@daniel,

Glad you are trying us out! I will do my best to address your questions.

if the API is an Entity, and mobile app is an application, how roles will be designated to users for the APIs? How do we access them there? Is it done via same approach as in Auth0?

Are you saying that you are looking to have the same roles (they are called permissions the entity types) assigned to an entity and a user? I may need a little more context to better understand. Maybe you could outline how you are expecting this to work in practice.

Side note, we have documentation on this to be found here (you may have already reviewed it).

https://site-local.fusionauth.io/docs/v1/tech/core-concepts/entity-management/
https://site-local.fusionauth.io/docs/v1/tech/apis/entity-management/#undefined

Also there is a question about using Roles by tenants - as we plan to create those roles, while Tenants will be assigning them to their users, is that actually possible?

Roles are scoped to an application per documentation. I might need some additional clarification/context to better address.

https://site-local.fusionauth.io/docs/v1/tech/core-concepts/roles/#overview

Let us know. Happy to help as able!

Thanks,
Josh

@ubaid-rehman

My recommendation would be to use our troubleshooting steps for email.

https://fusionauth.io/docs/v1/tech/troubleshooting/#troubleshooting-email

Especially as it pertains to below.

Enable debugging by navigating to Tenants Your Tenant Edit Advanced SMTP Settings Additional properties and add mail.debug=true.

Let us know if you still have trouble after a further review.

Thanks,
Josh

Hiya @adrian-wild

To confirm, you are using the elastic search search engine?

And the numbers in the list you provided are the number of results you get?

Hiya,

This is an open feature on our issues list:

https://github.com/FusionAuth/fusionauth-issues/issues/77

We want to get to this, but don't have a fixed timeline for this feature right now. Here is our general roadmap guidance: https://fusionauth.io/docs/v1/tech/core-concepts/roadmap/

Hope this helps.

@samet @kbi @shaunladd

After talking some more with colleagues, this error behavior related to your Nginx configuration and not related to FusionAuth directly.

You can check out two reverse proxy repos that are community maintained below for further guidance:

https://github.com/FusionAuth/fusionauth-contrib/tree/master/Reverse Proxy Configurations https://github.com/FusionAuth/fusionauth-containers/pull/61

As I often have to remind myself, when deals with layers of abstraction, it is always best to start with the simplest base layer and build from there. So in this case, a good approach may be to expose the FusionAuth node directly and try to get it working without a proxy. Or try getting a proxy working with FusionAuth on a VM/docker locally (as opposed to the cloud/remote), just to remove variables.

I hope this helps!

Thanks,
Josh

@yb98 thanks for explaining. I don't see an easy way to do what you want with kickstart alone, since you can't set the age of the password programmatically. The same issue would occur if you did this all via an API. The only thing I can think of is to apply the password complexity rules 1 day after system startup. A pain, I know, but that's the only path I see that would work.

@thiago-benvenuto

Additional details can be found here

https://fusionauth.io/community/forum/topic/1118/can-i-get-permissions-granted-to-a-user-against-an-entity-in-an-oauth-grant

I have filed an issue below. Feel free to expand or add your own comments as needed.

https://github.com/FusionAuth/fusionauth-issues/issues/1295

Thanks,
Josh

@innospaceauto,

There are a couple of steps that you can take to remedy this.

The first step is to turn on the mail debug logs.

mail.debug=true in the advanced settings on the tenant.

The second step is to confirm that you are able to send a test email.

Additional details can be found in our troubleshooting guide.

https://fusionauth.io/docs/v1/tech/troubleshooting/#troubleshooting-email.

Finally, Gmail, especially with recent security upgrades, may require you to have MFA enabled or not allow apps to access its SMTP servers unless specifically allowed.

I was able to get a test email to send from my personal account by generating an "application password" and using SSL to send.

https://support.google.com/accounts/answer/185833
https://support.google.com/mail/answer/7126229?hl=en

I hope this helps!

Thanks,
Josh

@bergraan,

One more note:

You will want to ensure you are using the client_id on the URL.

To that end, after discussing with the team, I think your URL's may be broken:

Example good URL --> http://localhost:9011/password/change/<code>?<tenan_id> Example bad URL --> http://localhost:9011/password/change/<code>?client_id=<client_id>&<tenan_id>

should be
⬇ ⬇ ⬇

Example good URL --> http://localhost:9011/password/change/<code>?tenantId=<tenant_id> Example bad URL --> http://localhost:9011/password/change/<code>?client_id=<client_id>&tenantId=<tenan_id>

I hope this helps!

Thanks,
Josh

That's a bummer about the database backup! Sorry to hear that.

https://fusionauth.io/community/forum/topic/1117/how-can-i-downgrade-an-instance has some advice.

There's no straightforward path, unfortunately.

@richb201

The documentation says that this is optional. But not in my case.

Can you elaborate on where you found this in the doc?

The error should say missing "X-FusionAuth-TenantId"

Can you elaborate on this?

When I get back the "code" do I need to manually convert it to a token, or is this done automatically?

You may want to review our OAuth guide. Using a OAuth2 flow, it is common to have two separate endpoints (authorize and token) to obtain access. The "code" is returned from FusionAuth and is used (in conjunction with a few other possible factors) to obtain an access token (in our typescript client, this is the client.exchangeOAuthCodeForAccessTokenUsingPKCE function)

We do have a few tutorials as well, that show this in action (nodeJS tutorial being one of them)

Lastly, for general housekeeping's sake, this thread is getting a bit long, with a few related posts clumped together. For future questions, if the question is unrelated to the posts immediately above, it might be good to open a new thread.

Hi @gustavo-moreno,

I have removed this post as this is solicitation-focused and at a minimum off-topic for this forum.

Please see our code of conduct here:
https://fusionauth.io/community/forum/topic/1000/code-of-conduct

Thanks,
Josh

You should be able to use the LDAP connector but when configuring at the tenant, set Migrate User to false.

That will ensure that the user data doesn't migrate to FusionAuth. I realize this doesn't address your desire to not grant FusionAuth read credentials. Feel free to file a feature request for that specific feature: https://github.com/fusionauth/fusionauth-issues/issues

Ideally, a user would attempt to log in with their LDAP credentials into FusionAuth, and then FusionAuth would forward these credentials to LDAP for authentication.

If this is a requirement, you could do this using a lightweight JSON API you write which talks to LDAP and a generic API connector: https://fusionauth.io/docs/v1/tech/connectors/generic-connector/