@joshua After digging deeper in the code it looks like this is actually a shared configuration file between the frontend and backend (which was a little confusing). But it doesn't look like the client actually uses the secrets or apiKey which is what I didn't think was safe. So I think I am good for now. Thank you for following up with me.

I'm understanding the Node JS side more ... I may be able to replicate this behavior in Spring Boot. If so I'll share my findings and maybe you guys can add this to your examples for future users.

@lsmith

This seems about right. Will review.

Thanks,
Josh

@emudojo Sorry for the delay

Were you able to figure this out?

Our documentation covers some nuances to the put/patch for this endpoint which you may be experiencing here.

https://fusionauth.io/docs/v1/tech/apis/users#update-a-user

Thanks,
Josh

@evgeniya-gabrikova Thanks so much for coming back and sharing your solution!

Avoids the "Wisdom of the Ancients" problem: https://xkcd.com/979/

Hi dan,

Thanks for the reply, I ended up storing permissions in the user.data field.

I hope you'd consider adding the "entity grants to permissions" of the client credential flow in the authorization code flow in a future release, entity fits many needs and may ease integration.

We appreciate FusionAuth is very flexible, you're doing a great job 👏

Future Viewers Note:

This can be obtained via the User API

https://fusionauth.io/docs/v1/tech/apis/users#retrieve-a-user

You can view the user's registrations in the response:

user.registrations [Array]
The list of registrations for the User. This will include registrations for inactive applications.

The tenant is using the "Default signing key (HS256)" for the access token.

@andrey-dzhezhora

Hmmm. What does the login API return as a status code. My guess, from reading the docs, is that it returns a 212, as specified here: https://fusionauth.io/docs/v1/tech/apis/login#authenticate-a-user

This is still a kind of success, and if you are using the Login API, you are expected to consume the response codes and make appropriate limitations based on that.

Does that make sense?

If, on the other hand, you are getting a 200 for this user, that seems like a bug. Or at least something is going on that I don't understand.

Anyone seen this issue. I am still having this issue.

@nmetchev @dan same issue but using with silent mode is ok.

@utahtwo I tried that and was unable to make it work a few months back. @joshua filed an issue here: https://github.com/FusionAuth/fusionauth-issues/issues/1532

The simplest solution if you are self hosting is to run a different instance of FusionAuth on a different port against a different database. I've done that successfully.

@joshua

I have inserted the code and id_token in the API call as you mentioned and
My logs had been cut off, The following are the complete logs,

Apple IdP Response Debug Log [13d2a5db-7ef9-4d62-b909-0df58612e775] 7/7/2022 12:18:37 PM GMT Validate the provided [id_token] value [eyJraWQiOiJmaDZCczhDIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLnJldm9sdXRpb25jYXJzLmRlbW8iLCJleHAiOjE2NTcyODI1NzcsImlhdCI6MTY1NzE5NjE3Nywic3ViIjoiMDAwNzA1LjQ5YTA5ZjYyNTMyNjRhMDNhYTQ5N2ExYTlhYzI3MDY5LjE0MTciLCJhdF9oYXNoIjoiWTRsTVlESkRITHdteldpc3FzbTY2ZyIsImVtYWlsIjoiZ2FuZXNobW9vcnRoeTU5OTlAZ21haWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOiJ0cnVlIiwiYXV0aF90aW1lIjoxNjU3MTk2MTU5LCJub25jZV9zdXBwb3J0ZWQiOnRydWV9.aK7dDZdZSue6gCpmba0YL8PVX2qkbru-4DE0NNNBKBKnqN2uFmwgbcjYRqb-jj4UIKCibDcUSsd4mbD9wRHK4o8rH8M_ZCBdgJ8cIr1sx8JTQ7M1BOSyap7GsxWzPdR_stCJn7xWBeUulRtpWdemj-H3_6DwMQak0E4IG2ZxAdTwmTz464FGynmbmXQaKBqqLJP5WXFagLHZNFZeCd9Tr458B3__KGcPni912IwHLl1Yhhn-oqLm7RU5Ck5iTPZfvW2oZwljtdilCONVzXHsyHnL0hPZcvzrlxWXxXhljpg_VeuS-M53amL2JgAQRjloFARBqfRWW3zt5qdRYVYl1w] 7/7/2022 12:18:37 PM GMT Decode the [id_token]. 7/7/2022 12:18:37 PM GMT Assert the [iss] claim is equal to [https://appleid.apple.com]. 7/7/2022 12:18:37 PM GMT Assert the [aud] claim is equal to [com.revolutioncars.demo]. 7/7/2022 12:18:37 PM GMT Calculate the [c_hash] to ensure the integrity of the provided [code] value []. 7/7/2022 12:18:37 PM GMT The [id_token] integrity check failed. Expected a [c_hash] of [null] and found [47DEQpj8HBSa-_TImW-5JA].

We managed to figure it out. It was a build error where IntelliJ was not updating the dependency. Thanks for the help.

@t-vanherwijnen said in Choose/pick application flow:

Can you explain how?

Ah, there's no way to stop them being set on the FusionAuth side, sorry for the confusion. But your application, which gets the access token in a request from your client, can certainly choose to ignore any cookies it receives.

That's what I meant.

If you'd like to be able to configure FusionAuth to not send the cookies, that'd definitely be a feature request. Please feel free to file one: https://github.com/fusionauth/fusionauth-issues/issues

I'm also facing the same issue. When someone send me email. I am totally unable to get it in my inbox or spam folder. What is the appropriate solution to come out from it.

@ezeilo-su This looks like it got cut off. Can you re-post?

@quanluong1102nd this thread might be helpful: https://fusionauth.io/community/forum/topic/2054/fusionauth-websockets

Bug filed here: https://github.com/FusionAuth/fusionauth-issues/issues/1740