@fin When you say the cookies are blocked, what error message are you getting? What do you mean by blocked?

@vandaele-seba Could be better that this model exists in FusionAuth C# library. To be sure have a compliant model with new FusionAuth versions

It sounds like you have a complex identity management setup with various types of users accessing your applications. To address the requirement of enforcing MFA (OTP) at the user level rather than the application level, you might need to adjust your approach slightly. Here's a suggestion on how you could resolve this:

Customize User Registration Process: When creating user accounts manually within FusionAuth, you can customize the registration process to include mandatory enrollment of MFA (OTP). This could involve adding a step during account creation where users are prompted to set up MFA, and they can't proceed without completing this step.

Use FusionAuth Hooks or Lambda Functions: FusionAuth provides hooks or Lambda functions that allow you to execute custom logic during various events, such as user registration. You can leverage these hooks to enforce MFA enrollment for manually created user accounts. For example, you could write a custom hook that checks if the user account was created manually and if so, requires MFA enrollment before allowing the account creation process to complete.

Communicate MFA Requirement Clearly: Ensure that users are aware of the MFA requirement during the account creation process. Provide clear instructions on how to set up MFA and why it's necessary for their security. This helps in ensuring user compliance with the MFA enrollment process.

User Education and Support: Offer resources and support to assist users in setting up MFA. This could include documentation, tutorials, or even direct support channels where users can get assistance if they encounter any issues during the MFA enrollment process.

By implementing these steps, you can enforce MFA (OTP) at the user level for manually created accounts within FusionAuth, while still allowing federated Azure customers to access your applications seamlessly without requiring an additional layer of authentication.

I eventually solved this issue by activating the webhooks on each tenant level additionally. I was under the impression that if I set them on the instance level, they would automatically be applied to all the tenants, but that's not true. I must have missed that in the docs.

I found out that these are the ones I need to map, although when I mapped only favicon-128.png
it worked as well, so not sure completely but to some extends I know that these are the ones we need to map:

/usr/local/fusionauth/fusionauth-app/web/static/images/favicon-128.png /usr/local/fusionauth/fusionauth-app/web/static/images/favicon-16x16.png /usr/local/fusionauth/fusionauth-app/web/static/images/favicon-32x32.png /usr/local/fusionauth/fusionauth-app/web/static/images/favicon-96x96.png

But IDK exactly what /usr/local/fusionauth/fusionauth-app/web/static/favicon.png is being used for. Anyhow, I've decided to ignore it for the time being and later (if something happened) maybe will change my mind 😄.

Dockerfile for those who might be also interested in my FusionAuth version FROM fusionauth/fusionauth-app:1.45.3 USER root # Install curl RUN apt-get update && \ apt-get install -y curl && \ rm -rf /var/lib/apt/lists/* USER fusionauth COPY ./apps/frontend/public/favicon.ico /usr/local/fusionauth/fusionauth-app/web/static/images/favicon-128.png COPY ./apps/frontend/public/favicon.ico /usr/local/fusionauth/fusionauth-app/web/static/images/favicon-16x16.png COPY ./apps/frontend/public/favicon.ico /usr/local/fusionauth/fusionauth-app/web/static/images/favicon-32x32.png COPY ./apps/frontend/public/favicon.ico /usr/local/fusionauth/fusionauth-app/web/static/images/favicon-96x96.png For more details look at my repo & give it a ⭐ if you found it useful.

I had the same issue with SMTP and how to configure it. I can confirm that most likely it is an issue with how you have configured your SMTP and FusionAuth.

BTW I have created this monorepo which utilizes FusionAuth, Docker, mailcatcher, NestJS, and NextJS. Check how I wrote fusionauth.docker-compose.yml and how terraform is configuring FusionAuth. I also jot down here and there some infos about them, so if you like you can definitely read README.md files.

I also appreciate it if you give it a star on GitHub.

@mark-robustelli Thank you for the quick response. I appreciate you taking the time to consider the issue.

You raise a valid point about the possibility of pod issues. To clarify, here's additional context and observations:

Relevant Pods: The specific pods attempting to communicate with FusionAuth remain consistently up and healthy throughout the periods where FusionAuth becomes unreachable.

External Connectivity: Successful communication with external services like Google and Gravatar demonstrates that broader network connectivity from our pods is unaffected.

Dedicated Service: FusionAuth is a separate, dedicated service. The issue lies in our GKE cluster's ability to reach it sporadically.
Given this additional information, I'm now leaning towards these potential areas for investigation:

GKE Egress Rules: I have meticulously examined firewall rules and configurations within GKE that might selectively block traffic to FusionAuth. It's possible a misconfiguration could be causing this intermittent issue. However it seems unlikely as it is intermittent. It also doesn't happen after a deploy or anythign related to GKE availability.

FusionAuth Ingress Rules: I have double-checked the FusionAuth server's settings to ensure there aren't any firewall or IP-based restrictions accidentally preventing connections originating from our GKE cluster. There was one that i saw it went down and I added an allowed IP at the time. It didn't immediately solve it but it did resolve within the next few minutes.

Next Steps:

Would you have any additional guidance or specific areas I should focus on? Any insights on potential pitfalls in GKE's network setup or FusionAuth's configuration that might cause this behavior would be greatly appreciated.

The fact that it is intermittent is a problem that makes this difficult to solve.

Thanks again!

WarpStream is a Apache Kafka compatible data streaming platform. The Kafka Integration in FusionAuth can be used to integrate WarpStream with FusionAuth.

In the configuration, set bootstrap.servers to the WarpStream agent port such as localhost:9092. This is the port the Agent will listen on for Kafka client TCP connections.

@qbanole03 said in azure ad reply url:

followed this guide https://fusionauth.io/docs/v1/tech/identity-providers/openid-connect/azure-adQuick Draw but keep getting the following error messages, would appreciate any help.

b97ebbfe-ff66-4394-a8a4-b99b6f4f220d-image.png

What do you think if you request to restore your password?

@truearrowsoftware Weird.

We won't fix that bug because we don't support mysql 5.7 any more (per https://fusionauth.io/docs/get-started/download-and-install/system-requirements#database ).

When you try to connect to mysql8, do you see any log messages in the startup screen or under /usr/local/fusionauth that seem relevant to share?

@richb201 I have never encountered a similar situation

@alex-patterson said in Node Version Compatibility:

@max-0 our SDK package.json can be found here https://github.com/FusionAuth/fusionauth-typescript-client/blob/master/package.json

In reality, we don't impose any limitations on a client, if something doesn't work well with your setup you can always exit from the SDK strategy and call the API's directly.

Hello! I think I should contact customer service

Thank you for taking the time to offer these solutions. Your support has made a challenging situation much more manageable.

@mike-rudat This might be of interest too: https://fusionauth.io/docs/extend/examples/device-limiting

@dan I know this is old thread and OP didn't reply. But I have same issue and I did see mysql Connector when I echo $CLASSPATH in script .. I am getting that It cannot access database. I am using Connector 8.0.33 but my mysql is 5.7 is that a problem? Because I check authentication setting to mysql and using PHP Script I can connect fine but not from fusionAuth 1.48

Thanks for the question.

FusionAuth allows you to create a custom theme. In this custom theme, you can add JavaScript (JS) that might offer you the analytics you are looking for. For instance, you could add Google Analytics or a similar JS engine to collect this metadata information.

Another option is that you can use webhooks to listen for login events (or related events). Most webhook events will include a field of:

event.info.userAgent [String] AVAILABLE SINCE 1.30.0 The user agent associated with the event.

Which might return data like

"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36"

You could collect and analyze this data to get a better understanding of how your users are interacting with FusionAuth.

Lastly, we do store some metadata on the refresh tokens (if you use our hosted login pages), which might be helpful for information-gathering purposes by Tenant.

"metaData": { "device": { "description": "Hooli Phone 8GB Work Phone", "lastAccessedAddress": "170.152.81.62", "lastAccessedInstant": 1487996477628, "name": "Richard's Hooli Phone", "type": "MOBILE" },

https://fusionauth.io/docs/v1/tech/apis/jwt#retrieve-refresh-tokens

Let us know if we can provide you with anything else.

@pradhanv88 I do not see an Identity Provider for BitBucket. You might want to open an issue with the team as a feature request here.

I recently embarked on the journey of integrating FusionAuth into my website, inspired by a discussion in the FusionAuth community forum

@daenerystargaryen56

Hmmm. Do you have any documentation from NextCloud for generic OIDC providers? FusionAuth usually works with generic documentation, so that might be a good place to start looking.

You can also enable debug on the FusionAuth application you are configuring and look in the event log to see if there is more information that might help you debug this issue.

@ghstahl I think we had a similar conversation on Slack 🙂

For future readers, if you want to be able to distinguish how a user logs in (which idp they use), this might be helpful:

If I were you, I'd look at two things:

the user login success event: https://fusionauth.io/docs/extend/events-and-webhooks/events/user-login-success which has the identityProviderId It is provided as an event, so I don't know if it'll work for you, but it will tell you on every login event which idp was used. You could possibly store that off someplace and build a system to exchange an id token for the idp used. I'd have to think more about how that works, but it might be possible. setting up in your own app a 'sign me in' button and not using an idp hint. You'd instead build the authorization URL for each idp and build a link for entry into each navigation area. https://fusionauth.io/docs/apis/identity-providers/openid-connect#complete-an-openid-connect-login You'd let the user login and then come back. The redirect URL could be different and that would be the distinguishing feature.
If a user started at /googlestart, clicked the 'sign me in' button, and arrived back at /googleendpage and had a valid token, the user went through the google process.
If a user started at /secretidp1start, clicked the 'sign me in' button and ended up back at the /secretidp1endpage with a valid token, then the user went through the secret idp 1 process.