Posts made by sswami
-
SAML has issues with MAUTIC
Jay Swaminarayan!
While this was functioning perfectly well in previous versions, after upgrading to 1.34.xx the SAML SSO has started failing after returning to the service.
I have tried resetting all the settings and even tried adding a new application, enabling the SAML exchange and configuring the settings.
After a lot of troubleshooting and decoding the AuthResponse payload, we could find the following issue.
<ns3:Status>
  <ns3:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
  <ns3:StatusMessage>Unable to authentication the user via the nested OAuth workflow. Consult the logs for additional details.</ns3:StatusMessage>
</ns3:Status>
Following is the full response object.
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<ns3:Response xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" ID="_76de3fda-0f4c-45f2-b382-79bfa78be431">
  <Issuer/>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <Reference URI="#_76de3fda-0f4c-45f2-b382-79bfa78be431">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue>MymT6dHHijkye+3R8Ysj6aoMkxdJUhbfCqHqxAp98MY=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>CSZc9rLHOOyn50PMHkERzdReV+aW4pS4qCjAsET/0DIcPt6ptAaLNiRPl2/v56uxJ1Dx4a+RCGSUf3A5mrQCIFsLhNXgmDHkET8pzUwiAIxm7JsM76z7Tk0/AcUok93XlkjjnEFxuRe/QwsxXQhG2NYalRM8IWyqkfz27NVaM5lK/TSpzW6ub/C9EAxXVx925rf3Op8ILKUJLrenp8pYscGuKHH29qhA0V2+riP+ShZqb5iHruqZZjNA7qUGRAIbZeu7MuFNh5Es2wMK3wemUOwpGY+5i6u85Yffl854+68lk5u9JhsJ18sdhzMK9nwsJ48dPhiH8w53jDmxX9+8BA==</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>[certificate omitted]</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
  <ns3:Status>
    <ns3:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    <ns3:StatusMessage>Unable to authentication the user via the nested OAuth workflow. Consult the logs for additional details.</ns3:StatusMessage>
  </ns3:Status>
</ns3:Response>
I suppose this must be some very simple configuration issue; however, kindly help me get some info on the above so that this can be resolved.
Thanking you,
-
Support one-tap login with Google
Jay Swaminarayan!
Many portals have started implementing Google's one-tap sign-in feature. When can we have that feature, or is this on our roadmap?
https://developers.google.com/identity/gsi/web/guides/overview#consent_and_sign-in_with_one_tap
The above link is for reference.
-
RE: SAMLv2 Failing with Zoom
@robotdan Jay Swaminarayan!
Thanks; however, the issue was resolved yesterday with the required lambda, after trying multiple options.
Here are the steps from scratch to follow for the FusionAuth configuration to work with Zoom SSO.
The steps to resolve this issue with FusionAuth & Zoom SSO
Tested with FusionAuth version: 1.19+
Before FusionAuth, we would need a few settings from Zoom SSO
- Log in to your Zoom account > My Account > Advanced > Single Sign-On > Enable
- Copy the Service Provider (SP) Entity ID setting; it should be either <vanity>.zoom.us or https://<vanity>.zoom.us/
- You will need this for configuring FusionAuth. (Yes, Zoom will not allow you to save SAML until all the fields are filled; don't worry, we will come to that later. Keep the Zoom settings page open.)
Now, let's create & configure the FusionAuth app for Zoom SSO
- Login to FusionAuth with Admin Access
- Go to > Applications > Create New Application, as usual with the default configuration.
Note: Before configuring SAML settings in FusionAuth, we need to create
- a SHA-256 certificate with the proper issuer required by Zoom
- an appropriate lambda function to match the response expected by Zoom
Follow these steps for both of these.
CREATE SHA-256 CERTIFICATE FOR ZOOM
- Go To > Settings > Key Master
- "Generate RSA" From Top Right Drop Button
Name: Any name, it's for identification, e.g. ZoomSAMLCertificateKey
Issuer: <vanity>.zoom.us (should match the value set in Zoom's SAML "Service Provider (SP) Entity ID" setting)
Algorithm: RSA using SHA-256
Key length: 2048
- Submit
==============================
CREATE SAML Populate Lambda as Required by Zoom
- Go To > Customizations >Lambda > Add
- Create New Lambda from top right [+] button
Name: Any name for identification, e.g. "SAML v2 Populate Lambda for Zoom App"
Type: SAML v2 Populate
Debug Enabled: as required
Body:
function populate(samlResponse, user, registration) {
  // Zoom rejects assertions carrying a NotBefore condition, so clear it in both places it appears
  samlResponse.assertion.subject.subjectConfirmation.notBefore = null;
  samlResponse.assertion.conditions.notBefore = null;
}
- Save
==============================
Now we are ready to configure SAML settings in our app
- Go To > Applications > Newly Created App > Enable SAML
- Configure SAML settings as follows:
Issuer: <vanity>.zoom.us (should match the value set in Zoom's SAML "Service Provider (SP) Entity ID" setting)
Audience: leave it blank (default)
Callback URL (ACS): https://<vanity>.zoom.us/saml/SSO
Logout URL: https://<vanity>.zoom.us/ (or wherever to redirect after logout)
Signing key: select the key generated in the previous step, e.g. "ZoomSAMLCertificateKey"
XML signature canonicalization method: Exclusive
Response populate lambda: the recently created lambda, e.g. "SAML v2 Populate Lambda for Zoom App"
Debug Enabled: as required
Done with FusionAuth; it's ready for Zoom SSO
Now come to the Zoom page and copy the required settings from FusionAuth
- You will have most details from the FusionAuth Application
- Go to > Applications List > Click on our newly created Zoom App
- Scroll to "SAML v2 Integration details" section
Get Zoom's SAML settings from FusionAuth:
Zoom's Sign-in Page URL: <--- FA's Login URL
Zoom's Sign-out Page URL: <--- FA's Logout URL
Zoom's Service Provider (SP) Entity ID: select whatever you chose earlier as Issuer during certificate creation
Zoom's Issuer (IDP Entity ID): <--- FA's Entity Id
Zoom's Identity Provider Certificate: <--- Go to > FusionAuth's Settings > Key Master > click 🔍 on the key generated for the Zoom app; the value in "Base64 encoded" is to be used for Zoom's Identity Provider Certificate
Zoom's Binding: HTTP-Redirect
Zoom's Signature Hash Algorithm: SHA-256
Zoom's Security:
- Sign SAML request -- Unchecked
- Sign SAML Logout request -- Unchecked
- Support encrypted assertions -- Unchecked
- Enforce automatic logout after user has been logged in for -- Unchecked
- Save SAML response logs on user sign-in -- As required
Zoom's Provision User: At Sign-in (default) or as required
- [Save Changes] in Zoom
- It's DONE! It should work as intended.
Note: there can still be errors, but mostly they will not be related to SAML.
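The two SAML failures in this thread were both diagnosed by decoding the response by hand: the AuthnFailed status in the Mautic post above, and the NotBefore condition that Zoom objected to. The inspector below is an added example for this thread, not code from the posts, FusionAuth, Zoom or Mautic. It takes either raw XML or the base64 SAMLResponse value an SP receives, and reports the status, issuer, signature placement and time conditions, with a findings list that covers both cases (plus clock skew and expiry). The sample responses are constructed and carry no real signature, certificate or tenant values; the optional now_iso argument pins the clock so the checks are reproducible.

```python
"""Inspect a SAML 2.0 Response the way you would when an SP (Zoom, Mautic) rejects it.

Added example for the SAML posts in this thread; not code from the posts, FusionAuth,
Zoom or Mautic. Input is raw XML or the base64 string posted as SAMLResponse.
"""
import base64
import binascii
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def decode_saml_response(raw: str) -> str:
    """Return XML text; accepts raw XML or the base64 form posted as SAMLResponse."""
    text = raw.strip()
    if text.startswith("<"):
        return text
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("SAMLResponse is neither XML nor valid base64") from exc


def _instant(value: str) -> datetime:
    """Parse an xs:dateTime such as 2020-09-07T10:00:00Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def inspect_response(raw: str, now_iso: Optional[str] = None) -> dict:
    """Return status, issuer, signature and condition facts plus a list of findings."""
    now = _instant(now_iso) if now_iso else datetime.now(timezone.utc)
    root = ET.fromstring(decode_saml_response(raw))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError(f"not a samlp:Response: {root.tag}")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    msg = root.find("samlp:Status/samlp:StatusMessage", NS)
    issuer = root.find("saml:Issuer", NS)
    report = {"id": root.get("ID"),
              "status": code.get("Value") if code is not None else None,
              "status_message": msg.text if msg is not None else None,
              "issuer": (issuer.text or "").strip() if issuer is not None else None,
              "response_signed": root.find("ds:Signature", NS) is not None,
              "assertions": [], "findings": []}
    found = report["findings"]
    if report["status"] != SUCCESS:
        found.append(f"IdP returned {report['status']}: the failure happened on the IdP side, read its logs")
    if not report["issuer"]:
        found.append("Response carries no Issuer value; an SP that checks the IdP entity id will reject it")
    for a in root.findall("saml:Assertion", NS):
        cond = a.find("saml:Conditions", NS)
        entry = {"id": a.get("ID"),
                 "signed": a.find("ds:Signature", NS) is not None,
                 "audience": [e.text for e in a.findall(
                     "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
                 "not_before": cond.get("NotBefore") if cond is not None else None,
                 "not_on_or_after": cond.get("NotOnOrAfter") if cond is not None else None}
        report["assertions"].append(entry)
        if entry["not_before"] and _instant(entry["not_before"]) > now:
            found.append(f"assertion {entry['id']}: NotBefore is in the future, check IdP/SP clock skew")
        elif entry["not_before"]:
            found.append(f"assertion {entry['id']}: carries NotBefore; some SPs (Zoom in this thread) reject it")
        if entry["not_on_or_after"] and _instant(entry["not_on_or_after"]) <= now:
            found.append(f"assertion {entry['id']}: expired, NotOnOrAfter has passed")
        if not entry["signed"] and not report["response_signed"]:
            found.append(f"assertion {entry['id']}: neither the response nor the assertion is signed")
    return report


# Constructed samples for this example (no real signature, certificate or tenant values).
FAILED_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<ns3:Response xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-failed">
  <Issuer/>
  <ns3:Status>
    <ns3:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    <ns3:StatusMessage>Unable to authenticate the user. Consult the logs.</ns3:StatusMessage>
  </ns3:Status>
</ns3:Response>"""
OK_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-ok">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2020-09-07T10:00:00Z" NotOnOrAfter="2020-09-07T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
OK_RESPONSE_B64 = base64.b64encode(OK_RESPONSE.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    for sample in (FAILED_RESPONSE, OK_RESPONSE_B64):
        for finding in inspect_response(sample, now_iso="2020-09-07T10:00:30Z")["findings"]:
            print("-", finding)
```

Run against the failed response it reports the AuthnFailed status and the empty Issuer; run against the constructed successful response it flags the NotBefore condition (the attribute the populate lambda above clears) and the missing signature. It does not verify the signature itself; that needs the IdP certificate and an XML-DSig library, and a response that fails these structural checks is not worth verifying yet.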
-
RE: SAMLv2 Failing with Zoom
@robotdan You may also please look into this and tell me!
Zoom error message says:
The signature is not trusted or invalid, please check the certificate.
Also, I could figure out how to remove the tags and the NotBefore attribute using a lambda, but still the problem persists.
Zoom's engineering team is also ready and trying its best to support FusionAuth. They told me that if we figure this out, they will support FusionAuth officially.
My ticket is still open.
Kindly help
-
SAMLv2 Failing with Zoom
Jay Swaminarayan!
Hello @dan
It has been 2 weeks now that I am working with Zoom Premium support in connection with using FA as a SAMLv2 IdP.
Everything seems to be configured properly, but still it fails.
Zoom, as we know, is a very widely used product, and they (their engineering support) say they work with all popular IdPs, but they can't find this issue.
After a lot of working out, they said it is probably failing due to the "NotBefore" attribute in the Assertion > Conditions tag.
They say this shouldn't be there. Now I am not sure what the issue is.
Kindly help us.
-
RE: Performance issues even with a 8 Core + 32 gigs.
@robotdan Thank you very much for your reply... Well, this is a one-time thing, but please let me know where to purchase support; a direct link to the suited package would be appreciated.
Moreover,
- Why is just rendering the SSO page taking so long? Password hashing is a far story...
- We have completely reduced crypto to factor=2 with SHA-256, but still an 8-core CPU is reaching 100% for about 25-30 TPS
- We are trying the "creating nodes" way.
- Also locally trying to profile the FusionAuth process stack.
- Also, please favour us by telling, at a high level / as an approximation: if there is nothing running on the VM and it's only to load FusionAuth SSO, what should the best expected performance be? I agree there must be some configs, threads, workers in the equation. But if you were to optimize all those, what would you achieve, approximately? This will help us understand if it's a limitation of the server resources (CPU/RAM/NODES) or simply some misconfiguration somewhere.
-
RE: Performance issues even with a 8 Core + 32 gigs.
Oh! Yes, we tried that much earlier; sorry I didn't tell you... we ran out of memory heap... Right now it's taking 100% CPU.
-
RE: Performance issues even with a 8 Core + 32 gigs.
The Java process consumes 100% CPU when more than around 1000 users try to log in at a time.
It's ONLY a max of 20 clients per second and 1000 users over a minute, with an average response time of 10 secs!
We have checked all possible things we could hunt over the internet. But with our limited knowledge, we are unable to solve this.
-
RE: Performance issues even with a 8 Core + 32 gigs.
Hello @dan !
Any update on the load test? Can you suggest what our server config & resources should be to handle 7000+ login requests at a time? We are still facing this issue. The fusionauth-app (https://login.gurukul.org/oauth2/authorize) Java process consumes 100% CPU when more than around 1000 users try to log in at a time.
Also, as we never had and are not having many regular concerns, we have not opted for a support package. This issue, if solved, will be the most we would actually need support for.
Thank you...
-
RE: Performance issues even with a 8 Core + 32 gigs.
@dan Surely... I shall try and revert.
However, can I know one thing? What performance should we be expecting with this VM; can you just give me an approx. range? Or what is the best you have achieved as test load, and how does that translate to our machine?
-
RE: Performance issues even with a 8 Core + 32 gigs.
Thank you for your response. We could try out something, but it's not improving performance.
Some things you asked:
- Fusionauth version 1.17.0
- Actions:
- We are just using FA for login & token exchange tasks.
- However, during the load test we only used SSO.
- SSO: Only loading the login page, GET request oauth2/authorize?client_id={}&response_type=code&redirect_uri=%2Flogin&state={}
- We combined the API /oauth2/login for 1 load test (later I have mentioned when).
- Database is running under the same machine.
- Yes we are using elastic search.
- We observed:
- The process usage of MySQL: it was using an average of 5% of CPU
- Disk IOPS was around 70 (plenty of room was available for more IOs),
- Apache was also stable at around 2-3% CPU usage. During that time it was quickly serving other requests.
- There were no errors in Apache.
We found an error in FusionAuth:
java.lang.OutOfMemoryError: Java heap space
    at java.base/java.lang.reflect.Method.copy(Method.java:158)
    at java.base/java.lang.reflect.ReflectAccess.copyMethod(ReflectAccess.java:102)
    at java.base/jdk.internal.reflect.ReflectionFactory.copyMethod(ReflectionFactory.java:308)
    at java.base/java.lang.Class.getDeclaredMethod(Class.java:2555)
    at com.google.inject.internal.cglib.proxy.$Enhancer.getCallbacksSetter(Enhancer.java:809)
    at com.google.inject.internal.cglib.proxy.$Enhancer.setCallbacksHelper(Enhancer.java:797)
    at com.google.inject.internal.cglib.proxy.$Enhancer.setThreadCallbacks(Enhancer.java:791)
    at com.google.inject.internal.cglib.proxy.$Enhancer.registerCallbacks(Enhancer.java:760)
    at com.google.inject.internal.ProxyFactory$ProxyConstructor.newInstance(ProxyFactory.java:269)
    at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:114)
    at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91)
    at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:306)
    at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:42)
    at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:65)
    at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:113)
    at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91)
    at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:306)
    at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:62)
    at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:42)
    at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:65)
    at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:113)
    at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91)
    at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:306)
    at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:62)
    at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:42)
    at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:65)
    at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:113)
    at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91)
    at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:306)
    at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:62)
    at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:42)
    at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:65)
- Thus we increased the memory footprint to 2GiB in the FusionAuth config file (fusionauth-app.memory property).
- We ran the test again.
- It was able to serve 3000 requests in a minute.
- Test report https://bit.ly/3icn8rW.
- But the CPU usage was more than 50% for the FusionAuth Java process & like 7-11% for FA Elasticsearch.
Load test?
- Simply loading a GET SSO request with a login page was consuming half of the CPUs, i.e. 4 cores, without even logging in.
- With the login API combined, 1500 logins across 1 min is what we are able to serve with >50% CPU usage. https://bit.ly/35jESOp
- Going beyond that, response time was increasing. https://bit.ly/3m8Nhum
- During the test we also reduced the PBKDF2 factor to 4000 from 20000, so that crypto is out of the equation as the bottleneck. We also tried SHA-256 with only factor 2, confirming the crypto processing. The results were the same.
- And there are peak times where we expect such load. During all the above tests, the DB and Apache were stable.
Is this the performance we can expect from FusionAuth with our CPU and memory config? Turning around 40 TPS at max? Certainly there is something we are missing here. Please guide us.
Hoping...
-
Performance issues even with a 8 Core + 32 gigs.
Jay Swaminarayan!
Dear @dan, it's always great to have you as a silver lining. Slightly long story, as I am narrating over a week's work on performance. We are from Shree Swaminarayan Gurukul Organization (https://gurukul.org), a non-profit school chain in India, moving almost all schooling online during this pandemic situation. However, the following is our use case, and we look forward to knowing what we are missing in optimizing the performance.
Server Config
- Azure VM: Ubuntu Linux 18.04.4
- Linux 5.4.0-1023-azure on x86_64
- CPU: Intel(R) Xeon(R) CPU E5-2673 v4 @ 2.30GHz, 8 cores
- Memory: 31.36 GiB total
- Storage: 156.92 GiB total (SSD)
- Running 1 Wordpress site, multiple angular sites, .netcore small services
- FA installed on :9011 and reverse proxied from Apache2 Host
Use Case & Timeline:
- Intent: Scheduled online tests from 7th Sep (today) to 14th Sep, planned a month back as students are not coming to school due to CORONA.
- Users: Serve logins to 4000 - 5000 students for an external app (Android app, backend not on the same server); 7000 is the max users we have for this case
- Launch: 1st Sep - App integration finishes to handle the login flow with code grant & offline access, using AppAuth-Android
- Onboarding Students on App: 1st & 2nd Sep - Distribution of credentials and tutorials for students
- Trial#1: 3rd Sep - Planned trial test #1 for testing load
- Optimization#1: Resized server from 2 cores + 16gb to 4 cores + 16gb
- Trial#2: 5th Sep - Planned trial test #2 for testing load
- Optimization#2: Optimized mpm_event apache2
- Real Exam: 7th Sep - Real exam day, still halted.
- Optimization#3: 7th Sep noon - Resized server from 4 cores + 16gb to 8 cores + 32gb
- Optimization#4: 7th Sep midday - PBKDF2 (f=24000) to SHA-256 (f=2)
- Seeking Support: Writing this topic for help.
Happenings:
- During launch itself, the server was overloaded with requests, and FA-SSO was not served to almost all users
- We were almost not sure what went wrong and just rebooted the VM; simultaneously, students waiting even up to 30 mins for the server to load dropped hope for the day
- Thus, we initially thought there must have been some blocking process and a REBOOT would do each time there is a load.
- On 3rd Sep, trial #1, once again there was a flood; this day we had already rebooted the machine before the test time.
- However, this did not solve the problem and we resized the VM, Optimization #1
- We were anticipating we were good to go for 5th Sep, but the same issues: the requests flooded. It is then that we actually started researching the metrics and, with some local help, found mpm_event was the culprit and had insufficient server limits set. After which we were almost confident about the load and declared to all school principals & students that the issue was resolved completely.
- We were happy that this trial strategy actually benefited us to avoid any issues on the real day, i.e. today. Also, we checked out https://fusionauth.io/blog/2019/02/26/got-users-100-million and were assured about being good to go on 7th, today.
- Today, to our surprise, yet again we faced the same issues, and students were not served FA-SSO. As this was happening, we firstly resized the VM again (Optimization #2); in parallel we started digging deep into issues. FA was not actually on our hit list.
- Still had the same issue. We observed load on Java & learned hashing could be a bottleneck, thus PBKDF2 (f=24000) could be the bottleneck, and changed it to SHA-256 (f=2) with rehashing on login.
- And also we quickly decided to divide users into different time slots to manage the load, and somehow finished the day, with many students having failed to attempt; we will see that later.
- Taking things really seriously, we started checking each process, and to our surprise we found FA (Java) loading the VM even for few users, at least far fewer than 10M, and that too time slotted.
Server Footprints:
1. Here is the load test we tried later, after applying all the optimizations we could think of (server upgrade CPU + RAM, least cryptography SHA-256 (factor = 2)). This is the footprint for 2000 clients, load distributed across 1 min; you can see the server HALTS after 15 secs.
https://bit.ly/33aarYk
2. Here is the load test of login API load for 3500 clients, load distributed across 1 min, taking a whopping 14 secs to serve.
https://bit.ly/2GwRbN2
End of the Story,
NEED HELP!
PS: For tomorrow we have divided the students in slots even till the evening. However, day after tomorrow we intend to take the test at a time.
Thanking you and hoping for the best.
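Both performance posts above (PBKDF2 reduced from 24000 to 4000, then SHA-256 with factor 2) turn on one question: how much CPU does password verification actually cost at the observed login rate? The script below is an added example for this thread, not code from the posts or from FusionAuth. It times hashlib's PBKDF2-HMAC-SHA256 as a stand-in for the server's PBKDF2 scheme and an iterated salted SHA-256 as a stand-in for the "SHA-256 factor 2" scheme (the assumption that the factor is an iteration count and that per-iteration cost is comparable is something to confirm against the server's own timings), then converts the cost into the share of the 8 cores that hashing needs at 1500 logins per minute, and the ceiling in logins per second if half the cores did nothing else.

```python
"""Put a number on password-hash cost before blaming (or weakening) it.

Added example for the performance thread; not code from the posts or from FusionAuth.
hashlib's PBKDF2-HMAC-SHA256 and an iterated SHA-256 stand in for the server's schemes;
the per-iteration cost of the real implementation is assumed comparable (confirm it).
"""
import hashlib
import os
import time

PASSWORD = b"correct horse battery staple"   # constructed sample input


def _median_ms(fn, samples: int) -> float:
    """Median wall-clock time of fn() in milliseconds over `samples` runs."""
    timings = []
    for _ in range(samples):
        t0 = time.perf_counter()
        fn()
        timings.append((time.perf_counter() - t0) * 1000.0)
    timings.sort()
    return timings[len(timings) // 2]


def pbkdf2_cost_ms(iterations: int, samples: int = 5) -> float:
    """Cost of one PBKDF2-HMAC-SHA256 verification with the given iteration count (factor)."""
    salt = os.urandom(16)
    return _median_ms(lambda: hashlib.pbkdf2_hmac("sha256", PASSWORD, salt, iterations), samples)


def sha256_cost_ms(factor: int, samples: int = 5) -> float:
    """Cost of a salted SHA-256 iterated `factor` times (assumed meaning of the SHA-256 factor)."""
    salt = os.urandom(16)

    def verify():
        digest = salt + PASSWORD
        for _ in range(factor):
            digest = hashlib.sha256(digest).digest()
        return digest

    return _median_ms(verify, samples)


def hashing_cpu_share(cost_ms: float, logins_per_minute: float, cores: int) -> float:
    """Fraction of all `cores` that verification alone needs at the given login rate."""
    if cost_ms <= 0 or cores <= 0:
        raise ValueError("cost and cores must be positive")
    return (logins_per_minute / 60.0) * (cost_ms / 1000.0) / cores


def max_logins_per_second(cost_ms: float, cores: int, cpu_share: float = 0.5) -> float:
    """Upper bound on verifications per second if `cpu_share` of the cores did nothing else."""
    if cost_ms <= 0 or cores <= 0 or not 0 < cpu_share <= 1:
        raise ValueError("cost, cores and cpu_share must be positive")
    return cores * cpu_share * 1000.0 / cost_ms


if __name__ == "__main__":
    cores, logins_per_minute = 8, 1500          # figures from the thread
    for label, cost in (("PBKDF2 f=24000", pbkdf2_cost_ms(24000)),
                        ("PBKDF2 f=4000", pbkdf2_cost_ms(4000)),
                        ("SHA-256 f=2", sha256_cost_ms(2))):
        share = hashing_cpu_share(cost, logins_per_minute, cores)
        print(f"{label:15s} {cost:8.3f} ms/login -> {share:6.1%} of {cores} cores at "
              f"{logins_per_minute} logins/min; ceiling {max_logins_per_second(cost, cores):.0f}/s")
```

On a typical server core PBKDF2 at 24000 iterations lands in the tens of milliseconds, so at 1500 logins per minute hashing accounts for a small share of eight cores; run the script on the actual VM for the real figures. If that share is well under the 50%+ the thread measured for a plain GET of the login page, the verification cost is not where the CPU is going, and reducing the hash to SHA-256 with factor 2 gives up resistance to offline cracking of the stored hashes without removing the bottleneck.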
-
RE: logout questions
Hello Dan!
Aah! That should work, while still having the /signin-back button to take me to the app. Thanks
-
RE: logout questions
@dan: "...call each of your configured logout URLs per application."
- Do we have many logout URLs?
As you suggested, /api/logout removes cookies; what should I do to remove the SSO session from the native app itself? Basically, from the Android app, when we call /api/logout and remove any locally saved state info, and then redirect to the login page, as the FusionAuth session is still active, it just redirects back to the consent screen and therefore back to the application, literally making the user unable to switch accounts until the FusionAuth session is terminated. If /api/logout doesn't end the FusionAuth session, I am left with only 1 option (as far as I've understood):
- Logout action in the app.
- Redirects to the FusionAuth SSO page
- Redirects back to the custom consent screen (as the FA session is active)
- I add a "LOGOUT COMPLETELY" button redirecting to the /oauth2/logout page with post_logout_uri set to the /signin-back page (containing a single button "Sign In Again")
- FA logout in progress
- Redirects to /signin-back
- Sign-in-back button action to the APP
- Finally the APP opens, checks AuthState to be false
- Authorize() redirects to /oauth2/login
But I sincerely feel this is too much; am I mistaken somewhere? There must be some best practices, which I want to know.
Thank you
-
RE: After Chrome 80+ Cookie Set SameSite=None requires 'Secure' in Android WebView doesn't seem to complete Authorize
Jay Swaminarayan! @dan
Something that I have learnt the hard way, after a week-long troubleshooting, was surprisingly silly, at least for you or other experienced members of the FusionAuth community.
However, little did I know the security concerns of the browser. It turns out that:
- JavaScript cannot directly redirect to any com.android.app:/redirect_uri.
- There must be manual user interaction for the redirect to complete: a button click or anchor link click.
- That was the reason Chrome cancelled the redirect from the FusionAuth screen.
What I could find:
One of the reasons that there are consent screens:
Basically, the Allow button redirects back to the app.
My conclusion:
- It would be great if this consent screen mechanism were available for native redirects after the 1st authorization within FusionAuth.
- For the time being I have made a consent screen of my own, which is the redirect_uri and which in turn redirects back to the app.
I don't know if what I am doing is best practice or whether there was something else I should have done; at least this is working for me as of now.
Thank you once again.
PS: There is another issue: calling /api/logout?global=true&refreshToken={refresh_token} only signs out of the app, but doesn't sign out from FusionAuth completely, making it redirect back to the app instead of the login screen?
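The workaround described in this post (a consent screen of your own as the redirect_uri, which hands the result to the app through a link the user taps) is what the interstitial below implements. It is an added example for this thread, not code from the posts, FusionAuth or AppAuth. The scheme com.example.app, the /oauth2redirect path and the port are assumptions for the example. The page forwards only the allow-listed callback parameters (code, state, error, error_description) to a fixed custom-scheme target, so it cannot be turned into an open redirector through the query string; it requires state to be present because the app verifies it; it re-encodes and HTML-escapes the values; and it sends no-store and no-referrer headers and trims the query string from its own access log, because the URL carries the authorization code.

```python
"""Interstitial "Continue to app" page for a native app's redirect_uri.

Added example for the Android redirect posts; not code from the posts, FusionAuth
or AppAuth. Chrome cancels a script-driven navigation to a custom scheme, so the
redirect_uri points at this page, which forwards code and state to the app only
through a link the user taps. Scheme, path and port are assumptions for the example.
"""
from html import escape
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlsplit

APP_LINK = "com.example.app:/oauth2redirect"   # assumption: scheme/path from the app's intent-filter
FORWARDED = ("code", "state", "error", "error_description")


def build_app_link(query: str) -> str:
    """Build the custom-scheme URL from the callback query string.

    Only allow-listed parameters are forwarded and the target is fixed, so nothing in
    the query can redirect the user elsewhere.
    """
    params = parse_qs(query, keep_blank_values=False)
    kept = {k: params[k][0] for k in FORWARDED if k in params}
    if "code" not in kept and "error" not in kept:
        raise ValueError("callback carries neither code nor error")
    if "state" not in kept:
        raise ValueError("callback is missing state")   # the app verifies it; never drop it
    return f"{APP_LINK}?{urlencode(kept)}"


def render_page(query: str) -> str:
    """HTML with a single user-activated link; values are URL-encoded, then HTML-escaped."""
    link = escape(build_app_link(query), quote=True)
    return (
        "<!doctype html><meta charset='utf-8'><title>Continue</title>"
        "<h1>Sign-in complete</h1>"
        f"<p><a href=\"{link}\">Open the app</a></p>"
    )


class ContinueHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlsplit(self.path)
        if url.path != "/oauth2redirect":
            self.send_error(404)
            return
        try:
            body = render_page(url.query).encode("utf-8")
        except ValueError as exc:
            self.send_error(400, str(exc))
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Cache-Control", "no-store")      # the URL carries the code
        self.send_header("Referrer-Policy", "no-referrer")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # The default log line includes the query string, i.e. the authorization code.
        print(f"{self.address_string()} GET {urlsplit(self.path).path}")


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), ContinueHandler).serve_forever()
```

Register the page's URL as the application's redirect_uri and keep the app's intent-filter as in the manifest in the next post; the code is still exchanged by the app with PKCE as before, the interstitial never calls the token endpoint and never sees the client secret.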
-
RE: After Chrome 80+ Cookie Set SameSite=None requires 'Secure' in Android WebView doesn't seem to complete Authorize
Even this:
Well, can you kindly tell me what should be the redirect_uri for an Android app and the respective intent-filter for the AndroidManifest? I want to be sure that this is not causing all this.
Currently, I am using
AndroidManifest.xml
<activity android:name="net.openid.appauth.RedirectUriReceiverActivity" tools:node="replace">
    <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="org.gurukul.edu"/>
    </intent-filter>
</activity>
and redirect_uri = org.gurukul.edu:/oauth2redirect
Please do help with this; I may seem silly here, but I am into hard troubleshooting all these days & nights.
-
RE: After Chrome 80+ Cookie Set SameSite=None requires 'Secure' in Android WebView doesn't seem to complete Authorize
Jay Swaminarayan! @dan
The only thing I could find was this:
Navigation is blocked: org.gurukul.edu:/oauth2redirect?code=Bw0GtMPtlLE2C28raehtI32J8D88u_qJXr8Rk_u8QB0&locale=en_US&state=iGZVrj-TWZ2ImOgNm5Vp6w&userState=Authenticated
While I saw the logs, they don't seem to describe anything regarding this.
Google IdP Response Debug Log
8/19/2020 04:32:10 PM IST Call the [https://www.googleapis.com/oauth2/v3/tokeninfo] endpoint.
8/19/2020 04:32:11 PM IST Endpoint returned status code [200]
8/19/2020 04:32:11 PM IST Endpoint response: { "iss" : "accounts.google.com", "azp" : "711963816597-kkc0k63qtq8pbavj53no1sjccuj2k6nb.apps.googleusercontent.com", "aud" : "711963816597-kkc0k63qtq8pbavj53no1sjccuj2k6nb.apps.googleusercontent.com", "sub" : "108223291158399663939", "hd" : "gurukul.org", "email" : "9845195000@gurukul.org", "email_verified" : "true", "at_hash" : "DczmNxXerelpioPZYvGKUA", "name" : "PRO Bangalore", "picture" : "https://lh3.googleusercontent.com/-Laz1akUFXm4/AAAAAAAAAAI/AAAAAAAAAAA/AMZuuclWarqwOmyfvlH9Q63dejOSvCpDXw/s96-c/photo.jpg", "given_name" : "PRO", "family_name" : "Bangalore", "locale" : "en", "iat" : "1597834930", "exp" : "1597838530", "jti" : "da94e36cb732b3222dfca247b437a57cd4c6403b", "alg" : "RS256", "kid" : "6bc63e9f18d561b34f5668f88ae27d48876d8073", "typ" : "JWT" }
8/19/2020 04:32:11 PM IST The user with the email address [9845195000@gurukul.org] already exists.
8/19/2020 04:32:11 PM IST Invoke configured lambda with Id [66353336-3034-6465-3563-323730343666]
8/19/2020 04:32:11 PM IST Updating user: { "breachedPasswordLastCheckedInstant" : null, "breachedPasswordStatus" : null, "encryptionScheme" : null, "factor" : null, "id" : "383a31a6-104c-4ea3-ad08-6fd035e609fd", "password" : null, "passwordChangeReason" : null, "passwordChangeRequired" : false, "passwordLastUpdateInstant" : 1597669720748, "salt" : null, "verified" : true, "preferredLanguages" : [ ], "memberships" : [ ], "registrations" : [ ], "active" : true, "birthDate" : null, "cleanSpeakId" : null, "data" : { }, "email" : "9845195000@gurukul.org", "expiry" : null, "firstName" : "PRO", "fullName" : "PRO Bangalore", "imageUrl" : "https://lh3.googleusercontent.com/-Laz1akUFXm4/AAAAAAAAAAI/AAAAAAAAAAA/AMZuuclWarqwOmyfvlH9Q63dejOSvCpDXw/s96-c/photo.jpg", "insertInstant" : 1597669720711, "lastLoginInstant" : 1597834822651, "lastName" : "Bangalore", "middleName" : null, "mobilePhone" : null, "parentEmail" : null, "tenantId" : "64326262-6536-3663-3737-373861366366", "timezone" : null, "twoFactorDelivery" : "None", "twoFactorEnabled" : false, "twoFactorSecret" : null, "username" : null, "usernameStatus" : "ACTIVE" }
8/19/2020 04:32:11 PM IST User is already registered for application with Id [30d6e7be-407d-4b63-8b98-33a2ae8e2b56].
8/19/2020 04:32:11 PM IST User has successfully been reconciled and logged into FusionAuth.
8/19/2020 04:32:11 PM IST Authentication type: GOOGLE
8/19/2020 04:32:11 PM IST Authentication state: Authenticated