@dan I'll go back to the client and see if PKCE can be disabled, but I'm not getting my hopes up…
For reference, the GitHub issue can be found here: https://github.com/FusionAuth/fusionauth-issues/issues/968
D
Best posts made by derjan
-
RE: Identity Provider that requires PKCSposted in Q&A
Latest posts made by derjan
-
RE: Password reset always fails with "Your password reset code has expired or is invalid."posted in Q&A
Got the right answer in the Slack channel – I needed to update the theme templates too
-
Password reset always fails with "Your password reset code has expired or is invalid."posted in Q&A
I recently upgraded from an old FusionAuth version around 1.19 to 1.40.2. Because it is a one node installation, I also changed the search from elastic to database (PostgreSQL).
Everything went smoothly, but since the upgrade the password reset (and the setup password) links always show a "Your password reset code has expired or is invalid" error.I've updated the email templates to include the new query params:
[#setting url_escaping_charset="UTF-8"] [#assign url = "https://my.fusionauth.url/password/change/${changePasswordId}?client_id=${(application.oauthConfiguration.clientId)!''}&tenantId=${user.tenantId}" /] [#list state!{} as key, value][#if key != "tenantId" && key != "client_id" && value??][#assign url = url + "&" + key?url + "=" + value?url/][/#if][/#list] ${url}which results in an URL looking like this:
https://my.fusionauth.url/password/change/<some_code>?client_id=<some_id>&tenantId=<some_id>&metaData.device.name=macOS%20Chrome&metaData.device.type=BROWSER&redirect_uri=https%3A%2F%2Fmy.fusionauth.url%2Ftorii%2Fredirect.html&response_type=code&state=<some_state>&timezone=Europe%2FBerlinThings I have tried/checked:
- Updated the email templates (see above)
- Checked if the clock/time on the FusionAuth server is in sync with NTP
- Increased the "External identifier durations" for "Change password" and "Setup password" to 24 hours (86400 seconds)
- Tested with different applications, accounts, browsers, and operating systems
- Checked the logs (nothing to see there)
What else could be the reason, and how can I fix this? Any help is appreciated.
-
RE: Identity Provider that requires PKCSposted in Q&A
@dan I'll go back to the client and see if PKCE can be disabled, but I'm not getting my hopes up…
For reference, the GitHub issue can be found here: https://github.com/FusionAuth/fusionauth-issues/issues/968
-
RE: Identity Provider that requires PKCSposted in Q&A
@dan Thank you for the quick reply.
The identity provider is a client's instance of https://www.miniorange.com, and I'm trying to add it in
Settings -> Identity Providers -> Add provider -> OpenID Connect. -
Identity Provider that requires PKCSposted in Q&A
I'm trying to integrate an external identity provider that requires the Authorization Code Grand and a PKCE challenge method with S256.
I added the identity provider to FusionAuth, and the login window correctly shows the "Login with <my provider>" button, but I only get an "code challenge required" error back from this identity provider once I click the button.
Inspecting the call made to the identity provider I can see that the
client_id,redirect_url,response_typeandscopequery parameters are correctly set, butcode_challengeandcode_challenge_methodare missing (those are required according to the identity provider's documentation).Is there a way to enable PKCS for identity providers in FusionAuth?