@dan Well I took a look through my code and see that it is trying to reach
Is that no longer valid? My browser can't seem to find it.
@dan, can you give me a hint of what 'yourfusionauthhost' is?
It has been about 2 years since I was fooling with Fusion Auth. At that time I had gotten the passwordless working fine, but did have issues with the regular authentication. Perhaps I am just not smart enough. I eventually moved over to Okta for the regular authentication and it seems to work fine. And people still ask me what my tee shirt means!
Anyway, now I am back to working on the passwordless surveys part which still uses FusionAuth. I tried it out yesterday but it didn't work. So I thought maybe there was an error in the dashboard. But now I can't find the dashboard. Does it no longer exist?
Rich
Can't log in to my server. It is located at staging.researchstudyonline.com:9011.
My password keeps failing. I then tried the "forgot password" link. It says that it sent an email but the email never arrives.
I had to split the server into two different copies. One at researchstudyonline.com and one at staging.researchstudyonline.com.
The old one, researchstudyonline.com:9011 I can get into fine. But the new one staging.researchstudynline.com:9011 won't take my password. Does each possibly have its own apiKey? I created a second copy of the fusionAuth database file since I thought that two different servers couldn't share a single file. Was I wrong?
What to do?
Thanks. I set up two databases now instead of just one and having both production and staging share it. But I find when I go into the FA control panel on staging and change things such as paths it changes the paths for both the staging and the production servers.
Where do I specify (for each server) what database should be used?
I have set up a staging server called stage.researchstudyonline.com. It is running parallel to my real server researchstudyonone.com. So they are two different domains and thus use two different fusionAuth servers. They both use the same mysql RDS database.
I can log into the original one fine. But my userid/password doesn't work on http://stage.researchstudyonline.com:9011. How can I fix this? Must I create a separate database for the staging server?
Hey Dan. It has been a long time! I just can't get past the passwordless problem I have with fusionAuth. Your help has been stellar but I really need to hire someone to get me over the "hump". Seems like there are not too many people out there that have a working knowledge of FA. I have tried to find one! Can't hire help and can't get community help leaves me with no options.
I took a look at https://fusionauth.io/learn/expert-advice/authentication/webapp/oauth-authorization-code-grant-sessions/ and will try to switch over to using this method since it seems well documented. I will probably need to find someone to update the themes if I get it going. Good luck on that!
I really like the diagram which shows the message flows in it. Is there a document, just like oauth-authorization-code-grant-sessions but for passwordless? That diagram, but for passwordless, would definitely help.
Thanks. I read the Modern Guide to Oauth yesterday. In it I see that this code is being used to condition the URL prior to sending.
    function base64URLEncode(str) {
      return str.toString('base64')
        .replace(/\+/g, '-')
        .replace(/\//g, '_')
        .replace(/=/g, '');
    }
I don't know what language this is in. Where can I find a php version?
I also saw a document up here on porting from fusionAuth to auth0. I am considering going the other way. Do you guys have a document describing how to do that?
Joshua, I have been trying for over a year to get an answer to why my passwordless login is failing. I do have it working in another part of my application so I know it works.
I also know that fusionAuth is interested in signing up paid users and I am aware of my LinkedIn (which I don't really use for security reasons) being perused by some of your marketing people. I just don't know how you get signups without customer success?
I am ready to launch and need to get the passwordless working. Is there a consulting arrangement I could set up to fix this one little issue? You must know an ex-FA employee who would like to make a few extra $?
And here is the code that causes that:

    // Start the passwordless login; "state" carries the OAuth parameters for the emailed link
    $request = array();
    $request["applicationId"] = $_SESSION['applicationID_login'];
    $request["loginId"] = $email;
    $request["state"]["redirect_uri"] = "http://researchstudyonline.com:81/index.php/Configure/report_generator_amazing";
    // $request["state"]["client_id"] = $_SESSION['applicationID_admin_register_login'];
    $request["state"]["client_id"] = $_SESSION['applicationID_login'];
    $request["state"]["response_type"] = "code";
    $request["state"]["scope"] = "openid";
    $request["state"]["state"] = $email;
    $requestJ = json_encode($request); // convert the array into JSON
    $result = $_SESSION['client']->withTenantId($_SESSION['tenantID_login'])->startPasswordlessLogin($requestJ);
    if (!$result->wasSuccessful()) {
        // The response object is not a string, so log its error body instead
        log_message('error', 'startPasswordlessLogin failed: ' . json_encode($result->errorResponse));
    } else {
        // Only a successful start returns a code to send
        $code = $result->successResponse->code;
        // send the email
        $request = array();
        $request["code"] = $code;
        $request["X-FusionAuth-TenantId"] = $_SESSION['tenantID_login'];
        $request["user"]["data"]["admin_email"] = $email;
        $requestJ = json_encode($request); // convert the array into JSON
        $result = $_SESSION['client']->sendPasswordlessCode($requestJ);
        if (!$result->wasSuccessful()) {
            log_message('error', 'sendPasswordlessCode failed: ' . json_encode($result->errorResponse));
        }
    }

Are there any error messages in a log?
It has been a year since I first complained about getting this error. I am wondering if there have been any revelations since that time? I have switched over from using my laptop with ngrok to using EC2. I am getting the same exact error (from the same code). Just as a reminder, I am sending the passwordless email to a user. When they click on it they get this popup from fusionAuth.
    {
      "error" : "invalid_request",
      "error_description" : "Invalid redirect uri https://researchstudyonline.com:81/index.php/Configure/report_generator_amazing",
      "error_reason" : "invalid_redirect_uri"
    }

Is there any way to see what is causing this error?
@maciej-wisniowski
Thanks. Yes, I am using docker compose. And all the parts are running in a single container. The idea is to make each container (thus each server) a "system unto itself", with its own landing page, application and FA.
Now on FA, I guess I really only need one on the main server. When users try to login to a specific server, they will go to my app running on that server. I will try to authenticate them on the FA on the main server. The way I see it, which server (and thus which FA) they use doesn't matter since they are all connected to the same mysql RDS.
Once authenticated (by the main server's FA) they will remain on their server. The problem I see is that I need to send FA the IP address of the server they will be logging into. But I don't know that IP address, since the AWS load balancer made that decision without me being involved. Any idea how to tell FA what IP to use when I don't know it? On my development machine I just use ngrok which points at localhost.
It has been a while. I have my app finished except for the FA part. The way that this is architected is that in my docker container I run Apache with my app, FA, WordPress. I need to get this container running on my EC2 instance. Do I need to install FA onto the server by itself? Or does the fact that it is running in my container mean that once the container is uploaded to the server, FA will be up there too?
Are there any directions for installing FA to a server?
I needed to set $request["X-FusionAuth-TenantId"]=$_SESSION['tenantID_login'];
The documentation says that this is optional. But not in my case. Addendum: I ran it a few times and it worked ok. I went back into FA to change the location of the URL, saved it and again it doesn't work. This is just way too unstable for me to use passwordless w/o having a decent error message. I am going to switch over to passworded login, unfortunately. One more last question. When I get back the "code" do I need to manually convert it to a token, or is this done automatically?
On a regular old password method, I'd only like to allow them to log in if they are already on my email list. I have a way to check that. Is there some way to use a webhook to launch a check (of sendPulse) to make sure they are on my email list?
The bottom line is that the error says that the redirect URI is in error.
    {
      "error" : "invalid_request",
      "error_description" : "Invalid redirect uri http://substantiator-survey.ngrok.io/index.php/Configure/report_generator_amazing",
      "error_reason" : "invalid_redirect_uri"
    }

The error should say missing "X-FusionAuth-TenantId"
I have changed everything to point to localhost. I have checked over the IDs and they seem OK. Here is the error I keep getting:

    {
      "error" : "invalid_request",
      "error_description" : "Invalid redirect uri http://substantiator-survey.ngrok.io/index.php/Configure/report_generator_amazing",
      "error_reason" : "invalid_redirect_uri"
    }

Here is the code. It sends the email just fine. When the receiver gets it and clicks on the link they get the above error. BTW, I have passwordless working fine in another application with another tenant.
At this point I want to switch over to having a user register with a password and be able to login. Can you point me to the proper Guide? I am looking for your basic registration and login. Nothing fancy. I am thinking that I need to use multi tenant since I have a passwordless app running too. Right?
Well, I have been informed by AWS tech support that when I do a "snapshot" of my RDS database, the entire dbase is being backed up.
But I am concerned that FA was not written to keep ALL THE DATA in the database? Can you confirm with me that if I install a new copy of FA, as long as it is connected to my same global database, it will work exactly like the other servers?
My user is getting the email that they can log in. Here is the raw email that the user is getting:
Received: from 10.253.233.84
by atlas107.free.mail.gq1.yahoo.com with HTTPS; Tue, 15 Jun 2021 13:39:59 +0000
Return-Path: <0100017a0fe672e1-2da23800-1edd-4c6e-9141-d233317fb630-000000@amazonses.com>
X-Originating-Ip: [54.240.48.39]
Received-SPF: pass (domain of amazonses.com designates 54.240.48.39 as permitted sender)
Authentication-Results: atlas107.free.mail.gq1.yahoo.com;
dkim=pass header.i=@amazonses.com header.s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug;
spf=pass smtp.mailfrom=amazonses.com;
dmarc=unknown header.from=substantiator.com;
X-Apparently-To: richardbernstein219@yahoo.com; Tue, 15 Jun 2021 13:40:00 +0000
Received: from 54.240.48.39 (EHLO a48-39.smtp-out.amazonses.com)
by 10.253.233.84 with SMTPs
(version=TLS1_2 cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256);
Tue, 15 Jun 2021 13:39:59 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t=1623764398;
h=From:To:Message-ID:Subject:MIME-Version:Content-Type:Date:Feedback-ID;
bh=T038Z0UwMACvG/0gtmtv6+gtfNJaQNFP1pWDpWOlJc8=;
b=cfbsFJ50qkHtfbJ0PhX6ZVmobnhNebMyR8ddQ70Is9zzAY5KgHFPwUUpBAE8jYgy
kCkcuDevKqiyXjAOG5O3DKf/Gw1saWX8vaWMLGB53Zm/ai6BuWAixYWvZ/0qeZh/eqd
PTIqXg1Wm34VRiL/vtcxqR7ImQy8NHPWD9B8lovk=
From: admin <admin@substantiator.com>
To: richardbernstein219@yahoo.com
Message-ID: <0100017a0fe672e1-2da23800-1edd-4c6e-9141-d233317fb630-000000@email.amazonses.com>
Subject: Login
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_18_571959732.1623764397561"
Date: Tue, 15 Jun 2021 13:39:58 +0000
Feedback-ID: 1.us-east-1./ToaGAJxWOVHrr4y6A5cU9krmMVcIKDbUUm+IkkffcM=:AmazonSES
X-SES-Outgoing: 2021.06.15-54.240.48.39
Content-Length: 1908
------=_Part_18_571959732.1623764397561
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
<body>
<img src="35.153.28.164/assets/themes/default/images/Logo - Research Study Online-01.jpg?w=640" alt="img" />
<div>
<a href="http://fusionauth.ngrok.io/oauth2/passwordless/gXw-s8GL7gQpSkWTrdjnsFKExLfAuwIt3dErPkR2IEQ?tenantId=4272f95b-0989-4892-badc-0ef6b934885f&client_id=f603697d-41ea-4c53-ac2d-e935d5e34221&redirect_uri=http%3A%2F%2Fsubstantiator-survey.ngrok.io%2Findex.php%2FConfigure%2Freport_generator_amazing&response_type=code&scope=openid&state=richardbernstein219%40yahoo.com" target="_blank">
<button style="border: none;
color: white;
padding: 15px 32px;
text-align: center;
text-decoration: none;
font-size: 16px;
margin: 4px 2px;
cursor: pointer;
background-color: #008CBA;">
Click Here For Survey!
</button>
</a>
</div>
</body>
------=_Part_18_571959732.1623764397561
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
<meta charset="UTF-8">
<!doctype html>
<body>
<img src="http://35.153.28.164/assets/themes/default/images/Logo%20-%20Research%20Study%20Online-01.jpg?w=640" alt="img" />
<p>To log into ResearchStudyOnline please click the link.</p>
<div>
<a href="http://35.153.28.164:9011/oauth2/passwordless/gXw-s8GL7gQpSkWTrdjnsFKExLfAuwIt3dErPkR2IEQ?tenantId=4272f95b-0989-4892-badc-0ef6b934885f&client_id=f603697d-41ea-4c53-ac2d-e935d5e34221&redirect_uri=http%3A%2F%2Fsubstantiator-survey.ngrok.io%2Findex.php%2FConfigure%2Freport_generator_amazing&response_type=code&scope=openid&state=richardbernstein219%40yahoo.com" target="_blank">
<button style="border: none;
color: white;
padding: 15px 32px;
text-align: center;
text-decoration: none;
font-size: 16px;
margin: 4px 2px;
cursor: pointer;
background-color: #008CBA;">
Click Here to Login!
</button>
</a>
</div>
</body>
------=_Part_18_571959732.1623764397561--
When they click on the link in the email they get this error from fusionAuth
    {
      "error" : "invalid_request",
      "error_description" : "Invalid redirect uri http://substantiator-survey.ngrok.io/index.php/Configure/report_generator_amazing",
      "error_reason" : "invalid_redirect_uri"
    }

Is there any better description of the error reporting?
There is one detail I should mention here. The database is on mysql RDS which means that it is located on an AWS server. The user is interacting with the fusionAuth on my laptop. But when the user is being sent to the AWS server (35.153.28.164) to complete the interaction (http://35.153.28.164:9011/oauth2/passwordless) they are interacting with a copy of fusion auth running on the server. I would think (aka assuming) that this is ok since they are using the same dbase, but this is a question for your engineers.
The error is showing http://substantiator-survey.ngrok.io which is the laptop. Is there any rule that the redirect URL and the FA app need to be on the same server?
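
For the `invalid_redirect_uri` error discussed in the posts above, one way to see what the authorization server actually received is to decode the `redirect_uri` from the emailed link and compare it, component by component, with the redirect URLs registered for the application. This is an added example, not code from the original posts or from FusionAuth; it assumes the server compares by exact string match, and the function names, hosts and IDs are hypothetical.

```php
<?php
// Added example, not from the original posts. All hosts and IDs are constructed.

/** Return the decoded query parameters of a passwordless login link. */
function extractLinkParams(string $link): array
{
    $query = parse_url($link, PHP_URL_QUERY);
    if (!is_string($query)) {
        throw new InvalidArgumentException('link has no query string');
    }
    parse_str($query, $params); // parse_str() URL-decodes each value
    return $params;
}

/** Describe how $candidate differs from each registered redirect URL. */
function diagnoseRedirectUri(string $candidate, array $registered): array
{
    if (in_array($candidate, $registered, true)) {
        return ['exact match'];
    }
    $c = parse_url($candidate) ?: [];
    $notes = [];
    foreach ($registered as $allowed) {
        $a = parse_url($allowed) ?: [];
        $diff = [];
        foreach (['scheme', 'host', 'port', 'path', 'query'] as $part) {
            $got = $c[$part] ?? null;
            $want = $a[$part] ?? null;
            if ($got !== $want) {
                $diff[] = sprintf('%s: got %s, registered %s',
                    $part, var_export($got, true), var_export($want, true));
            }
        }
        // Same components but different strings: case, encoding or a fragment.
        $notes[] = $allowed . ' => ' . ($diff ? implode('; ', $diff) : 'raw strings differ');
    }
    return $notes ?: ['no redirect URLs registered'];
}

// Constructed sample: the link carries http, the registered URL is https.
$link = 'http://auth.example.com:9011/oauth2/passwordless/CODE?client_id=CLIENT-ID'
      . '&redirect_uri=http%3A%2F%2Fapp.example.com%3A81%2Findex.php%2Fcallback'
      . '&response_type=code&scope=openid';
$registered = ['https://app.example.com:81/index.php/callback'];

$params = extractLinkParams($link);
foreach (diagnoseRedirectUri($params['redirect_uri'] ?? '', $registered) as $line) {
    echo $line, PHP_EOL;
}
```

Run it with the link copied from the raw email and the list of redirect URLs as they appear in the application's OAuth configuration; a single differing component such as the scheme or port is enough to fail an exact-match check.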
OK I found:
retrieveUserInfoFromAccessToken($encodedJWT)
What is the JWT?
This is how I am getting back to a method in my application:
http://35.153.28.164/index.php/Configure/passwordless_entry
Will the JWT come in a $_GET or a $_POST in that method, passwordless_entry?