FusionAuth
    • A

      Unsolved Gate Users can get JWT token

      • • andrey.dzhezhora
      Votes: 1 · Posts: 2 · Views: 651

      J

      Hi @andrey-dzhezhora,

      From our conversation outside the forum:

      • You are attempting to enforce email verification, i.e. gate users for OAuth password workflow.
      • Your users were able to get a JWT despite not verifying their email address.
      • You are using your own hosted oauth/authorize page.
      • You have a paid version of FusionAuth with version > 1.27.0, which is required to use gate user accounts.

      Problem:

      You attempted to log a user in for OAuth2 using a password grant type and expected the user to be gated.

      If you are providing your own login page, you would need to inspect the JWT returned by FusionAuth in order to determine if a user has been email verified.

      Solution:

      The easier option would be to use our hosted login pages and the authorization code grant. Once verified, FusionAuth will release an access token after a user successfully logs in. If the user hasn't been email verified, FusionAuth will not return a JWT and will 'gate' the user - which redirects to a page where a user will enter a verification code sent to their registered email address.

      Disclaimer:

      If you use the password grant, you would be building your own login page. Therefore, you would have to build the functionality in your integration code to check whether a user has been verified.

    • C

      Unsolved Avoid 'sso' and 'remember-device' cookies persistence after closing browser

      • • ctorres
      Votes: 1 · Posts: 4 · Views: 1.7k

      dan

      @ctorres

      Ah. There's no way to convert cookies. I mean, I guess you could proxy all FusionAuth access through an NGINX instance or something like that, in which case you'd control the cookies, but there's no setting in FusionAuth to modify the cookies. Feel free to open a feature request referencing this forum post if you feel like it'd be a good feature.

      For the present, you might be able to make a GET request against the logout endpoint in the window.close event listener.

      A bit of googling turned this up: https://stackoverflow.com/questions/6162188/javascript-browsers-window-close-send-an-ajax-request-or-run-a-script-on-win

      Let me know if you experiment and find a way to do this; I'd be interested to learn what works.

    • D

      Unsolved user.action start event is not fired

      • • dev 2
      Votes: 0 · Posts: 2 · Views: 998

      robotdan

      @dev-2

      Resolved in version 1.36.7 via https://github.com/FusionAuth/fusionauth-issues/issues/1654.

      https://fusionauth.io/docs/v1/tech/release-notes#version-1-36-7

    • D

      Unsolved What is the base CSS used by the default theme?

      • • dhait
      Votes: 0 · Posts: 2 · Views: 712

      dan

      @dhait

      You should copy the default theme (which is immutable) and then modify the CSS file.

      https://fusionauth.io/docs/v1/tech/themes/#templates has some documentation:

      Stylesheet (CSS) Optional This CSS stylesheet may be used to style the themed pages. This CSS will be included in the head tag in the Helpers head macro. You may also choose to include other remote stylesheets by using the <style> tag within the head macro.
    • A

      Unsolved Issuing Signature failed tokens

      jwt signatures elliptical • • aleksandr.vits-rimer
      Votes: 1 · Posts: 7 · Views: 2.9k

      A

      Created the github issue - https://github.com/FusionAuth/fusionauth-issues/issues/1795

    • L

      Solved Is the Dart client still working?

      • • lluvia
      Votes: 1 · Posts: 2 · Views: 287

      L

      Update: Never mind, apparently cleaning the project seems to have done the trick and I am able to use the client without issues. I will post back if I encounter other issues. Thank you!

    • M

      Solved Invalid JSON error when trying to retrieve users using user API

      erro json user-api • • munkith.abid
      Votes: 1 · Posts: 3 · Views: 3.1k

      M

      @dan Oops! Thank you so much Dan, it worked like a charm. I was fooled into leaving this header in because I tried the exact same request setup using one of these free API endpoints instead of the FusionAuth API and it worked with the content-type included. Thanks again.

    • V

      Unsolved Issue with POST to /oauth2/token from container inside K8s

      • • vince
      Votes: 0 · Posts: 2 · Views: 355

      dan

      @vince Hmmm. That sounds like a network connectivity issue. Googling for "Client network socket disconnected before secure TLS connection was established" shows that a lot of folks have proxy issues.

      Can you run curl on the same host and see if you can get to FusionAuth successfully?

    • J

      Solved FusionAuth with Nextcloud

      • • jbtruffault
      Votes: 1 · Posts: 5 · Views: 1.3k

      dan

      @jbtruffault Glad you figured it out, and thanks for sharing that link!

    • A

      Unsolved How to trim input fields

      login theme • • a.hauck-groninger
      Votes: 1 · Posts: 5 · Views: 1.9k

      M

      @fusionauth007 yo! I filed a GitHub report on this, check out "Trim whitespace from user input on backend (username/emails)" #1779

      I’ve detailed a workaround we’ve got running in prod 👍

    • A

      Unsolved Equivalent to Auth0 Organizations

      • • alton
      Votes: 1 · Posts: 2 · Views: 521

      dan

      @alton

      Does FusionAuth have an equivalent to Auth0 Organizations (B2B scenario) where users can log into the same organizations as their team members (colleagues).

      The best way to model that is using entity management: https://fusionauth.io/docs/v1/tech/core-concepts/entity-management

      We unfortunately don't have a sample application showing this behavior, but know that folks have implemented that type of behavior using this feature.

      Also invites can be sent to email addresses for pre-registered users (with configured roles) under the same organization/company.

      Some FusionAuth community members use the Setup Password template (which is sent whenever a user is created via the API without a password) to offer invite-link functionality.

    • A

      Unsolved Connectivity pricing questions

      pricing entities sales client creds • • arjunyel
      Votes: 0 · Posts: 2 · Views: 1.5k

      dan

      @arjunyel

      Connectors are documented here: https://fusionauth.io/docs/v1/tech/connectors/

      Machine to machine auth is the client credentials grant: https://fusionauth.io/docs/v1/tech/oauth/#example-client-credentials-grant

      Does 100 Machine To Machine Auth mean you can have 100 API entities?

      Yes, that is correct.

    • S

      Solved Cluster install

      cluster install postgresql • • sandrinho
      Votes: 0 · Posts: 6 · Views: 3.2k

      S

      @dan unfortunately not yet in production due to issues that don't depend on me... but the cluster seems to be working... I also succeeded in performing a software upgrade to the latest FusionAuth version.

    • A

      Unsolved This topic is deleted!

      • • aleksandr.vits-rimer
      Votes: 0 · Posts: 1 · Views: 4

      No one has replied

    • Y

      LDAP connector resets User Registrations

      • • yb98
      Votes: 0 · Posts: 7 · Views: 2.0k

      dan

      @jared GitHub issues are the right place for feature requests, thanks!

      There's an 'additional context' section for feature requests, and you can feel free to link back to these forum posts. That can help enrich the discussion when the eng team reviews requests to prioritize them.

      Cheers!

    • C

      Unsolved Login blocking.

      • • crystar
      Votes: 0 · Posts: 3 · Views: 308

      L

      @crystar Another choice would be to utilize custom integration code in order to set a cap on the number of sessions (refresh tokens) that a single user is permitted to have scoped to them.

    • D

      Unsolved Simplify Login/Signup Flow with Google One-Tap

      • • dev 3
      Votes: 0 · Posts: 3 · Views: 3.0k

      D

      How to make our login credentials more secure on my website. You can use the change wp login plugin in your WordPress website to make it more secure.

    • D

      Configuration options for MFA

      • • david.oggier
      Votes: 0 · Posts: 3 · Views: 644

      dan

      There are plans for enhancing MFA in the future. You can view this GitHub issue for details and progress: https://github.com/FusionAuth/fusionauth-issues/issues/960

      If you don't see an issue corresponding to your desired enhancement, please file one.

    • A

      Unsolved Trying to reach the password/complete page, getting redirected.

      • • agalemmo
      Votes: 0 · Posts: 2 · Views: 2.2k

      dan

      @agalemmo I'm not sure I'm following. It sounds like you are saying:

      • I want folks to reach the password complete page
      • I want the client_id to be present (for styling)
      • But I don't want the redirect_uri, because that sends the user elsewhere

      Is that correct?

      Would it be helpful to you to add another redirect_uri (you can have multiple configured for an application) that took someone to a 'password change complete' page that you (not FusionAuth) hosted?

    • S

      Unsolved Error 404 when trying to login using access token

      token php login-api • • seednextsrl
      Votes: 0 · Posts: 2 · Views: 2.1k

      dan

      @seednextsrl you typically don't use the access token as a login password.

      The access token is what you present to other applications as proof that someone has logged in.

      There are a few FusionAuth APIs you can call and present the access token as a means of authentication. They are marked with a little blue person.

      Here's more about API authentication: https://fusionauth.io/docs/v1/tech/apis/authentication

      Here's an example of an API which uses a JWT to authenticate: https://fusionauth.io/docs/v1/tech/apis/users#retrieve-a-user (scroll to the "Retrieve a User using a JWT" section).