FusionAuth
    • S

      Unsolved Forgot-password

      • • sujata.kattimani
      2
      1
      Votes
      2
      Posts
      4.1k
      Views

      danD

      @sujata-kattimani

      You can change the password using the User API and updating the user's password attribute:

      https://fusionauth.io/docs/v1/tech/apis/users#update-a-user

      Does that help?

    • F

      Unsolved Wrong logout URL being returned ?

      • • francis.ducharme
      7
      0
      Votes
      7
      Posts
      4.2k
      Views

      F

      @dan said in Wrong logout URL being returned ?:

      @francis-ducharme What is your setting for logoutBehavior for each application config? All applications or redirect only?

      By default it is 'all applications' which means that FusionAuth, on logout, will call each application's logout url (to ensure that the user is logged out of all applications). It does this via an iframe, so I'd expect both to be requested. https://fusionauth.io/docs/v1/tech/guides/single-sign-on#configure-the-applications-in-fusionauth has a bit more.

      I'm not sure why you are ending up at localhost for the dev app, though.

      That was it. All my applications' logout behaviors were set to "All Applications". "Redirect" only made it so the browser doesn't get redirected to "localhost".

      Thanks!

    • danD

      Unsolved When and how should I validate a JWT issued by FusionAuth?

      jwt validation • • dan
      2
      0
      Votes
      2
      Posts
      3.7k
      Views

      danD

      Validating the token on every new connection is considered best practice as it is the most secure.

      There are two ways to validate a token. You can do it within your own application code leveraging a library that checks the signature and validates the claims (this only works when you sign your JWTs with a public key). Or you can do it by calling out to FusionAuth, and then validating the claims. For scalability/simplicity reasons, we recommend using the library unless there are reasons it won't work.

      By doing this server side using a library you no longer need to make the API call to FusionAuth to perform the validation. You would only need the public key of whichever signing key was used by FusionAuth. More on that here: https://fusionauth.io/docs/v1/tech/core-concepts/key-master#overview The public key is available via JWKS.

      When using keys we also recommend you think about key rotation, explained in more detail here: https://fusionauth.io/docs/v1/tech/tutorials/key-rotation

      If you decide on leveraging the endpoints (making a call to FusionAuth) for validation, here are a couple links that can be used depending on your scenario.

      https://fusionauth.io/docs/v1/tech/apis/jwt#validate-a-jwt (proprietary)
      https://fusionauth.io/docs/v1/tech/oauth/endpoints#userinfo (part of the OIDC standard)

      In both cases, you must validate the claims. Some are standard, as outlined here: https://fusionauth.io/learn/expert-advice/tokens/anatomy-of-jwt#claims-to-verify

      But there may be app specific custom claims your code should verify too.

    • P

      Unsolved Any way to have password 'minimum age' exemption for default FusionAuth-generated passwords?

      • • philip.smith
      2
      1
      Votes
      2
      Posts
      6.3k
      Views

      danD

      @philip-smith This looks similar to this prior discussion: https://fusionauth.io/community/forum/topic/1082/do-not-enforce-minimum-password-life-restrictions

      I don't know of any workaround, but this seems like a reasonable request.

      You can file an issue requesting this functionality: https://github.com/fusionauth/fusionauth-issues/issues and we'll put it in the backlog.

    • D

      Unsolved AD group members-only authentication?

      • • dan.anderson
      2
      1
      Votes
      2
      Posts
      273
      Views

      danD

      @dan-anderson

      I'd probably look at a transactional webhook on the login success event. That code can examine the user, call out to AD if needed, and if it returns a non-2xx status, will prevent login.

      More here: https://fusionauth.io/docs/v1/tech/events-webhooks/

    • J

      Unsolved This topic is deleted!

      • • jbtruffault
      1
      0
      Votes
      1
      Posts
      1
      Views

      No one has replied

    • M

      [ERROR] FusionAuth's login page redirecting issue on Android

      • • marco
      6
      1
      Votes
      6
      Posts
      5.8k
      Views

      F

      @mgetka thanks so much for the explanation.

      "to redirect iOS users directly to pseudo protocol. And redirect all the android user to a custom interstitial site. "
      I believe this would be the only option for the time being.

      Deep Linking doesn't work at least for my application:
      Flutter -> flutter_appauth(4.0.1) -> fusionauth

      While the same scenario could work with Auth0, following this blog.

      Comparing with the solution with FusionAuth.
      FusionAuth opens a new tab for Facebook and Google login.

      While Auth0 continues on the same page with a page redirection.

    • danD

      Unsolved limiting registration

      • • dan
      2
      0
      Votes
      2
      Posts
      343
      Views

      danD

      I'd probably use a transactional registration webhook for the first situation. This can return a non 2xx status if the domain is unacceptable and the registration won't complete.

      For the second one, you could use a populate JWT lambda to add the role to the token if the user has the correct domain. If you need it persisted you could call FusionAuth APIs within the lambda (this functionality is limited to certain paid versions) or use a registration complete webhook to augment the roles (but this won't help with the initial registration, so should be combined with the lambda if used).

      More here: https://fusionauth.io/docs/v1/tech/events-webhooks/ and https://fusionauth.io/docs/v1/tech/lambdas/

    • J

      Unsolved FusionAuth community version for a commercial system

      • • johnmiller
      3
      1
      Votes
      3
      Posts
      989
      Views

      danD

      Also, we just updated the pricing page to make it clearer that the Community edition can be used with commercial applications.

    • J

      Unsolved How to achieve multiselect dropdown using 'Advanced Registration Form' custom form field

      • • jitendra.sabat
      2
      0
      Votes
      2
      Posts
      569
      Views

      danD

      @jitendra-sabat

      We don't have an out of the box form control for a multi-select, but you can create one using the theme customization. You should start with a custom form field with a check box form control type because it supports multiple values.

      As long as the serialized version of the form is valid and matches the data type you set in the field definition, it should work.

      So, start with the checkbox list, and ensure that is functional, and then you can re-write that control or style it however you want in the themed template, or via JavaScript.

    • J

      Unsolved How to add/alter attributes of a 'Advanced Registration Form' form field

      • • jitendra.sabat
      2
      0
      Votes
      2
      Posts
      480
      Views

      danD

      @jitendra-sabat

      Hiya,

      You can add keys to the messages.properties file. Here's a blog post that illustrates this: https://fusionauth.io/blog/2020/09/01/theme-registration-form

      In that post, the registration.data.minprice field is one of the custom fields.

    • B

      Unsolved Invalid CORS pre-flight request. HTTP header not allowed.

      • • bvb1992bvb
      3
      0
      Votes
      3
      Posts
      1.0k
      Views

      B

      This is all that the event log says:
      0bb4ffd1-ffcd-4cd9-b697-0689dd727794-image.png

      It seems there is a similar issue reported here:
      https://fusionauth.io/community/forum/topic/835/cors-error-when-posting-to-oauth2-token/7

      It's working when I use Postman.

    • V

      Unsolved FusionAuth as SAML relying party and custom login pages

      • • varunghaswala
      5
      1
      Votes
      5
      Posts
      2.8k
      Views

      danD

      Doc PR here: https://github.com/FusionAuth/fusionauth-site/pull/1427

    • A

      Solved Form Field verification strategy still sends a link for verification

      • • AliMirlou
      2
      0
      Votes
      2
      Posts
      674
      Views

      A

      Seems like it doesn't work until the gated unverified behavior feature is enabled.

      Although this is confusing because FusionAuth accepts my new form field verification strategy setting but just ignores it.

    • J

      Unsolved Is there a way to add the ForceAuthn property to a SAML V2 request?

      • • jlinton
      4
      0
      Votes
      4
      Posts
      782
      Views

      J

      @jlinton

      Is it possible to leverage what is described in this post?

      https://fusionauth.io/community/forum/topic/663/force-google-account-selection-on-every-login

      Also, how entrenched are you with SAML?

    • F

      Unsolved Where to put SAML metadata if FA is acting as IDP?

      • • fred.fred
      4
      0
      Votes
      4
      Posts
      1.2k
      Views

      danD

      @fred-fred said in Where to put SAML metadata if FA is acting as IDP?:

      But it looks like this is the only place to enter SP metadata info, correct?

      I'm not sure I understand what you mean.

    • P

      Unsolved How to configure FusionAuth logging to DataDog

      • • pete.brar
      2
      2
      Votes
      2
      Posts
      527
      Views

      danD

      @pete-brar

      I know we've had some customers ask for this, but I'm not aware of anyone. I imagine it shouldn't be hard to write an ingester--listen to the event logs webhook and push to DataDog.

      https://fusionauth.io/docs/v1/tech/events-webhooks/events/event-log-create https://docs.datadoghq.com/api/latest/events/

      Here's a sample AWS lambda that listens to FusionAuth events and pushes them to S3: https://github.com/FusionAuth/fusionauth-example-lambda-webhook

      Maybe you could re-use some of that code?

      If you end up doing so, please share any findings here; I'd love to know how it went.

    • N

      Unsolved Theme templates do not reflect updates after edit and save

      • • nathan 0
      2
      1
      Votes
      2
      Posts
      299
      Views

      danD

      @nathan-0

      Hmmm. That's no good!

      What version of FusionAuth are you running?

      What changes are you making? Have you tried making different changes?

      There's also often some confusion between verify registration and verify email, so are you sure you are walking through the correct workflow?

    • T

      Unsolved Multiple accounts / sessions switching

      • • theo
      2
      1
      Votes
      2
      Posts
      324
      Views

      danD

      @theo This is a good use case for entity management. You can model workspaces as entities and then grant a single user account permissions for each workspace as needed.

      This is a slightly different model, because the user still has one account, though.

      Here are more details: https://fusionauth.io/docs/v1/tech/core-concepts/entity-management

      Note that entity management is a feature requiring a paid license.

    • T

      Unsolved Force auth / 2FA / MFA?

      • • theo
      2
      1
      Votes
      2
      Posts
      357
      Views

      danD

      @theo You'll want to look at step up auth.

      It's documented here: https://fusionauth.io/docs/v1/tech/guides/multi-factor-authentication#step-up-auth