Hi everyone,
I am quite new to FusionAuth, and so far I am liking it very much. I am currently working on integrating a JupyterHub server that will use an LTI identifier.
Has anyone had some experience integrating LTI tools or platforms using FusionAuth? As I said, I'm quite new, and it would be great to get some small guidelines to get started. Everything I read online on different forums is not working, or leads to multiple errors.
Thanks in advance!
I'm using the Kickstart approach to set up FusionAuth for local development and I'd like to create identity providers with well-known IDs so I can reference them in my application.
I was hoping to specify a UUID at the end of the URL like you can for other API resources:
POST /api/identity-provider/11111111-1111-1111-1111-111111111111
but it seems this UUID is ignored and a random one is generated instead.
For context, I need to reference these IDs in my application so I can use them with the idp_hint parameter to let users log in directly to an identity provider.
Is there another way to do this via Kickstart?
Hi,
I am configuring my Tenant with a refresh token expiration policy of "sliding window with maximum lifetime". I have configured the maximum lifetime to 240 minutes, but the refresh token is actually expiring after 30 minutes.
What could be happening?
Thanks,
Ernesto
Hello there!
I am currently working on a personal project, using a .NET backend with API endpoints, and Angular as a frontend.
I have been checking all the tutorials, wandered the forum and the internet, but I could not find any trace of a tutorial for a full stack application.
Does anybody know what can be done for that? My project is quite simple from an architecture point of view. The user authenticates to have access to the website. Then, whether they are a normal user or any other type of user with permissions, they will have access to specific parts of the website or have specific permissions.
Am I not understanding something that makes me unable to implement authentication for my whole project? Or is it easier than I think, and I just have to implement it in my frontend and make the call to my backend?
I used Auth0 in another personal project, and the tutorial was thorough regarding the complete stack. What is the difference here? I wanted to use FusionAuth for its customization and because it is entirely free.
Thanks!
Do you have any example code where FusionAuth is the source of identity and Discord delegates user management to it?
We are migrating from another chat provider to Discord and want to enable access only for users who are registered in FusionAuth.
Hi all,
I'm currently setting up FusionAuth for use in our application (React front-end + NestJS backend). We host FusionAuth ourselves (version 1.49.2), let's say https://fusion.domain.com, and my application is running on https://application.domain.com. We've set up a tenant with OIDC.
The top domain is the same, so everything works fine when I go to https://application.domain.com directly.
However, for some use cases, our application will be loaded by external apps in an iframe. These external apps will be hosted on different domains, say https://app.other.com. So far I've not been able to get it to run. I've had a look at this other post without success.
The first issue I have is with the X-Frame-Options header. As per the documentation I've added the domain https://app.other.com in the Authorized request origin URLs so that the X-Frame-Options: DENY header is removed. I've also added https://app.other.com to the allowed CORS origins. This works partially. Sometimes the X-Frame-Options: DENY header is indeed removed, sometimes it's there.
However, even when it is removed, the following problem is that the cookies set by the Hosted app are sent back with the SameSite=Lax attribute. This means they are not sent on subsequent requests and the authentication fails.
To overcome this issue, I've set up the OAuth endpoints myself as described in the Express tutorial. Now I can set SameSite=None and cookies are correctly set. But even with that the authentication fails. From what I see, it's the redirection from the OIDC provider to FusionAuth which fails because a code is missing.
I've also tried the following:
- Switch from cookies to Bearer auth, using a popup opened by the iframe and trying to send the token back to the opener with postMessage. This doesn't work because the opener object is cleared upon redirection to a different domain.
- Try to use a SharedWorker as a channel to send the token. This does not work either because of CSP: the app loaded in the iframe creates a different worker.
I'm currently trying to set up a proxy for FusionAuth to be able to control the cookies and their attributes but that seems a bit overkill.
So my question is: what is the standard approach when dealing with such cases? How can I use FusionAuth for my app in a cross-domain iframe?
Thanks and sorry for the long post.
Hello!
Is it possible to use macros in e-mail templates? I'd like to create some shared HTML template for e-mails which could then be reused in e-mails, similar to how theme templates work. I've tried putting a new macro in the theme's helpers.ftl, but the email parser seems not to load this file during e-mail generation. Is it possible to somehow abstract the logic for e-mails, or do I have to duplicate the HTML for each email, use some custom scripting, etc.?
Cheers
Hi, I'm using FusionAuth for my app. I have two IdPs integrated, i.e. Discord and Google.
For Discord I am getting enough details such as
user: {
id: '34343',
discordId: '34434',
email: 'email@myemail.com',
image: 'https://imagelink.png',
name: 'My Name'
}
However, with Google, I'm getting just an email and an id:
user: {
id: '43434',
email: 'email@myemail.com',
image: undefined,
name: undefined
}
In FusionAuth, I'm getting the details of the Google user. Any idea why I am not able to receive these fields inside my application?
Event Log:
{
"iss": "hidden data",
"azp": "hidden data",
"aud": "hidden data",
"sub": "hidden data",
"email": "hidden data",
"email_verified": "hidden data",
"at_hash": "hidden data",
"name": "hidden data",
"picture": "hidden data",
"given_name": "hidden data",
"family_name": "hidden data",
"iat": "hidden data",
"exp": "hidden data",
"alg": "hidden data",
"kid": "hidden data",
"typ": "hidden data"
}
I'm working on my own UI, but when I retrieve the SAML Identity Provider (as outlined in this API doc) I don't see the usernameClaim.
Hello, community. I want to share my recent experience in the hope that we can figure out a solution together.
I'm trying to implement an invite flow for our application, which allows users to invite others to collaborate, even if they are not registered in the application. After reading related topics on implementing an invitation flow, I decided on the following process:
- The user specifies the email of the person they want to add to the team.
- The application creates and registers a new user, setting sendSetPasswordEmail and skipVerification in an API call.
- The new user receives an email with a link to set their password.
- The user sets their password.
- The user is redirected to the application UI to accept the team invitation.
In reality, everything goes fine up until the new user sets their password. They then see an uninformative screen with no instructions on what to do next or where to go. Therefore, I decided to update the templates for several reasons:
- To provide guidance and explanations about what is happening ("You were invited to... after setting your password you will...")
- To instruct the user on the completion page about the next actions and provide a link, or possibly even initiate a redirect to the application using JavaScript.
This seemed like an easy task until I realized that "password reset" and "password set" use the same templates, meaning any changes will affect both flows.
So, I decided to implement conditional branching in the template to display different content for different flows. My first attempt was the simplest possible solution: using a query parameter.
- I added a query parameter to the URL in the "Set password" email template.
- Retrieved it in the template using request.getParameter.
- Added a hidden input to the form.
This worked fine for displaying the form, but after successful form submission, the user is redirected to the complete template without preserving the parameter. So, this approach failed.
Next, I decided to add an additional data field to the user object during creation. If the user does not have an account and the account was created during the invitation flow, it would contain a corresponding boolean flag in the data map/property set. My idea was to access the user object and read the property to identify the flow. If the flag is set, it indicates that the user is not yet properly registered and is definitely not resetting their password.
But this idea was debunked because the "Password set" template does not have the user object in its context. Even though the template has the declaration:
[#-- @ftlvariable name="currentUser" type="io.fusionauth.domain.User" --]
attempting to access currentUser causes a Null Pointer Exception (NPE).
I am out of ideas on how to implement the invitation flow while keeping the user experience less frustrating. If you have any suggestions or even propose a complete redesign of the approach, please do not hesitate to share.
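One way to keep the invite state in the application instead of in the theme template, as an added example that is not part of the post or FusionAuth's own code: the application sets the flag in user.data when it creates the invitee (assumed endpoint: the combined User Registration API, POST /api/user/registration, with the sendSetPasswordEmail and skipVerification fields the post names), reads the flag back after the invitee logs in to choose the next screen, and clears it with a PATCH so a later password reset behaves as a normal reset. The base URL, API key, application id and team id are placeholders, and the user record fed to the decision function is constructed.

```python
import json
import os
import urllib.request

FUSIONAUTH_URL = os.environ.get("FUSIONAUTH_URL", "http://localhost:9011")  # assumption
API_KEY = os.environ.get("FUSIONAUTH_API_KEY", "<api-key-placeholder>")      # assumption


def build_invite_registration(email, application_id, team_id):
    """Body for the combined User + Registration call (POST /api/user/registration).
    sendSetPasswordEmail: FusionAuth emails a set-password link instead of taking a
    password here; skipVerification: no separate email-verification step.
    The invite state lives in user.data and is written server-side by the app,
    so the invitee cannot forge it from the browser."""
    return {
        "user": {"email": email,
                 "data": {"invitePending": True, "invitedToTeam": team_id}},
        "registration": {"applicationId": application_id},
        "sendSetPasswordEmail": True,
        "skipVerification": True,
    }


def next_step_after_login(user):
    """Decide where to send a freshly logged-in user from user.data (for example the
    User API response), so the password-set template never needs the user object."""
    data = (user or {}).get("data") or {}
    if data.get("invitePending"):
        return ("accept_invite", data.get("invitedToTeam"))
    return ("home", None)


def build_clear_invite_patch():
    """PATCH body for /api/user/{userId} once the invitation has been accepted."""
    return {"user": {"data": {"invitePending": False}}}


def call(method, path, body):
    """Send a JSON request to FusionAuth with the API key (network call)."""
    req = urllib.request.Request(f"{FUSIONAUTH_URL}{path}", method=method,
                                 data=json.dumps(body).encode(),
                                 headers={"Authorization": API_KEY,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample values; the application id is a placeholder.
    print(json.dumps(build_invite_registration("invitee@example.com", "<application-id>", "team-42"), indent=2))
    # Constructed user record as the User API would return it after the invitee logs in.
    print(next_step_after_login({"email": "invitee@example.com",
                                 "data": {"invitePending": True, "invitedToTeam": "team-42"}}))
```

To create the user for real, pass the first body to call("POST", "/api/user/registration", body); to clear the flag, call("PATCH", f"/api/user/{user_id}", build_clear_invite_patch()).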