@ahcfrontdoor I set up an application with the setting you are talking about and was allowed to register and proceed without any re-direction. Can you share a screen shot of your application registration tab. Please be sure to black out any sensitive information if necessary.

@dan Great catch, no sure how I confused mfa and captcha. Thank you!

Hey @dan - thank you for your thorough reply! And sorry for the delay,

I think I've got the refresh token and the correct scopes. What I don't have currently is a backend - I only have a client-side application and my self hosted FusionAuth, currently. It seems like if I need to access the FusionAuth backend in order to pull the user's Discord token from the link, there will be no way to do this securely without a separate backend. Does that sound right?

While I understand this topic has been previously discussed, I believe it's still relevant due to the similarity in my use case.

I'm currently integrating Discord login into my application using the OpenID Connect identity provider. My goal is to implement a custom user experience that doesn't rely on FusionAuth's hosted login pages.

As mentioned in previous discussions, the current documentation doesn't provide a way to pass the PKCE code_verifier when requesting the "Complete an OpenID Connect Login" endpoint.

I'd like to propose two improvements:

Allow passing code, code_verifier (optional), and redirect_uri in the request payload. This would provide a more flexible and allow the usage of PKCE;

Allow passing an access token directly. This would eliminate the need for FusionAuth process the exchange step, similar to how Facebook's identity provider works (for example). This would probably also require the configuration of an endpoint to fetch the user email or username.

As a side note, since discord access_token is not a JWT I believe this cannot be done using the "External JWT" identity provider.

Hope you can help me with this.
Thanks!

@morten Check out this thread and please let me know if it works for you. https://fusionauth.io/community/forum/topic/2743/can-i-configure-a-tenant-application-as-an-external-identity-provider-for-other-tenants/8

Thank you for sharing.

The easiest thing to do is to store the value on the user.data object in the reconcile lambda, and then pull it off in the JWT populate lambda.

The JWT populate lambda will only be called if the authorization code grant is completed and an access token is generated, but you should be doing that in your application.

So what it looks like is:

user visits your application user clicks 'login' user clicks 'login with OIDC' user authenticates user returned to FusionAuth reconcile lambda runs, setting values on user.data user object is created JWT populate lambda runs, pulling values from user.data and calling FusionAuth APIs to add user to a group or grant them permissions on an entity user object is updated, user exists in FusionAuth

For future readers, there's an open GH issue here to better support iframes: https://github.com/FusionAuth/fusionauth-issues/issues/2830

Please add your use cases, upvotes and comments there.

@Alex-Patterson That did the trick! Enabled silent mode in the fusionauth.properties file and no more errors.

@sandiprghane based on that info, I think the above method will work for you and as I mentioned, maybe check out custom scopes for third party applications if you have a license that supports it.

@rrock Does this have to be during the registration process? I found this under progressive registration in the docs. It suggests you "collect minimal user profile data to get users into your application with as little friction as possible. Then, you’d use the User APIs or User Registration APIs along with custom screens in your application to collect additional information."

Yes. You can do this with the API:

curl -H 'Authorization: ...' https://yourinstance.fusionauth.io/api/webauthn\?userId=00000000-0000-0000-0000-000000000001 > out

Then remove the following:

id insertInstant lastUsedInstant tenantId

update the userId

And use the import call:

curl -H 'X-FusionAuth-TenantId: newtenantid' -H 'Authorization: ...' https://yourinstance.fusionauth.io/api/webauthn/import -H 'Content-type:application/json' -d '{...}'

Right now you cannot turn off CAPTCHA for certain applications to handle this use case.

There's an open GH issue to address this. Please upvote or share your use case on there if you have thoughts.

As of writing, there is no direct support for push notifications as an MFA method in FusionAuth. If you would like such support, please open a feature request with more details about your use case.

However, you should be able to build something that sends a code via a push notification. Here's how to do that. (This requires a Starter, Essentials or Enterprise plan.)

This illustrates how to do this using the hosted login pages; if you use the APIs, it's a slightly different workflow, as outlined in the MFA guide.

configure FusionAuth to require a phone number when the user registers set up your android or ios device to send back the device id when the app is installed tie the device id to the user's phone number in your backend system set up a generic messenger. The messenger will send a phone number and a message when an MFA challenge occurs. look up the device id from the phone number in your system use the appropriate service to send a push notification with the code have the user enter the code in the MFA challenge screen

The Terraform provider is no longer community supported and has some documentation. More here: https://fusionauth.io/docs/operate/deploy/configuration-management and here: https://fusionauth.io/docs/operate/deploy/terraform

@mark-robustelli thanks for clarifying!

"I’m grateful for your support. Thanks a lot!"

This also works with an OIDC provider and from tenant to tenant in the same FusionAuth instance. Assume you have an app (app1) in your existing tenant and you want to allow users in a different tenant to log in to app1. You can do this with an identity provider.

To do so:

create a new tenant in your FusionAuth instance create an application in the new tenant (app2) add an authorized redirect URL of https://yourinstance.fusionauth.io/oauth2/callback make sure the authorization code grant is checked. create a user in the new tenant use same email address but a different password register the user for app2 create an OIDC identity provider the name should be app2 IDP update the button text to say 'log in with app2 in a different tenant' the client identifier and secret should be the app2 client id and secret the scope should be openid profile email the authorization URL should be https://sandbox.fusionauth.io/oauth2/authorize the token URL should be https://yourinstance.fusionauth.io/oauth2/token the userinfo URL should be https://yourinstance.fusionauth.io/oauth2/userinfo enable the OIDC identity provider for app1 and make sure to create a registration for that application when a successful authentication is done.

When you visit the app1 login screen, you should now see a button prompting you to log in with app2.

This allows you to do cross tenant enterprise sign on within the same FusionAuth instance.