FusionAuth
    • B

      MFA is forced also on Identity Provider Users

      • • beezerk
      5
      0
      Votes
      5
      Posts
      10.1k
      Views

      Y

      A client reached out to us with the same issue: they are being forced to configure MFA even though they are doing an SSO login, and the issue also seems to be intermittent. Hope FusionAuth comes up with a fix for this.

    • G

      Webhooks inside docker containers

      • • ggyurov
      4
      0
      Votes
      4
      Posts
      4.8k
      Views

      danD

      @ronn316 We have some guidance about reaching out from FusionAuth to another machine on the network, but the right answer really depends on what the docker network configuration looks like.

    • T

      FA throwing 500 when trying to login

      • • tiago
      1
      0
      Votes
      1
      Posts
      3.0k
      Views

      No one has replied

    • M

      Allowed origins field capacity to handle 2000 IdP's

      • • mike.rudat
      2
      0
      Votes
      2
      Posts
      9.2k
      Views

      M

      Hi Mike,

      I ran a test where 4000 URLs were added to:

      System Settings->CORS->Allowed origins

      I used the

      /api/system-configuration

      API to add the URLs. Note, the page itself now takes a significant time to load as 4000 URL strings are being rendered.

      Cheers

    • A

      Request timeouts

      • • abdoulaye.sow
      3
      0
      Votes
      3
      Posts
      3.4k
      Views

      M

      @abdoulaye-sow I'm seeing this in the /api/passwordless/start endpoint. The weird thing for us is that even though this is our Dev instance, we have no more than 5 concurrent users at the moment so we certainly shouldn't be overloading the system.

      I'm starting to look into this now, but if you did find anything out I'd love to hear from you

    • A

      Invoice Format

      • • alexander.jordan
      1
      0
      Votes
      1
      Posts
      3.7k
      Views

      No one has replied

    • U

      SMTP outgoing mail server not reliable

      • • uvali
      9
      0
      Votes
      9
      Posts
      5.0k
      Views

      M

      It seems like FusionAuth's email server is acting up, even though SWAKS shows no problems with your own email server. You might want to try using other services like SMTPget or Amazon SES for sending emails through FusionAuth. Make sure your FusionAuth SMTP settings are set up correctly, and if the issue continues, contact FusionAuth support for help fixing it quickly.

    • D

      Using TwoFactorLogin and expose TwoFactorId

      • • didier
      2
      0
      Votes
      2
      Posts
      2.3k
      Views

      mark.robustelliM

      @didier I'm not 100% sure what you mean by "expose twoFactorId in frontend part". I'm assuming you mean give the user a way to input the code. So yes, you will have to allow them a method to input their code and then complete the login. Please see here for more information.

    • D

      Custom registration for user, and use registration response (and token) to continue process with this logged user

      • • didier
      4
      0
      Votes
      4
      Posts
      1.8k
      Views

      K

      @didier hmm, I guess you can do it by registering the user in your backend (get the username and password from the user and register a user with those). Then you can just exchange the plain text username and password for JWT tokens and attach them to response cookies. Something like this: https://github.com/kasir-barati/you-say/blob/main/apps/backend-e2e/src/utils/login.util.ts.

      If you're using FusionAuth Typescript client you can do it like this: https://github.com/kasir-barati/you-say/blob/main/packages/backend/auth/src/lib/services/mobile-auth.service.ts#L71

    • V

      Multi tenants for one application

      • • vandaele.seba
      4
      0
      Votes
      4
      Posts
      20.8k
      Views

      mark.robustelliM

      @qwandery,

      OR, perhaps a new concept is needed in FusionAuth -- "Organizations" if you will -- that allows for granting users with different permission sets inside the same Application.

      You should feel free to open up a feature request here.

    • Q

      Lack of Docs for OAuth + Custom Backend + SPA

      • • qwandery
      3
      0
      Votes
      3
      Posts
      1.7k
      Views

      K

      @qwandery @Alex-Patterson I think it is also very beneficial to focus on some implementation details such as how our logout endpoint should not validate JWT token otherwise user might receive a 401 JSON response.

      In my case I was validating it in my backend app (NestJS) so I thought it should be OK but now that I am looking in the rearview mirror I think I can see why I should not have done that 😓.

      Ah BTW, here I am using NextJS (standalone) + NestJS. So it is not SPA.

    • M

      How to re-register when on the Verification Registration Required template?

      • • mike.rudat
      2
      0
      Votes
      2
      Posts
      1.5k
      Views

      M

      Hi Mike,

      You could add a logoutLink at the end of the template, inside the end of helpers.main, to log out and then redirect the user back to the registration page, such as:

      <div class="form-row push-top">
        [@helpers.logoutLink redirectURI="${request.contextPath}/oauth2/register"]${theme.message("register")}[/@helpers.logoutLink]
      </div>
      [/@helpers.main]

      The template would display for example with the link titled register at the bottom of the page in the attached screenshot.

      Screenshot 2024-05-02 at 23.54.08.png

      Cheers

    • D

      How to search all users with entity grant for an entity?

      • • didier
      3
      0
      Votes
      3
      Posts
      1.8k
      Views

      D

      Ok. I see "userId" property. Not easy to understand!

    • A

      Plan Cost for Development/Staging Environments

      • • andy 2
      2
      0
      Votes
      2
      Posts
      2.1k
      Views

      mark.robustelliM

      @andy-2 are you talking about self-hosted or FusionAuth-hosted?

    • A

      Has anyone successfully integrated FusionAuth with Metabase using SAMLv2?

      • • admin 9
      2
      0
      Votes
      2
      Posts
      1.4k
      Views

      mark.robustelliM

      @admin-9 I have not worked with Metabase, so I don't think I can be of help there. I do want to make sure you have seen the documentation on configuring FusionAuth as the Service Provider.

      It is worth noting the bit about opening up a request for FusionAuth to provide additional examples on GitHub. It may be worth your time to do that.

    • E

      Unsolved Checking for user.roles if it is equal to a specific role and based on that determine the URL Forgot-Password

      • • essamkayall1996
      2
      0
      Votes
      2
      Posts
      803
      Views

      mark.robustelliM

      @essamkayall1996 Are you able to debug and confirm "client" is in the list of user.roles? Also, are you saying that no page renders? What error message are you getting? It looks like in either case of the if statement you are returning the same page.

    • F

      SetCookie Domain is too broad for the cookies to work

      • • fin
      2
      0
      Votes
      2
      Posts
      896
      Views

      mark.robustelliM

      @fin When you say the cookies are blocked, what error message are you getting? What do you mean by blocked?

    • D

      How to listen FusionAuth webhook in C#

      • • didier
      3
      0
      Votes
      3
      Posts
      1.1k
      Views

      D

      @vandaele-seba It could be better if this model existed in the FusionAuth C# library, to be sure of having a model that is compliant with new FusionAuth versions.

    • B

      OTP mixed with external identity providers

      • • bradley.kite
      3
      0
      Votes
      3
      Posts
      1.5k
      Views

      R

      It sounds like you have a complex identity management setup with various types of users accessing your applications. To address the requirement of enforcing MFA (OTP) at the user level rather than the application level, you might need to adjust your approach slightly. Here's a suggestion on how you could resolve this:

      Customize User Registration Process: When creating user accounts manually within FusionAuth, you can customize the registration process to include mandatory enrollment of MFA (OTP). This could involve adding a step during account creation where users are prompted to set up MFA, and they can't proceed without completing this step.

      Use FusionAuth Hooks or Lambda Functions: FusionAuth provides hooks or Lambda functions that allow you to execute custom logic during various events, such as user registration. You can leverage these hooks to enforce MFA enrollment for manually created user accounts. For example, you could write a custom hook that checks if the user account was created manually and if so, requires MFA enrollment before allowing the account creation process to complete.

      Communicate MFA Requirement Clearly: Ensure that users are aware of the MFA requirement during the account creation process. Provide clear instructions on how to set up MFA and why it's necessary for their security. This helps in ensuring user compliance with the MFA enrollment process.

      User Education and Support: Offer resources and support to assist users in setting up MFA. This could include documentation, tutorials, or even direct support channels where users can get assistance if they encounter any issues during the MFA enrollment process.

      By implementing these steps, you can enforce MFA (OTP) at the user level for manually created accounts within FusionAuth, while still allowing federated Azure customers to access your applications seamlessly without requiring an additional layer of authentication.

    • D

      Missing user.login.success webhook event for OpenID Connect provider

      • • dan.the.man
      2
      0
      Votes
      2
      Posts
      646
      Views

      D

      I eventually solved this issue by activating the webhooks on each tenant level additionally. I was under the impression that if I set them on the instance level, they would automatically be applied to all the tenants, but that's not true. I must have missed that in the docs.