@bradley-kite said in OIDC and Azure AD Groups:

Is there a way I can get an access token from within the Lambda?

👋 hiya @bradley-kite !

I haven't tested this, but there should be a refresh token stored in the identity provider link (since you are using OIDC). If you can retrieve that, you should be able to get a new access token, and then present that to azure ad.

https://fusionauth.io/docs/v1/tech/apis/identity-providers/links#retrieve-a-link

Look for identityProviderLink.token.

@egli This is not currently possible, but will be released in 1.47: https://github.com/FusionAuth/fusionauth-issues/issues/1738

@matthieu , that is understandable. Keep in mind if you are adding a lot of products often, you can use the APIs to help create and manage those permissions.

I.E. Create an Application Role, Create an Entity, Update a User Registration (for updating roles)

Managed domains are only available with the SAML and OIDC providers, not other kinds of identity providers (like Apple, etc)

If you are interested in which features of FusionAuth are premium, please see FusionAuth Premium Features.

You can achieve it by configuring an IdP with a managed domain.

For example, you can configure an OpenID Connect IdP (it doesn't have to have real values) and configure a managed domain for something that won't match anything practical such as no-match-domain.com. If this IdP is enabled it will cause FusionAuth to ask for the email separate from the email address.

*This will only work for SAML and OIDC Idps, not other kinds like Apple, etc. as managed domains are not supported.

Depending upon your use case, there are a few ways to get at that data.

You can use a JWT Populate lambda to add additional claims to the JWT from values stored inside user.data. You can then access these claims in the JWT after you validated it decode it yourself. Or, if you use the FusionAuth UserInfo endpoint, we will return the claims in a JSON response after we validate the token.

*Keep in the JWT Populate lamda you can add whateve you want. Any custom claims added to the JWT will then be returned by the UserInfo endpoint. In most cases it is better to keep the JWT small.

You can use the OAuth2 access token (JWT) to retrieve the user with the User API. This will return the entire user object include anything stored in user.data. This is done by making a GET request to the User API and providing the token in the Authorization header Authorization: Bearer <encoded JWT>

Make sure you these 4 headers in your proxy

Forwarded-Proto: typically this will be https. This ensures any redirects are sent with the appropriate scheme. Forwarded-Host: The original host requested by the client in the Host HTTP request header. Forwarded-For: The originating IP address of the client. Forwarded-Server: The hostname of the proxy server.

@eric-vigiani please open a support ticket: https://account.fusionauth.io/account/support/

One option would be to use Events & Webhooks. Depeneding on what you want to track, you may be interested in the following events:
-[user.registration.create]
-[user.registration.complete]
-[user.registration.verified]

You could also enable the email verification gate. Then you could call your tracking event on this themed page which would only be fired when the user exits the Email Verification gate as the result of completing their email verification during registration.

Another option may be to add an UTM code to the redirect_uri used for self-service registration and consume that in your application as the result of a user completing registration.

It depends on how you setup the database. FusionAuth only needs compute nodes (easy to have in multiple regions) and a postgresql or mysql database (which supports foreign keys, so things like planetscale are out). If you set up an active-active db, it should work. Be sure to load test it and validate.

Yes, if you have API access. Please find the documentation here: Passwordless APIs

The process would go like this:

Call Start /api/passwordless/start, capture the code code. Call Login /api/passwordless/login with code Get a JWT and do with it what you normally would

For a Two Factor setup you would:

Call Start /api/two-factor/start consume code Call Login /api/two-factor/login with code Get a JWT

If the end user never needs to log themselves in, you may also consider:

Assign a random application password to a user. Use that known password to call the Login API Get a JWT! Optionally remove the application password if you want it to be a one time use password.

This does have the issue of not creating an SSO session for the user, but that may not be a problem. (If someone logs in this way, and then goes to another application which has a login page managed by the 'hosted login pages' of FusionAuth, they won't be automatically logged in.)

This should work, though this is not a common config.

Here are the suggested startup and liveness probes which worked for a community member:

I have configured the startup and liveness probes as follows, and they are working well: Startup probe http /api/status periodSeconds: 2s initialDelaySeconds: 0s timeoutSeconds: 1s failureThreshold: 10 Liveness probe http /api/status periodSeconds: 10s initialDelaySeconds: 0s timeoutSeconds: 1s failureThreshold: 3

More details and discussion on the GH issue: https://github.com/FusionAuth/fusionauth-issues/issues/1980

You will have to add the key to your FusionAuth instance as in this post.

In the FusionAuth admin page, got to Settings --> Key Master
e1482d56-5555-4d96-9c6a-1eeef98f87d2-image.png

Click "Generate EC key pair"
90f479ab-302c-4660-8157-03e3a8bfe58e-image.png

Fill in the information - I used JWT Signature - Asymmetric RSA Key Pari (RS256) for the name
5b7ddb83-c764-4000-87f8-cc3384d05429-image.png

Go to to Applications in FusionAuth admin and select edit on your application.

Select the JWT tab

Select Enabled
b6505e8e-1e2b-46c1-bfa6-56d7bfa0a5ba-image.png

In the JSON web token settings select the key you created in the above step.
becb03a2-81bf-4f1e-be82-34526e8c410f-image.png

@iwky You're spot on. My only suggestion would be to script the application configuration so that it is easy to create and update the FusionAuth configuration as you add new tenants.

You'll receive an error in both scenarios.

If you are using the web interface, you'll get a red message saying "Already exists".

forum-edit-user-email.png

And if you are trying to use the Update User API endpoint, you'll receive a HTTP 400 Bad Request error:

forum-edit-user-email-api.png

Even though we don't have specific SDKs for mobile apps, we do have a Flutter quickstart which uses our Dart client library.

If you want to develop natively, we recommend using AppAuth, which has iOS and Android SDKs and is maintained by the OpenId Foundation:

https://github.com/openid/AppAuth-iOS https://github.com/openid/AppAuth-Android

There's also a FusionAuth Swift Client maintained by the community.

Hi there!

Please make sure that you have selected that Lambda in your Application by navigating to its edit page, going to the JWT tab and choosing it on Access Token populate lambda.

For instance, my (extremely simple) function looks like:

function populate(jwt, user, registration) { jwt.customClaim = 'gotcha'; console.debug(JSON.stringify(user)); }

And I received the following access token with that customClaim at the end:

235241bf-3086-4565-a424-a14398bdcafd-image.png

@beezerk I'd suggest modifying the theme and adding a link and a meta redirect. I don't think there's any way to specify a redirect.

This has been fixed in version 1.46.0, which should be released soon.

You can track it at the issue above.

Thanks for reporting, @ndiarmand !

Also, I added some documentation to help folks to find this easier: https://github.com/FusionAuth/fusionauth-site/pull/2219

Should be live in a few minutes.