FusionAuth
    • danD

      We’re using FusionAuth Cloud, how can we enable a custom domain?

      faq domains • • dan
      10
      0
      Votes
      10
      Posts
      6.4k
      Views

      A

      As of July 25, 2023 we now support Unlimited Custom Domains for FusionAuth Cloud! You can read more in this post, on how to add a custom domain.

    • danD

      We use FusionAuth cloud and want our instance to have a custom domain name

      dns cloud domains • • dan
      3
      0
      Votes
      3
      Posts
      2.3k
      Views

      A

      As of July 25, 2023 we now support Unlimited Custom Domains for FusionAuth Cloud! You can read more in this post, on how to add a custom domain.

    • danD

      Does a managed account on fusionauth.io support a custom domain?

      domains managed-account from-slack faq • • dan
      3
      0
      Votes
      3
      Posts
      5.9k
      Views

      A

      As of July 25, 2023 we now support Unlimited Custom Domains for FusionAuth Cloud! You can read more in this post, on how to add a custom domain.

    • A

      Solved FusionAuth Doesn't Start

      • • andrew 1
      3
      1
      Votes
      3
      Posts
      543
      Views

      danD

      @andrew-1 Thanks for sharing the fix! Appreciate it!

    • C

      Unsolved Choosing which M365 account to use during Azure IDP login process

      • • chris.lees
      2
      0
      Votes
      2
      Posts
      466
      Views

      danD

      @chris-lees Does M365 support the prompt parameter? It looks like it does.

      I'd look at adding that parameter to the authorize URL that FusionAuth is generating. If you want to prompt the user every time, you can add it in the Identity Provider configuration. If you want to do it occasionally, I'd look at writing some JavaScript to append it to the URL in the themed pages.

    • N

      Unsolved idp authentication with google fails

      • • nadav
      2
      1
      Votes
      2
      Posts
      421
      Views

      danD

      Hi @nadav ,

      What version of FusionAuth are you using?

      What does the error log say when you turn on debugging?

    • P

      Unsolved Accessing FusionAuth API using bearer token auth

      • • pawel.prochal
      2
      1
      Votes
      2
      Posts
      572
      Views

      danD

      Hi @pawel-prochal ,

      It sounds like you want to make a request against a FusionAuth search API using a JWT issued by FusionAuth to authenticate that API request?

      Unfortunately not all FusionAuth APIs use JWT authentication. User search is not one of them.

      If I were going to do this, I'd build a small proxy that took a JWT and held an API key. It would examine the JWT and then make the user search API call using the API key.

      Let me know if I misunderstood something.

    • N

      Unsolved Identity Provider login

      • • nadav
      2
      0
      Votes
      2
      Posts
      402
      Views

      danD

      Hi @nadav

      Thanks for using FusionAuth.

      What version of FusionAuth are you running?

      What do you see in the error event log?

    • K

      Unsolved Issues configuring Google Identity provider for fusion auth

      • • kirill.melnikov.dev.test
      2
      0
      Votes
      2
      Posts
      474
      Views

      danD

      Hiya @kirill-melnikov-dev-test

      Thanks for using FusionAuth!

      What version of FusionAuth are you running?

      Have you tried the redirect method instead of the popup method?

      What do you see in the Error Log when you turn on debugging?

      You can also try a straight OIDC Identity Provider.

    • R

      Unsolved Users being blocked - is it load or rate limiting and how to check?

      • • rob.aitken
      2
      1
      Votes
      2
      Posts
      838
      Views

      danD

      Hi @rob-aitken ,

      Thanks for using FusionAuth!

      If you are seeing a 429 and are using FusionAuth cloud, you are being rate limited by our web application firewall. Our rate limits are not publicly available and may change over time, but are pretty generous. I'd check to make sure you are calling FusionAuth appropriately and/or using exponential backoff when getting a 429.

      You can also file a support ticket using the account portal if that's helpful.

      More information here: https://fusionauth.io/docs/v1/tech/installation-guide/cloud#captcha-and-rate-limits

    • J

      Unsolved fusion auth not changing the value of cookies named with account.at, account.rt after logout

      • • jvadaliya
      2
      0
      Votes
      2
      Posts
      540
      Views

      danD

      @jvadaliya Hiya,

      I think you need to call the hosted backend logout endpoint to delete the cookies it sets.

      Thanks for using FusionAuth!

    • A

      Unsolved RBAC Access Control System Implementation with FusionAuth

      • • apetrescu
      2
      1
      Votes
      2
      Posts
      530
      Views

      danD

      @apetrescu Sounds like a fun problem!

      You are correct that entities are the best approach for this while staying entirely within FusionAuth. We don't have a lot of guidance on best practices around entities that I can share, unfortunately.

      Considering these challenges, we would greatly appreciate your guidance on how best to model FusionAuth to meet our needs. We would be particularly interested in any recommendations or best practices you can provide regarding Entity management, Permissions, and Role assignments.

      You might think about making an intermediate entity such as CompanyAbcAdminRole or CompanyAbcManagerRole, which would have permissions for admin or manager actions on CompanyAbc. Then you could atomically grant or remove CompanyAbcAdminRole to a user while leaving CompanyAbcManagerRole assigned.

      Additionally, we anticipate that a User may have access to a potentially large number of Companies within our application, potentially reaching hundreds of thousands. We are concerned about the practicality of including all these Permissions in the JWT (JSON Web Token). Could you please advise us on an effective approach for managing and including these Permissions in the JWT? What would be the alternatives or what are the best practices on this topic?

      Why would you need to do so? Is your user going to be accessing all the Companies at one time? In this case, I might offer the user the ability to choose a Company to 'enter' and create a JWT based on that action. You'd create a Company 'chooser' based on their grants to allow them to pick between the companies they know about.

      If you'd like to discuss this more, consider talking to our sales engineers.

      Another option is to, as you said, not use FusionAuth entities. You could instead use FusionAuth for authentication, then feed the resulting JWT into a solution like permit.io, cerbos or oso (or something home grown). You'd use that other system as the authorization solution.

      Hope this helps.

    • A

      Solved Does a user expiring trigger a user deactivate event?

      • • Alex Patterson
      2
      0
      Votes
      2
      Posts
      667
      Views

      A

      When a user expires, login will fail with a 410 status code, but we do not treat this as a user deactivation. We do not yet have an event for user expiration; it really only keeps the user from logging in.

      https://fusionauth.io/docs/v1/tech/events-webhooks/events/user-deactivate

    • A

      Solved Max Add Users to Group

      • • Alex Patterson
      2
      0
      Votes
      2
      Posts
      639
      Views

      A

      There are no hard limits as to the number of users you can add.

      If you notice any load spikes, you can always batch the work into multiple API calls.

    • A

      Solved Disable MFA for user via API

      • • Alex Patterson
      2
      0
      Votes
      2
      Posts
      647
      Views

      A

      This is possible using the User API.

      https://fusionauth.io/docs/v1/tech/apis/users

      First, GET the current user and identify the two-factor method you want to disable. Below you can see where the twoFactor object has a method called "authenticator".

      Example:

      {
        "user": {
          ...
          "twoFactor": {
            "methods": [
              {
                "authenticator": {
                  "algorithm": "HmacSHA1",
                  "codeLength": 6,
                  "timeStep": 30
                },
                "id": "35VW",
                "method": "authenticator"
              },
              ...

      Remove the object for "authenticator" and then make a PUT call against the same User object to update.

      https://fusionauth.io/docs/v1/tech/apis/users#update-a-user

      Please note:

      This will allow you to administratively remove a 2FA method from a specific user, and it will leave the recovery codes intact if there is at least one remaining 2FA method configured for the user. If you only have one configured method, and you remove it, the recovery codes will be cleared, and then re-generated next time you enable 2FA on the user.

    • A

      Solved Account Lockout custom message

      • • Alex Patterson
      2
      1
      Votes
      2
      Posts
      848
      Views

      A

      You can customize the message the user will be presented within the messages bundle of a theme (Themes > Your Theme > Edit > Messages). In this case, you will want to modify the following message key.

      [UserLockedException]=Your account has been locked. Please contact your system administrator.

      You can modify this message to your requirements:

      [UserLockedException]=FooBarBaz

      Your modification will be displayed to the end user.

      found variables for other messages displayed to the user as part of the Login Flow, but not for the Account Lockout Message.

      I find exporting the entire message bundle first (by "selecting all" <CTRL + A> from the admin UI) and then pasting the result in a code editor to find a message key is sometimes easier. We do have some adjacent documentation here.

      For reference only, our Theme API is also available here

    • danD

      Unsolved Can I store custom data on a tenant?

      • • dan
      2
      0
      Votes
      2
      Posts
      428
      Views

      danD

      Yes, just as you can store custom data on a user, you can store custom data on a tenant.

      It is the tenant.data field, as documented here.

      However, the tenant.data field differs from user.data in a number of ways:

      • it is not searchable
      • it is not retrievable in the populate JWT lambda, except by using Lambda HTTP Connect

    • danD

      Unsolved Checking password rules before submission

      • • dan
      3
      0
      Votes
      3
      Posts
      550
      Views

      danD

      This is now documented here: https://fusionauth.io/docs/v1/tech/themes/client-side-password-rule-validation

    • P

      Unsolved OIDC: Identity Provider doesn't recognize authorization code

      • • piotr
      2
      1
      Votes
      2
      Posts
      891
      Views

      danD

      @piotr

      1.30.1

      This is quite an old version of FusionAuth, just FYI.

      Why FusionAuth calls IdP's /oauth2/token before it calls my callback if it does not keep access/refresh tokens?

      FusionAuth does keep the refresh token.

      What is this 43-character code FusionAuth sends to the callback if I can't use it for anything? Most importantly, I can't use it for fusionauth.io/api/identity-provider/login.

      The login API and the Authorization code grant are two separate ways of logging the same user in. They have different strengths and weaknesses, but in general you can't move between them.

      You should be able to provide that 43 character code to the /oauth2/token endpoint and get back a response.

      Hope this helps!

    • F

      Unsolved Fusionauth error 403 forbidden

      • • filippachucki2000
      2
      1
      Votes
      2
      Posts
      834
      Views

      danD

      @filippachucki2000 It's hard to give advice without knowing more, but if you have a proxy, make sure it is correctly configured:

      https://fusionauth.io/docs/v1/tech/admin-guide/proxy-setup

      Did you end up resolving this?