See also https://fusionauth.io/community/forum/topic/2749/can-you-turn-off-captcha-for-certain-applications-in-a-tenant which has some workarounds.
Posts made by dan
-
RE: Is there a way to enable or disable captcha at application level?
@mark-robustelli I don't believe you can do this. I think @muditshukla3 was asking about CAPTCHA, not MFA.
-
RE: Making API calls against a user who is federating into FusionAuth
The easiest thing to do is to store the value on the user.data object in the reconcile lambda, and then pull it off in the JWT populate lambda.
The JWT populate lambda will only be called if the authorization code grant is completed and an access token is generated, but you should be doing that in your application.
So what it looks like is:
- user visits your application
- user clicks 'login'
- user clicks 'login with OIDC'
- user authenticates
- user returned to FusionAuth
- reconcile lambda runs, setting values on user.data
- user object is created
- JWT populate lambda runs, pulling values from user.data and calling FusionAuth APIs to add user to a group or grant them permissions on an entity
- user object is updated, user exists in FusionAuth
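The two-lambda pattern described above, as an added example (not code from the forum post or from FusionAuth): the reconcile lambda stages an upstream claim on `user.data`, and the JWT populate lambda reads it back once the user exists and calls the Group Member API. Assumed: the upstream `id_token` carries a `department` claim, the group Ids and API key are placeholders, and `fetch` inside the populate lambda is FusionAuth's synchronous Lambda HTTP Connect `fetch`, not Node's.

```javascript
// Hypothetical mapping from upstream "department" claim to FusionAuth group Ids.
var GROUP_BY_DEPARTMENT = {
  finance: "11111111-1111-1111-1111-111111111111",
  engineering: "22222222-2222-2222-2222-222222222222"
};
var FUSIONAUTH_URL = "https://yourinstance.fusionauth.io";
var API_KEY = "REPLACE_WITH_API_KEY"; // placeholder; needs permission for POST /api/group/member

// OIDC reconcile lambda: runs before the federated user is persisted, so the
// only thing it can do is stage data on the user object.
function reconcile(user, registration, jwt, id_token) {
  user.data = user.data || {};
  user.data.department = typeof jwt.department === "string" ? jwt.department.toLowerCase() : null;
}

// Pure helper: which group (if any) the user still needs to join. Returns null
// when no mapping applies or the user is already a member, so repeated token
// generation does not repeat the API call.
function pendingGroupId(user) {
  var dept = user.data && user.data.department;
  var groupId = dept ? GROUP_BY_DEPARTMENT[dept] : undefined;
  if (!groupId) return null;
  var memberships = user.memberships || [];
  for (var i = 0; i < memberships.length; i++) {
    if (memberships[i].groupId === groupId) return null; // already a member
  }
  return groupId;
}

// JWT populate lambda: runs after the user exists, so API calls are possible.
// Uses FusionAuth's synchronous Lambda HTTP Connect fetch (assumed shape:
// response.status and response.body).
function populate(jwt, user, registration) {
  var groupId = pendingGroupId(user);
  if (groupId === null) return;
  var members = {};
  members[groupId] = [{ userId: user.id }];
  var response = fetch(FUSIONAUTH_URL + "/api/group/member", {
    method: "POST",
    headers: { "Authorization": API_KEY, "Content-Type": "application/json" },
    body: JSON.stringify({ members: members })
  });
  if (response.status !== 200) {
    console.error("group add failed with status " + response.status);
  }
}
```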
-
Making API calls against a user who is federating into FusionAuth
Suppose I have users who are going to federate into FusionAuth via another OIDC or SAML server. They are going to be created on demand. After they are created, I want to use Lambda HTTP Connect to call into FusionAuth to add them to a group, register them for an application or otherwise manipulate their account based on attributes from the remote identity store.
I tried to do that in the OIDC reconcile lambda, but the user isn't created yet, so I can't, for example, add them to a group or grant them permissions on an entity.
What is the best way to solve this?
-
RE: Using Fusion auth inside iframe
For future readers, there's an open GH issue here to better support iframes: https://github.com/FusionAuth/fusionauth-issues/issues/2830
Please add your use cases, upvotes and comments there.
-
RE: Can you migrate passkey information between tenants?
Yes. You can do this with the API:
curl -H 'Authorization: ...' https://yourinstance.fusionauth.io/api/webauthn\?userId=00000000-0000-0000-0000-000000000001 > out
Then remove the following:
- id
- insertInstant
- lastUsedInstant
- tenantId
Then update the userId.
And use the import call:
curl -H 'X-FusionAuth-TenantId: newtenantid' -H 'Authorization: ...' https://yourinstance.fusionauth.io/api/webauthn/import -H 'Content-type:application/json' -d '{...}'
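The same export, strip, re-key and import steps as a script, added here as an example (not code from the forum post or from FusionAuth). Assumed: the export response and the import request both carry a `credentials` array, the destination user already exists in the new tenant, and the instance URL, API key and Ids are placeholders.

```javascript
// Fields the post says to drop before importing into the new tenant.
const STRIP_FIELDS = ["id", "insertInstant", "lastUsedInstant", "tenantId"];

// Pure step: turn an export body into an import body for the new tenant.
// Does not mutate the input so a failed import can be retried from the export.
function prepareImportPayload(exportBody, newUserId) {
  const credentials = (exportBody.credentials || []).map((cred) => {
    const copy = { ...cred };
    for (const f of STRIP_FIELDS) delete copy[f];
    copy.userId = newUserId; // the user's Id in the destination tenant
    return copy;
  });
  return { credentials };
}

// HTTP steps mirroring the two curl calls from the post (Node 18+ global fetch).
async function migratePasskeys(baseUrl, apiKey, oldUserId, newTenantId, newUserId) {
  const exportRes = await fetch(`${baseUrl}/api/webauthn?userId=${encodeURIComponent(oldUserId)}`, {
    headers: { Authorization: apiKey },
  });
  if (!exportRes.ok) throw new Error(`export failed: ${exportRes.status}`);
  const payload = prepareImportPayload(await exportRes.json(), newUserId);
  if (payload.credentials.length === 0) return 0; // nothing to move
  const importRes = await fetch(`${baseUrl}/api/webauthn/import`, {
    method: "POST",
    headers: {
      Authorization: apiKey,
      "X-FusionAuth-TenantId": newTenantId,
      "Content-Type": "application/json",
    },
    body: JSON.stringify(payload),
  });
  if (!importRes.ok) throw new Error(`import failed: ${importRes.status}`);
  return payload.credentials.length;
}

// Constructed sample export (not real data) so the pure step can be exercised offline.
const SAMPLE_EXPORT = {
  credentials: [{
    id: "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    insertInstant: 1700000000000,
    lastUsedInstant: 1700000001000,
    tenantId: "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
    userId: "00000000-0000-0000-0000-000000000001",
    credentialId: "Y3JlZGVudGlhbC1pZA",
    publicKey: "cHVibGljLWtleS1ieXRlcw",
    relyingPartyId: "example.com",
    displayName: "laptop",
    signCount: 3,
  }],
};
```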
-
Can you migrate passkey information between tenants?
I want to let a user log in to one tenant using passkeys.
Then, later, I want to move them to another tenant.
Can I migrate their passkey information as well?
-
RE: Can you turn off CAPTCHA for certain applications in a tenant
Right now you cannot turn off CAPTCHA for certain applications to handle this use case.
There's an open GH issue to address this. Please upvote or share your use case on there if you have thoughts.
-
Can you turn off CAPTCHA for certain applications in a tenant
I want to turn off CAPTCHA for a given mobile application to make sure the app review process doesn't get impacted, but I want to retain CAPTCHA for the other applications in that tenant.
-
RE: Can you use push notifications as a form of MFA with FusionAuth?
As of writing, there is no direct support for push notifications as an MFA method in FusionAuth. If you would like such support, please open a feature request with more details about your use case.
However, you should be able to build something that sends a code via a push notification. Here's how to do that. (This requires a Starter, Essentials or Enterprise plan.)
This illustrates how to do this using the hosted login pages; if you use the APIs, it's a slightly different workflow, as outlined in the MFA guide.
- configure FusionAuth to require a phone number when the user registers
- set up your Android or iOS device to send back the device id when the app is installed
- tie the device id to the user's phone number in your backend system
- set up a generic messenger. The messenger will send a phone number and a message when an MFA challenge occurs.
- look up the device id from the phone number in your system
- use the appropriate service to send a push notification with the code
- have the user enter the code in the MFA challenge screen
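The backend half of that flow (steps 4 to 6 above), added here as an example that is not code from the forum post or from FusionAuth: it parses what the generic messenger POSTs, maps the phone number to a stored device id, and forwards the code to a push sender. Assumed: the messenger body carries `phoneNumber` and `textMessage`; the device store and push sender are constructed stand-ins for your own systems.

```javascript
// Pure core: decide what to do for one messenger request.
function handleMessengerRequest(body, findDeviceByPhone, sendPush) {
  if (!body || typeof body.phoneNumber !== "string" || typeof body.textMessage !== "string") {
    return { status: 400, reason: "missing phoneNumber or textMessage" };
  }
  const deviceId = findDeviceByPhone(body.phoneNumber);
  if (!deviceId) {
    // Unknown phone: fail closed so the code is never sent to a guessed device.
    return { status: 404, reason: "no device registered for phone number" };
  }
  const delivered = sendPush(deviceId, body.textMessage);
  return delivered
    ? { status: 200, reason: "sent" }
    : { status: 502, reason: "push delivery failed" };
}

// Raw HTTP body -> parsed JSON (null on malformed input) -> the core above.
function handleRawMessengerBody(raw, findDeviceByPhone, sendPush) {
  let body = null;
  try { body = JSON.parse(raw); } catch (e) { body = null; }
  return handleMessengerRequest(body, findDeviceByPhone, sendPush);
}

// Constructed stand-ins (not real data): phone number -> device id captured at app install.
const DEVICES_BY_PHONE = { "+15555550100": "device-abc123" };
const findDeviceByPhone = (phone) => DEVICES_BY_PHONE[phone];

// Stand-in for the push service (APNs/FCM); records what was sent for inspection.
const sentPushes = [];
const sendPush = (deviceId, message) => { sentPushes.push({ deviceId, message }); return true; };

// Constructed sample of what the messenger would POST during an MFA challenge.
const SAMPLE_BODY = JSON.stringify({ phoneNumber: "+15555550100", textMessage: "Your code is 123456" });
```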
-
Can you use push notifications as a form of MFA with FusionAuth?
I have a mobile app and want to use push notifications for my MFA. Is that possible/supported with FusionAuth?
-
RE: Best way to share Fusionauth configuration and changes?
The Terraform provider is no longer community supported and has some documentation. More here: https://fusionauth.io/docs/operate/deploy/configuration-management and here: https://fusionauth.io/docs/operate/deploy/terraform
-
RE: Can FusionAuth federate to itself?
This also works with an OIDC provider and from tenant to tenant in the same FusionAuth instance. Assume you have an app (app1) in your existing tenant and you want to allow users in a different tenant to log in to app1. You can do this with an identity provider.
To do so:
- create a new tenant in your FusionAuth instance
- create an application in the new tenant (app2)
- add an authorized redirect URL of
https://yourinstance.fusionauth.io/oauth2/callback
- make sure the authorization code grant is checked.
- add an authorized redirect URL of
- create a user in the new tenant
- use the same email address but a different password
- register the user for app2
- create an OIDC identity provider
- the name should be app2 IDP
- update the button text to say 'log in with app2 in a different tenant'
- the client identifier and secret should be the app2 client id and secret
- the scope should be
openid profile email
- the authorization URL should be
https://sandbox.fusionauth.io/oauth2/authorize
- the token URL should be
https://yourinstance.fusionauth.io/oauth2/token
- the userinfo URL should be
https://yourinstance.fusionauth.io/oauth2/userinfo
- enable the OIDC identity provider for app1 and make sure to create a registration for that application when a successful authentication is done.
When you visit the app1 login screen, you should now see a button prompting you to log in with app2.
This allows you to do cross tenant enterprise sign on within the same FusionAuth instance.
-
RE: Accessing Discord API after authenticating with Discord OIDC
@joelhoward0 Hiya, welcome to FusionAuth!
I posted a bit about this here, but the long and short of it is that there are a few things you need to do to get access to a token allowing you to make calls against Discord.
First, some steps when you are configuring the OIDC Identity Provider:
- Make sure you request the refresh token in your initial request. From their docs, they imply you always get it, so maybe there's no additional config here.
- Ask for any other scopes you need: guilds, bot, etc. Those are listed at the docs I mentioned above.
Next, when you successfully authenticate with Discord, to get an access token, you need to do the following each time you want to make a call to Discord:
- In backend code, with an API key which has proper permissions, request the identity link for the user and the discord identity provider.
- Look in the token field. This contains that refresh token.
- Take the refresh token and present it to discord in a refresh grant
- Your code will get back an access token valid for a certain length of time.
- Present that access token to the discord APIs using Bearer authentication.
Hope that helps!
-
Is anyone using our Docker images for arch linux/arm/v7 (32 bit ARM), linux/ppc64le (IBM Power platform), or linux/s390x (IBM z platform)?
This is a question from our FusionAuth slack. Source: https://fusionauth.slack.com/archives/CG00HG935/p1722965001019699
Please comment on this post if you use the Docker images for
- arch linux/arm/v7 (32 bit ARM)
- linux/ppc64le (IBM Power platform)
- linux/s390x (IBM z platform)
We are considering a move to GraalVM (Java VM), which doesn’t publish VM binaries for those builds. So ideally we’d drop these images, assuming nobody is using them.
So if you are depending on these images, please let us know.
Plus, if you are using them, I want to interview you to learn more :).
-
RE: Can I see a list of trusted devices that a user has completed MFA on?
As of 1.51.2, there is no way to do this. We keep track of the trusted devices and you can, with certain parameters, retrieve them using this API, but it doesn’t have any details that would allow you to revoke trust for a specific device.
If this is of interest to you, future reader, please open a github feature request with details about your use case.
-
Can I see a list of trusted devices that a user has completed MFA on?
When a user completes an MFA challenge, the device is tagged and 'trusted'. See this issue for more detail.
Is there any way to present to the end user a list of trusted devices so they can see what devices MFA has been completed on? This would be helpful for higher security needs (like financial apps).
-
RE: What FusionAuth roles can remove an MFA method?
See also this open GH issue addressing this: https://github.com/FusionAuth/fusionauth-issues/issues/2821
-
RE: What FusionAuth roles can remove an MFA method?
Currently, the only users that can remove MFA methods are Global Admins to the FA Admin UI.
This is due to the security implications around letting any other role have this permission.
If you need to offer this functionality to your customers and product, then you could build an integration that calls the User API and removes MFA from a user’s account.
-
What FusionAuth roles can remove an MFA method?
What FusionAuth roles can remove an MFA method using the admin UI?