@mou, Is this what you are looking for? https://fusionauth.io/docs/lifecycle/authenticate-users/application-authentication-tokens
Best posts made by mark.robustelli
-
RE: Missing data.salution in /ouauth/userinfo which replaces /api/user posted in Release
@kiouplidis I found this in the documentation.
In version 1.50.0 and later, the UserInfo response can be customized with a lambda using the oauthConfiguration.userinfoPopulateLambda value of the application object. See UserInfo populate lambda.
In FusionAuth, you can add custom data to the oauth2/userinfo endpoint response using a Lambda function. This function can add extra claims to the UserInfo response. Here's an example of a simple Lambda function that adds a few extra claims:
    function populate(userInfo, user, registration, jwt) {
      // Add a new claim named 'favoriteColor' from a custom data attribute on the user
      userInfo.favoriteColor = user.data.favoriteColor;

      // Add a new claim named 'dept' using a custom data attribute on the registration
      userInfo.dept = registration.data.departmentName;

      // Copy a claim named 'applicationId' from the provided JWT
      userInfo.applicationId = jwt.applicationId;

      // Create an event log of type 'Debug' when the lambda has Debug enabled
      console.debug('Added custom claims to the UserInfo response');
    }

In this example, the favoriteColor and dept are custom claims added to the UserInfo response. These claims are derived from the custom data attributes on the user and registration respectively.
Please note that the Lambda function needs to be assigned to an application in FusionAuth for it to take effect.
-
RE: Salesforce error: Id_Token_Error: Missing or invalid iss posted in General Discussion
Hello @yuval,
I'm not very familiar with Salesforce but when taking a look at the guide there is a step that says "Scroll down to the Salesforce Configuration section and open the address from Test-Only Initialization URL in an incognito window.". What do you see when you try that?
If you are not getting that information, can you please describe in a little more detail what steps you have taken and when you receive the above message about the invalid iss?
-
Security Token Signature Key Not Found Exception: IDX10501: Signature validation failed. Unable to match key posted in Q&A
I am running through the Integrate Your .NET 7 Application With FusionAuth quickstart guide and encountered the error listed below.
I think it has to do with following message in the guide:
The script set up a RS256 asymmetric signing key. FusionAuth supports this signing algorithm, but doesn't ship with a default key.
How do I add the required key to FusionAuth?
Error Message:
An unhandled exception occurred while processing the request.
SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match key:
kid: '236bb45e-e88c-4f07-87ff-c93d6fb752a2'.
Number of keys in TokenValidationParameters: '0'.
Number of keys in Configuration: '0'.
Exceptions caught:
''.
token: '{"alg":"HS256","typ":"JWT","gty":["authorization_code"],"kid":"236cc45e-e88c-4f07-87ff-c93d6fb752a2"}.{"aud":"236bb45e-e88c-4f07-87ff-c93d6fb752a2","exp":1687312521,"iat":1687308921,"iss":"acme.com","sub":"e5e4a956-0f9d-4bec-9121-dededb20e00f","jti":"ca5d3d30-ef26-4e48-afcb-d5ba670ac2d4","authenticationType":"PING","email":"myemail@email.com","email_verified":true,"at_hash":"ANWNkB4EA34d0cr1A50zQg","c_hash":"eCEeL-bgcDFkzcpmNT5k9g","scope":"openid profile","nonce":"634229057201762476.ZDQ1NzEzZWMtM2M4OS00ODgxLWI3ZmEtNjJhZWY0MzhlOWYzN2I4ODdhNmQtYTI2OS00OTc0LThhOWEtYzc2OGEzYmIzN2M3","sid":"4fe9dcc0-1ce9-4819-a97a-47c38cb730b8","auth_time":1687308921,"tid":"a51e69f7-520b-6860-2d33-d1e12f797af9"}'. -
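A triage helper for the IDX10501 error in the post above, added here as an example and not part of the original post or of FusionAuth's code: it decodes a token header without verifying it and reports why a JWKS-based validator finds no matching key. The names `triageToken` and `makeSample`, the accepted-algorithm list and the sample values are assumptions.

```javascript
// Decode one base64url JWT segment into an object (no signature check).
// Node's 'base64' decoder also accepts the URL-safe alphabet.
function decodeSegment(segment) {
  return JSON.parse(Buffer.from(segment, 'base64').toString('utf8'));
}

// Hypothetical helper: list the reasons a JWKS-based validator would reject
// this token before any signature math happens.
// jwks: parsed JWKS document ({ keys: [...] }); expectedAlgs: assumed policy.
function triageToken(token, jwks, expectedAlgs = ['RS256']) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return ['not a compact JWS: expected 3 segments'];

  let header;
  try {
    header = decodeSegment(parts[0]);
  } catch (e) {
    return ['header is not valid base64url JSON'];
  }

  const findings = [];
  if (!expectedAlgs.includes(header.alg)) {
    findings.push(`alg ${header.alg} is not in the accepted list ${expectedAlgs.join(',')}`);
  }
  if (/^HS/.test(String(header.alg))) {
    // Symmetric secrets are shared out of band, so no JWKS entry can match.
    findings.push('HMAC-signed token: the secret is never published in a JWKS');
  }
  const keys = jwks && Array.isArray(jwks.keys) ? jwks.keys : [];
  if (keys.length === 0) {
    findings.push('JWKS contains 0 keys');
  } else if (!keys.some((k) => k.kid === header.kid)) {
    findings.push(`kid ${header.kid} not present in JWKS`);
  }
  return findings;
}

// Constructed sample token: only the header matters here; the payload and
// signature are dummies and the token is not valid.
function makeSample(header) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc(header)}.${enc({ iss: 'acme.com' })}.c2ln`;
}

console.log(triageToken(makeSample({ alg: 'HS256', typ: 'JWT', kid: 'kid-a' }), { keys: [] }));
```

An empty result means the header's `alg` and `kid` are consistent with the JWKS, so the failure lies elsewhere (for example, a stale cached key set in the validator).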
RE: 3rd Party Authentication posted in General Discussion
@it-contracts Hello. I am pretty new to FusionAuth, but my understanding is that you are taking the correct steps. I am not aware of a way to do this within a single call.
Are you simply looking to be more efficient with the calls or is there some reason this workflow will not work for you?
-
Using Analytics to Track Registrations posted in Q&A
What is the best way for analytics tracking after a user has successfully registered?
-
RE: 3rd Party Authentication posted in General Discussion
@it-contracts I apologize for misunderstanding your initial question. You and @kash are correct in that by using FusionAuth, it will appear to be one call from your perspective. However, in the background, FusionAuth will still need to make the same amount of calls to the access token. And another nice thing about using FusionAuth is that you will be able to add other identity providers in the same way.
-
Multi-Region Cloud Setup posted in Q&A
Does FusionAuth support multi-region active-active set-up for cloud services?
-
RE: 3rd Party Authentication posted in General Discussion
@it-contracts Can you please share the OAuth settings you have for your application? In the FusionAuth Admin UI select Applications. Select Edit or view for your application. Share the OAuth and JWT settings. Be sure to remove any sensitive information before posting here.
-
RE: Add User to group not working posted in Q&A
@sandesh Thanks for sharing here on the forum. Hope you are able to accomplish your end goal with the APIs.
Latest posts made by mark.robustelli
-
RE: POST /api/user/import not triggering webhook `user.bulk.create' posted in Q&A
@chad-hurd Awesome that you got it figured out. Do you mind sharing what, specifically, was wrong with the setup? It may help others down the road.
-
RE: POST /api/user/import not triggering webhook `user.bulk.create' posted in Q&A
@chad-hurd That is interesting. I will check this out over the next day or two and see if there is anything I can learn. Has anyone else had experience with this?
-
RE: Account Portal - Is Federation to our Enterprise IDP possible? posted in Q&A
@batmysta, Thanks for clearing that up. Unfortunately, there is no way I know of to configure federated authentication with the FusionAuth Account Portal.
-
RE: Account Portal - Is Federation to our Enterprise IDP possible? posted in Q&A
@batmysta, In general, you should be able to. Please check out our documentation on Identity Providers. If that does not answer your question, please give us a little more detail and we will see what we can do to help you out.
-
RE: All log posted in Q&A
@manoj-patil Have you checked out the documentation on this? Is there something missing? I imagine that if you want all network traffic, you would have to configure that separately than the logs you get from FusionAuth activity since that would be at the networking level.
-
RE: How to get event.info.deviceDescription in events webhook (ex user.login.success)? posted in Q&A
@rabah-laouadi What information is in the device.description that is not in the info section?

    "info": {
      "deviceName": "macOS Chrome",
      "deviceType": "BROWSER",
      "ipAddress": "192.168.65.1",
      "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36"
    },

Or are you specifically trying to get a custom value in your url? If you let us know a little more about what exactly you want to accomplish, we may be able to find a way to get it done.
Also have you seen this post?
-
RE: Redirect loop between login and consent page during OAuth2 authorization (Proof of Concept) posted in Q&A
@jefferson-piscos, the debug enabled is under the OAuth tab. Go ahead and enable that and check the logs.

Also it is a little weird that you are redirected to a consent screen. Do you have any consents configured? You can go to Settings -> Consents in the Admin UI.

Then you can check the user and see if you have any set for the user you are testing.

Hopefully that will clear it up and you will be good to go. If not, let's see what those logs say.
-
RE: Redirect loop between login and consent page during OAuth2 authorization (Proof of Concept) posted in Q&A
@jefferson-piscos There are a few things that may be going on. Where are you expecting to redirect to after successful login? Can you tell if that page is being hit or is it redirecting back to the login page because that is the page you set it to? Anything you can safely share about the application configuration in FusionAuth or code for your redirect page could be helpful.
In terms of tips for debugging, you can turn on "Debug Enabled" for the identity provider and then check the Event Log after you try to log in. Let us know if that yields any useful information.
-
RE: Issues with multi-tenant refresh token revocation and custom JWT signing posted in General Discussion
@michaelginn529 What do you have your "Logout behavior" set to for the application? Any other specific configuration you can share would help as well.
-
RE: Proxy IP Issue posted in Q&A
@haziqt Sounds like FusionAuth is up and working except reporting the wrong IP address of the user on login. You may want to consider opening an issue.