FusionAuth
    • J

      Is it possible to limit the number of devices a user can login with?

      • • joseantonio
      8
      0
      Votes
      8
      Posts
      7.1k
      Views

      danD

      This might be useful for visitors in the future: https://fusionauth.io/docs/extend/examples/device-limiting

    • K

      Unsolved Tenant name is tenant UUID even though Terraform is stating name

      • • kasir-barati
      1
      0
      Votes
      1
      Posts
      1.4k
      Views

      No one has replied

    • danD

      Redirect from the password complete page?

      redirect password change • • dan
      5
      1
      Votes
      5
      Posts
      2.3k
      Views

      K

      Hey FusionAuth fans,

      I've just come up with a brilliant idea: why not utilize theme messages? I have a working example here. Just a quick rundown of what I have done there:

      I am adding a new message key-value pair to my default custom theme called frontend-app-url. It is implemented in a Terraform resource named custom-theme. It is a bit hacky, of course. I am using it in my change-password-complete.ftl.

      And this way I worked my way around it 😂

      Hopefully this will help you, do not hesitate to give this repo a ⭐ in GitHub.

    • K

      Solved Connection refused when I try to register a new user with @fusionauth/typescript-client

      • • kasir-barati
      8
      0
      Votes
      8
      Posts
      2.9k
      Views

      K

      Hey folks,

      Coming from the future. I just decided to change my docker-compose.yml to use network_mode: host; therefore, my former comment is no longer valid. Please look at my monorepo to see how I am utilizing Terraform, Docker, mailcatcher as my local SMTP, NestJS, and NextJS.

      I also wrote a couple of README.md files here and there for future reference.

      Feel free to give it a star on GitHub and/or, better yet, use it.

    • H

      Unsolved Connector not persisting claim

      connectors netcore lambda • • helzgate
      7
      0
      Votes
      7
      Posts
      1.2k
      Views

      H

      There is no way to get back information from FA when it calls your connector endpoint. What I ended up doing was creating separate applications for each portal in our app. When FA calls my connector, I can now look at the incoming applicationid and know which portal this user belongs to, and that solved my issue.

    • B

      Unsolved Access redirect_uri from accountTwoFactorIndex

      • • bill.yudichak
      2
      0
      Votes
      2
      Posts
      401
      Views

      mark.robustelliM

      @bill-yudichak Can you please get us a little more detail? A screenshot may help. I do not see a "Go Back" link when I enable multi-factor for my app. Also, what is the accountTwoFactorIndex template you are referring to?

    • M

      Unsolved Back to maintenance mode

      • • marshsouvlakia
      2
      0
      Votes
      2
      Posts
      1.0k
      Views

      mark.robustelliM

      @marshsouvlakia What version of MySQL are you running? Were there any updates recently? Anything that may have changed from when it was not working to now? Have you tried a restart?

    • Y

      Unsolved OpenID Connect doesn't fallback to non-PKCE if provider doesn't support it

      openid pkce • • yves
      7
      0
      Votes
      7
      Posts
      1.6k
      Views

      mark.robustelliM

      @yves So I found this that may be of interest to you.

      For the Authorization Code Grant, if the clientAuthenticationPolicy value is Required, the client secret is required. If the value is NotRequired, the client secret is not required. If the value is NotRequiredWhenUsingPKCE and PKCE is used, the client secret is not required. If PKCE is not used, the client secret is required.

      What is your setting there?

    • F

      Unsolved Connector service docs say it needs only user.id, but fails if not given email too

      connectors ritza • • fusionauth.qhj5e
      3
      0
      Votes
      3
      Posts
      2.2k
      Views

      F

      @dan Oh I see. The error in the response says:

      "because it was missing a unique id in the [user.id] or enough information to store in FusionAuth (i.e. an email or username)"

      In other words, "either Id or email" is missing from your request. Which makes boolean sense when thinking about it carefully.

      But when first reading it, I thought it meant "you need either Id or email", which is very different. I supplied one of those. I thought that was what the "or" meant.

      This error could be better as:

      "because it was missing a unique id in the [user.id] or enough information to store in FusionAuth (i.e. an email or username). Both are necessary"

    • I

      Unsolved Mule 4 - Workday connector

      • • infobrother4
      2
      0
      Votes
      2
      Posts
      494
      Views

      mark.robustelliM

      @infobrother4 So which way are you trying to move information? Into FusionAuth from Workday or into Workday from FusionAuth? What connector are you trying to use?

    • F

      Solved How to bulk import users with no password hash?

      frontegg ritza import migration • • fusionauth.qhj5e
      3
      0
      Votes
      3
      Posts
      1.7k
      Views

      F

      @mark-robustelli Oh ok, I'll set the password to a UUID then and set the user to change password on login. I'll try on Monday. Thanks for the forum link.

    • C

      Unsolved Propagate rememberDevice property from Login page back to redirect or similar

      login theme propagate rememberme • • carvalhom
      3
      1
      Votes
      3
      Posts
      2.0k
      Views

      C

      @dan Thank you for the prompt response. I will give this a try soon.

    • danD

      Solved Assign a user role when a user logs in using Google

      • • dan
      2
      0
      Votes
      2
      Posts
      1.2k
      Views

      danD

      This is possible today using a Google Reconcile Lambda. Our Lambdas allow arbitrary JavaScript to be executed during a login event. You can write logic to check the user's domain and assign them the appropriate role associated with the FusionAuth Application they're authenticating through.

      Below is a code example demonstrating how you could implement such logic:

      function reconcile(user, registration, idToken) {
        // Return the part of the email address after the '@' symbol (the domain name).
        function extractDomain(email) {
          var parts = email.split('@');
          return parts[1];
        }

        // Extract the email domain from the user object.
        var domain = extractDomain(user.email);

        // Make sure the roles array exists before adding to it.
        registration.roles = registration.roles || [];

        // Users from example.com get the 'teacher' role; any other domain gets the 'user' role.
        if (domain === 'example.com') {
          registration.roles.push('teacher');
        } else {
          registration.roles.push('user');
        }

        // This is optional, but is good to have for debugging purposes. The results will be returned in the event logs.
        console.info(registration.roles);
      }

    • danD

      Solved Simple session management service

      • • dan
      2
      0
      Votes
      2
      Posts
      694
      Views

      danD

      The best solution here would be to use entity management.

      You can create an entity type of Session or similar.

      Each time you have a user log in, you can create a Session and set the .data.session_identifier field to the value of the device fingerprint + business specific indicator, and store the access token as the value.

      When you are trying to find whether a user has a valid session, you can use the Entity search APIs to find that key and get back the value. Or, if the value doesn't exist, the user has no valid session.

      For expiration, you can use the access token's exp claim (which means anything consuming it will have to check that, which it should anyway). You could also manage additional expiration metadata in the .data field if you needed different logic (you have 5 hour access on weekdays, 10 hours of access on weekends or something similar).

      Note that you should be very aware of the security implications of this scheme (for example, that the device fingerprinting is unique and that the access token is narrowly scoped enough that if it is somehow obtained by an attacker it can't be used to damage the system).

    • danD

      logout questions

      logout • • dan
      6
      0
      Votes
      6
      Posts
      6.3k
      Views

      B

      @dan said in logout questions:

      I've got a question about logout.
      When logging in using the /oauth2/token route with the auth wordle code grant, it seems the /api/logout route does not revoke the refresh token.
      Is this intended? Is the best way to log out in this case with the /oauth2/logout route? How does that know which user to log out? There's no user id or refresh token property in the body.

      Regarding user identification during logout, the OAuth 2.0 specification doesn't define a standard logout endpoint. Logout processes are often application-specific, and the mechanism to identify the user being logged out might depend on the authentication framework or technology being used.

    • J

      Unsolved IIS Reverse Proxy not showing FusionAuth Page correctly

      • • jawaid.karim
      4
      0
      Votes
      4
      Posts
      1.9k
      Views

      danD

      @jawaid-karim Are you setting all the headers mentioned here? https://fusionauth.io/docs/operate/deploy/proxy-setup

    • danD

      Password that never expires?

      passwords expiration • • dan
      5
      0
      Votes
      5
      Posts
      1.7k
      Views

      danD

      If you needed to, you could always build an API integration (the User Update API lets you reset passwords, or you could initiate a Change Password Request) into your application for a specific user.

    • T

      Unsolved User Account Not Linked to IDP

      • • thomas.wojeck
      4
      1
      Votes
      4
      Posts
      427
      Views

      danD

      @thomas-wojeck

      Have you turned on the debug logs and looked in the event log? That's what I'd start doing to troubleshoot.

      More here: https://fusionauth.io/docs/operate/troubleshooting/troubleshooting#enabling-debugging

    • I

      Unsolved Howto setup a local FusionAuth evaluation server with a self-signed certificate

      • • info 0
      2
      0
      Votes
      2
      Posts
      339
      Views

      A

      @info-0 are you able to use our global one?

      https://local.fusionauth.io/ will redirect to http://localhost:9011

      If not, a great option is to set up ngrok
      https://fusionauth.io/docs/get-started/download-and-install/development/exposing-instance

      ngrok http --request-header-add 'X-Forwarded-Port:443' 9011

    • F

      Solved Why does import user with Registration fail?

      import wordpress type ritza registration • • fusionauth.qhj5e
      4
      0
      Votes
      4
      Posts
      2.2k
      Views

      A

      @fusionauth-qhj5e I have brought this up internally, for now we are considering adding a PR to make it more clear for users.

      https://github.com/FusionAuth/fusionauth-site/pull/2918