@mou, Is this what you are looking for? https://fusionauth.io/docs/lifecycle/authenticate-users/application-authentication-tokens
mark.robustelli
@mark.robustelli
Best posts made by mark.robustelli
-
RE: Missing data.salution in /ouauth/userinfo which replaces /api/user
@kiouplidis I found this in the documentation.
In version 1.50.0 and later, the UserInfo response can be customized with a lambda using the oauthConfiguration.userinfoPopulateLambda value of the application object. See UserInfo populate lambda.
In FusionAuth, you can add custom data to the oauth2/userinfo endpoint response using a Lambda function. This function can add extra claims to the UserInfo response. Here's an example of a simple Lambda function that adds a few extra claims:
```javascript
function populate(userInfo, user, registration, jwt) {
  // Add a new claim named 'favoriteColor' from a custom data attribute on the user
  userInfo.favoriteColor = user.data.favoriteColor;
  // Add a new claim named 'dept' using a custom data attribute on the registration
  userInfo.dept = registration.data.departmentName;
  // Copy a claim named 'applicationId' from the provided JWT
  userInfo.applicationId = jwt.applicationId;
  // Create an event log of type 'Debug' when the lambda has Debug enabled
  console.debug('Added custom claims to the UserInfo response');
}
```
In this example, the favoriteColor and dept are custom claims added to the UserInfo response. These claims are derived from the custom data attributes on the user and registration respectively.
Please note that the Lambda function needs to be assigned to an application in FusionAuth for it to take effect.
-
RE: Salesforce error: Id_Token_Error: Missing or invalid iss
Hello @yuval,
I'm not very familiar with Salesforce, but when taking a look at the guide there is a step that says "Scroll down to the Salesforce Configuration section and open the address from Test-Only Initialization URL in an incognito window." What do you see when you try that? If you are not getting that information, can you please describe in a little more detail what steps you have taken and when you receive the above message about the invalid iss?
-
Security Token Signature Key Not Found Exception: IDX10501: Signature validation failed. Unable to match key
I am running through the Integrate Your .NET 7 Application With FusionAuth quickstart guide and encountered the error listed below.
I think it has to do with following message in the guide:
"The script set up a RS256 asymmetric signing key. FusionAuth supports this signing algorithm, but doesn't ship with a default key."
How do I add the required key to FusionAuth?
Error Message:
An unhandled exception occurred while processing the request.
SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match key:
kid: '236bb45e-e88c-4f07-87ff-c93d6fb752a2'.
Number of keys in TokenValidationParameters: '0'.
Number of keys in Configuration: '0'.
Exceptions caught:
''.
token: '{"alg":"HS256","typ":"JWT","gty":["authorization_code"],"kid":"236cc45e-e88c-4f07-87ff-c93d6fb752a2"}.{"aud":"236bb45e-e88c-4f07-87ff-c93d6fb752a2","exp":1687312521,"iat":1687308921,"iss":"acme.com","sub":"e5e4a956-0f9d-4bec-9121-dededb20e00f","jti":"ca5d3d30-ef26-4e48-afcb-d5ba670ac2d4","authenticationType":"PING","email":"myemail@email.com","email_verified":true,"at_hash":"ANWNkB4EA34d0cr1A50zQg","c_hash":"eCEeL-bgcDFkzcpmNT5k9g","scope":"openid profile","nonce":"634229057201762476.ZDQ1NzEzZWMtM2M4OS00ODgxLWI3ZmEtNjJhZWY0MzhlOWYzN2I4ODdhNmQtYTI2OS00OTc0LThhOWEtYzc2OGEzYmIzN2M3","sid":"4fe9dcc0-1ce9-4819-a97a-47c38cb730b8","auth_time":1687308921,"tid":"a51e69f7-520b-6860-2d33-d1e12f797af9"}'.
-
RE: 3rd Party Authentication
@it-contracts Hello. I am pretty new to FusionAuth, but my understanding is that you are taking the correct steps. I am not aware of a way to do this within a single call.
Are you simply looking to be more efficient with the calls or is there some reason this workflow will not work for you?
-
Using Analytics to Track Registrations
What is the best way for analytics tracking after a user has successfully registered?
-
RE: 3rd Party Authentication
@it-contracts I apologize for misunderstanding your initial question. You and @kash are correct in that by using FusionAuth, it will appear to be one call from your perspective. However, in the background, FusionAuth will still need to make the same number of calls to the access token. And another nice thing about using FusionAuth is that you will be able to add other identity providers in the same way.
-
Multi-Region Cloud Setup
Does FusionAuth support multi-region active-active set-up for cloud services?
-
RE: 3rd Party Authentication
@it-contracts Can you please share the OAuth settings you have for your application? In the FusionAuth Admin UI select Applications. Select Edit or view for your application. Share the OAuth and JWT settings. Be sure to remove any sensitive information before posting here.
-
RE: Add User to group not working
@sandesh Thanks for sharing here on the forum. Hope you are able to accomplish your end goal with the APIs.
Latest posts made by mark.robustelli
-
RE: Unverified Behavior Setting Not Respected
@ahcfrontdoor I set up an application with the setting you are talking about and was allowed to register and proceed without any redirection. Can you share a screenshot of your application registration tab? Please be sure to black out any sensitive information if necessary.
-
RE: Is there a way to enable or disable captcha at application level?
@dan Great catch, not sure how I confused MFA and captcha. Thank you!
-
RE: Noob question: Single user, multiple "tenants"
@morten Check out this thread and please let me know if it works for you. https://fusionauth.io/community/forum/topic/2743/can-i-configure-a-tenant-application-as-an-external-identity-provider-for-other-tenants/8
-
RE: Can I configure a tenant application as an external identity provider for other tenants?
@sandiprghane Based on that info, I think the above method will work for you and, as I mentioned, maybe check out custom scopes for third party applications if you have a license that supports it.
-
RE: Conditional user registration data
@rrock Does this have to be during the registration process? I found this under progressive registration in the docs. It suggests you "collect minimal user profile data to get users into your application with as little friction as possible. Then, you’d use the User APIs or User Registration APIs along with custom screens in your application to collect additional information."
-
RE: Can I configure a tenant application as an external identity provider for other tenants?
@sandiprghane, for some reason I have still been thinking about this question. We didn't get too much into the "why" you want this setup, and if it works for you, that is great. I just want to throw something else out there for consideration.
While this is a premium feature, you may think about custom scopes for third party applications. FusionAuth has a blog post that describes this.
-
RE: Can I configure a tenant application as an external identity provider for other tenants?
@mark-robustelli OK, this question became a brain bug and I could not let it go. I think I got it to work the way you want but it may be a little confusing. Here is what I did.
I have a couple of tenants: Default, Tenant 1, Tenant 2 (we can ignore Tenant 2; it is not used here).
I have a couple of users: Again, ignore test@example.com user in Tenant 2. Just note that test@example.com does not exist for the Default tenant.
I use the .Net Web Quickstart application as my test app.
I set up a Test Base Application for Login application. I now have 3 applications: FusionAuth(Default), ExampleDotNetApp (from quickstart), and the Test Base Application for Login (this will be the source of auth app)
(Note that the ExampleDotNetApp belongs to a different tenant than the Test Base Application for Login application.) I then set up a new OpenID Connect identity provider: "TestBaseApplication".
I set it up using info from the Test Base Application. Then I enabled it in the ExampleDotNetApp and selected Create Registration.
Now, when I go to login to the Change Bank Quickstart I see the Login with Test Base Application button. (The text is cut off in the image because it is too long, but you get the idea)
When I click that button and login with the test@example.com user, it allows me in. When I go back to users, you can see the test@example.com user was added to the ExampleDotNetApp.
Now please be aware that the test@example.com user for the Default tenant is technically different than the test@example.com user for Tenant 1. They will have different User Ids. However now user test@example.com in Tenant 1 can log into the application in the default tenant.
From here you should be able to use the APIs to update whatever data you need.
Hope this helps.
-
RE: Can I configure a tenant application as an external identity provider for other tenants?
@sandiprghane So you can create users with the same user info in different tenants:
However, they will ultimately be different users.
As far as a FusionAuth tenant using another FusionAuth tenant as an IdP, that is an interesting question. I should get some time next week to look into that. I will let you know what I find.
-
RE: WebAuthn is now free
@damien, that is not the case; you can use WebAuthn with the licensed starter version as well. I did take a look at the website and sure enough, it looks like it may be out of date and indicates otherwise. Thanks for reaching out and making us aware. We will get it updated.