header).
I'm working in a Nuxt application, so requests are made using the Axios library.
If this is not possible or too complicated, I'll submit the feature request.
-
Choose/pick application flow
Scenario
I understand logging in using only a tenant id will return only a JWT and no refresh token. But is it possible to obtain a refresh token after successful authentication?
Let's say I have 2 apps:
- http://chat.app.com/ or http://app.com/chat/
- https://files.app.com/ or http://app.com/files/
Both have "Generate Refresh Tokens" and "Enable JWT refresh" set to true.
You could just navigate to the specific domain + subdomain or path and log in to that exact app.
But what I'm after is the possibility to log in to http://app.com/, pick one of the apps, get redirected and still be logged in.
A problem with the subdomain example is that the response carries a Set-Cookie header that sets the cookie on the current domain without any wildcards. (Is there a way of customizing this header?)
The flow would look like this:
- User successfully logs in on http://app.com/
- User is presented with the apps they're registered to
- User clicks an app and gets redirected
- (somewhere here there should be a way to obtain a refresh token)
- User is able to use the app and is not required to re-authenticate
My questions are:
- Is this possible using FusionAuth?
- Is there a way to disable/modify the Set-Cookie header so I can handle the tokens myself using the Authorization header without confusing the FA API with HTTP-only cookies?
- Is it possible to obtain a refresh token using a valid JWT and application id? (user must be registered of course)
ps: I love this live MD preview
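One way to do what the two posts above ask about (keep the tokens out of the browser's cookie jar and send the JWT in the Authorization header yourself), as an added example that is not part of the original posts and not FusionAuth's own code. It assumes the login endpoint returns JSON with `token` and `refreshToken` fields and that the call is made from the browser with `fetch`; with Axios the equivalent knob is `withCredentials: false` on the instance. The base URL, the sample response and the in-memory token store are constructed for the example.

```javascript
// Added example, not from the forum thread or FusionAuth. Assumed base URL:
const FA_BASE_URL = 'https://auth.example.com';

// Tokens are held in memory only: no cookies, no localStorage. Anything a
// script can read is exposed to XSS, so keep the refresh token off the page
// if the app does not strictly need it client-side.
const tokens = { access: null, refresh: null };

// Pull the JWT (and refresh token, if present) out of a login response body.
function storeTokens(body) {
  if (!body || typeof body.token !== 'string') {
    throw new Error('login response carries no token');
  }
  tokens.access = body.token;
  tokens.refresh = typeof body.refreshToken === 'string' ? body.refreshToken : null;
  return { access: tokens.access, refresh: tokens.refresh };
}

function clearTokens() {
  tokens.access = null;
  tokens.refresh = null;
}

// Build fetch options that never send or store cookies (credentials: 'omit'
// makes the browser ignore Set-Cookie on the response and attach no cookies
// to the request) and carry the JWT in the Authorization header instead.
function apiRequestOptions(method, jsonBody) {
  const headers = { 'Content-Type': 'application/json' };
  if (tokens.access) {
    headers.Authorization = `Bearer ${tokens.access}`;
  }
  return {
    method,
    credentials: 'omit',
    headers,
    body: jsonBody === undefined ? undefined : JSON.stringify(jsonBody),
  };
}

// Log in, then keep whatever tokens came back in memory for later calls.
async function login(loginId, password, applicationId) {
  const res = await fetch(
    `${FA_BASE_URL}/api/login`,
    apiRequestOptions('POST', { loginId, password, applicationId }),
  );
  if (!res.ok) {
    throw new Error(`login failed with HTTP ${res.status}`);
  }
  return storeTokens(await res.json());
}

// Constructed sample of a login response body (not a real token).
const SAMPLE_LOGIN_RESPONSE = {
  token: 'eyJhbGciOiJIUzI1NiJ9.sample.payload',
  refreshToken: 'sample-refresh-token',
  user: { id: '00000000-0000-0000-0000-000000000000' },
};
```

After `storeTokens(SAMPLE_LOGIN_RESPONSE)`, `apiRequestOptions('GET')` yields `credentials: 'omit'` and an `Authorization: Bearer …` header, so the HttpOnly cookie FusionAuth sets is never stored and never sent back, and later calls authenticate with the header alone.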