@impackt Great, glad you have a path forward.

@tashi said in Using native apple sign in:

[SUCCESS]

We found that apple native sign has a way to get the authorization code using their sdk. mcdvoice
ASAuthorizationAppleIDCredential::authorizationCode
We are using that property to pass in the place of code for the api call to api/identity-provider/login.

API: [POST] - api/identity-provider/login

{ "applicationId": "bc3056ab-edb5-42a2-af45-b4f816689997", "data": { "code": "c4cb505812c5343798fa8478cf9c64fa9.0.srzss.wUaW_U9LTn24TjiKdaPKMQ", "redirect_uri": "", "id_token": "eyJraWQiOiJXNldjT0tCIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLnVyYmFuc2l0dGVyLm1vYmlsZS5sb2NhbCIsImV4cCI6MTY3MDM1MjkzMCwiaWF0IjoxNjcwMjY2NTMwLCJzdWIiOiIwMDE5MjIuYTNkMDZlNjZlMzk5NGM3ZjlmOTE2OTI3NDk4MWYyZTYuMjE0MCIsImNfaGFzaCI6IjJTY1R6YUZySmxKYVU3c2ppNGtiWEEiLCJlbWFpbCI6InRhc2hpLmFicml0aUBnbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6InRydWUiLCJhdXRoX3RpbWUiOjE2NzAyNjY1MzAsIm5vbmNlX3N1cHBvcnRlZCI6dHJ1ZX0.aVRm7_i1Cn7gyy6NxspZRNta6LaI6knitgGkgIsNkzskxbHXJfMUQbbTE9sYL9xUDpfi-si7sGPRdlvnKCOqtXUKcE0hiHsCOgOQykP1mLrd27qaYiwa__vd9EdWgPYPnujulaI14L1lfvT79Ss_mxOeJiwpsXoy3VI4vRpI7LNHU_QguSD2xFV9ZX-WwOJCzfqFl7dMPOnISYgu1sVjO2couokzlwZEkv96yBQqRByOeeQ0jOVvURJ_FpLuQ2jj0xs5U2S-vvkDStVWuiSiKQIiwons-aHdXAjB__3ASfQamntl1AHCMZWTSaSlh5C1zxSZdH4NQhd-eR4m_wZej" }, "identityProviderId": "13d2a5db-7ef9-4d62-b909-0df58612e775"

RESULT:

{ "refreshToken": "tRbop7_4hhKsdp2XVBLuJwvVWlf030cd2-AzJGQSnY8xLI6THtbVhQ", "refreshTokenId": "28b74a97-4286-4259-bc46-c8857f59fe73", "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImUxMmQxMzQzYSJ9.eyJhdWQiOiJiYzMwNTZhYi1lZGI1LTQyYTItYWY0NS1iNGY4MTY2ODk5OTciLCJleHAiOjE2NzAyNjY2MjYsImlhdCI6MTY3MDI2NjU2NiwiaXNzIjoidXJiYW5zaXR0ZXIubmV0Iiwic3ViIjoiZTRhZTcxZWQtYzEzNy00YmUxLTg2ZDEtMjQ0MTYwNjY3YzBlIiwianRpIjoiZTY3M2U2YmEtODc2Yi00YjY2LTljYjEtNDdjZGVlMzZjNzM3IiwiYXV0aGVudGljYXRpb25UeXBlIjoiQVBQTEUiLCJlbWFpbCI6InRhc2hpLmFicml0aUBnbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwicHJlZmVycmVkX3VzZXJuYW1lIjoidGFzaGktYmh1dGlhIiwiYXBwbGljYXRpb25JZCI6ImJjMzA1NmFiLWVkYjUtNDJhMi1hZjQ1LWI0ZjgxNjY4OTk5NyIsInJvbGVzIjpbXSwic2lkIjoiMjhiNzRhOTctNDI4Ni00MjU5LWJjNDYtYzg4NTdmNTlmZTczIiwiYXV0aF90aW1lIjoxNjcwMjY2NTY2LCJ0aWQiOiJmMmM0OTQ3Ni1hNzdhLThmZDItZDQxZC0wMjA2ODA3NjNlZDQiLCJkYXRhIjp7ImlkIjoiMTExMTM5NiIsInJvbGVzIjpbIjUiXX0sImN1c3RvbSI6ImN1c3RvbSJ9.BCGm0b1GHTPKuQRi0VrhqxPX6kGOB-rwkkkuYn3gkm", "tokenExpirationInstant": 1670266626871, "user": { "active": true, "connectorId": "e3306678-a53a-4964-9040-1c96f36dda72", "data": { "id": "1111396", "roles": [ "5" ] }, "email": "janesmith11223344@gmail.com", "fullName": "null null", "id": "e4ae71ed-c137-4be1-86d1-244160667c0e", "imageUrl": "https://assets-local.urbansitter.net/assets/img/us-default-avatar-320.png", "insertInstant": 1669939131457, "lastLoginInstant": 1670266566856, "lastUpdateInstant": 1670266566856, "memberships": [], "passwordChangeRequired": false, "passwordLastUpdateInstant": 1669939131538, "preferredLanguages": [], "registrations": [ { "applicationId": "bc3056ab-edb5-42a2-af45-b4f816689997", "data": {}, "id": "c1ed7f48-f29c-483b-a3a4-381c834327a4", "insertInstant": 1669939131544, "lastLoginInstant": 1670266566856, "lastUpdateInstant": 1670266566860, "preferredLanguages": [], "roles": [], "tokens": {}, "username": "jane-smith", "usernameStatus": "ACTIVE", "verified": true } ], "tenantId": "f2c49476-a77a-8fd2-d41d-020680763ed4", "twoFactor": { "methods": [], "recoveryCodes": [] }, "uniqueUsername": "jane-smith", "username": "jane-smith", "usernameStatus": "ACTIVE", "verified": true } }

Thanks for all the help.

Very helpful and informative. Thank for sharing this post.

@paul-fink marking this thread as being addressed out of this forum band.

-Josh

@david-moreno

Is this still an open issue for you? If so, including the debug information (and turning on debug for the SAML IdP can be helpful) as you complete the SAML handshake.

Josh

@leandro-menagonzalez Sorry - I was traveling for a bit and then under the weather.

Were you able to resolve this?

If not, my understanding is that this would be a mapping problem. Essentially, Google would have to be instructed to send over a profile pic url, and FusionAuth would consume that in the AuthN response. Further, a reconcile lambda can be used to grab this URL attribute and store on the user, etc. Let me know if I am misunderstanding the issue.

Josh

@dan said in I really want a client library for <language X>:

All of our client libraries are open source (Apache2 license). At present we use this open source project to build them.

If you are interested in support for a language (let's say Lisp, because it's so cool 🙂 ), then take the following steps:

Search our github issues to make sure there isn't already a request (see C++ and Elixir). If there is an issue present, vote for it. If not, add one.

If you want to take a crack at building the Lisp library, please file an issue as above and indicate your desire to help. How it works:

We start with a JSON DSL to define each API ( https://github.com/FusionAuth/fusionauth-client-builder/tree/master/src/main/api ). We then build the code using a template, for example, here is the ruby template : https://github.com/FusionAuth/fusionauth-client-builder/blob/master/src/main/client/ruby.client.ftl This ruby template then produces the ruby client: https://github.com/FusionAuth/fusionauth-ruby-client / https://github.com/FusionAuth/fusionauth-ruby-client/blob/master/lib/fusionauth/fusionauth_client.rb So for Lisp, find the language most like it and then copy the client template (here's Ruby's), copy it to lisp.client.ftl and start hacking on it. This lets us keep the Lisp client library current for each of the API calls and we can build a new client each time we release. I use these libraries all the time, thanks. But I'm still not up to the task. I'm still getting in the way of this crazy college thing. It's good that there is an essay service they help me quickly, but not for free, although they have 24/7 support.

I use these libraries all the time, thank you

If you want to use FusionAuth to secure access to an application (running in Docker or elsewhere) that doesn't have any security, you can use a proxy to do so.

The proxy sits in front of the application and all traffic should go through it. When it sees an unauthenticated user, it forwards that user to FusionAuth, where the user logs in and generates a token. Then the user is forwarded back to the proxy. The token is parsed by the proxy and if the token is valid the user gets access.

This can be done in concert with any proxy that supports JWTs and OIDC.

I've heard of this being done with HAProxy and Kong. Here's an HAProxy tutorial. Here's a Kong tutorial. Here are instructions on how to do this with ngrok cloud edge, which may be useful for the overall flow even if you don't use that software: https://fusionauth.io/docs/v1/tech/developer-guide/api-gateways/ngrok-cloud-edge

Hope that helps.

Hmmm. I'm not quite sure what is going on. Have you been able to debug this?

@atakan , you wrote the linked forum post, did you run into this?

FusionAuth doesn't use a local mail queue at all. It connects to whatever mail server you have set up at the tenant level.

Here are some troubleshooting tips to try: https://fusionauth.io/docs/v1/tech/admin-guide/troubleshooting#troubleshooting-email

@quent We have a list of typical cookies set by the hosted login pages here: https://fusionauth.io/docs/v1/tech/reference/cookies

@craiglistt What particular issues are you having?

@anand-murugan-0 I run FusionAuth in ECS/Fargate. I don't know about the clustering side, but to make standing up a FusionAuth instance automated I needed to do 2 things:

enable Silent Mode https://fusionauth.io/docs/v1/tech/guides/silent-mode which skips the first boot / migration page. This required passing in database credentials as env vars, so that Fusionauth doesn't need to ask you for them.

Use a kickstart.json to configure an API key https://fusionauth.io/docs/v1/tech/installation-guide/kickstart#using-environment-variables

Adding a kickstart.json file to a docker image in ECS is a bit non-trivial (either with EFS or S3). So I made my own Dockerfile:

FROM fusionauth/fusionauth-app:1.38.1 ARG FUSIONAUTH_APP_KICKSTART_VALUE ENV FUSIONAUTH_APP_KICKSTART_FILE=/tmp/kickstart.json RUN echo ${FUSIONAUTH_APP_KICKSTART_VALUE} > ${FUSIONAUTH_APP_KICKSTART_FILE}

When running docker build, if you pass in an argument like

docker build \ --build-arg FUSIONAUTH_APP_KICKSTART_VALUE="{\"apiKeys\": [{\"key\": \"42\" } ] }" \ .

will build and write out a /tmp/kickstart.json file and tell Fusionauth to look at that path when it starts up. NOTE: any random value would work, I picked 42 for simplicity, don't use this in Production.

With those 2 things, ECS will start a Fusionauth instance that doesn't prompt for initial installation (assuming you pass in db credentials as environment variable) and will

Hi Guys,
Your reply helped me as well. Thank you. I'm still struggling with the issue of rewriting /admin when using subpath.
When I click login icon I'm redirected with 302 to $host/admin not $host/fa/admin
This happened after I updated my FA.

location /fa/ { proxy_http_version 1.1; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Accept-Encoding ""; sub_filter 'action="/' 'action="/fa/'; sub_filter 'href="/' 'href="/fa/'; sub_filter 'href="/admin/' 'href="/fa/admin/'; sub_filter 'src="/images' 'src="/fa/images'; sub_filter 'src="/js' 'src="/fa/js'; sub_filter_once off; proxy_pass http://localhost:9011/; } location ~^/(?<fusionPath>(oauth2|admin|ajax|login|password|js/identityProvider))/ { proxy_pass http://127.0.0.1:9011/$fusionPath/; # https://fusionauth.io/docs/v1/tech/admin-guide/proxy-setup#how-to-use-a-proxy proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Accept-Encoding ""; sub_filter 'action="/' 'action="/fa/'; sub_filter 'href="/' 'href="/fa/'; sub_filter 'src="/images' 'src="/fa/images'; sub_filter 'src="/admin' 'src="/fa/admin'; sub_filter 'src="/js' 'src="/fa/js'; sub_filter_once off; }

the built-in domain blocking is documented here: https://fusionauth.io/docs/v1/tech/advanced-threat-detection/#registration-domain-blocking

However:

It only blocks specific domains so you can't block 'all domains except ' It requires an enterprise license

As an alternative, consider a registration transactional webhook which could examine the domain provided by a user and fail if it didn't match a list of your domains: https://fusionauth.io/docs/v1/tech/events-webhooks/events/user-registration-create

Proxy servers can store cached copies of sites. You will get the data from the proxy when you access a particular location.

@sander

Thanks for the update. We're bummed that we can't include the mysql connector as part of the docker image.

If FusionAuth is stuck in maintenance mode, this thread might prove useful: https://fusionauth.io/community/forum/topic/135/can-t-get-by-maintenance-mode

Can you give me any more details about the issue?

Hi @cgonzalez

Can you confirm how quickly you are completing the exchange for a token using the code?

"auth_code_not_found"

The code may not be available if:

It has expired or It as already been used to obtain a token.

Thanks,
Josh

@pclark

Just checking in, albeit a bit later than anticipated. Was this resolved for you on the latest version of FusionAuth

-Josh

@leandro-menagonzalez

This can be solved by using client-side validation in your theme for the corresponding forgot password page. On the authorize page you would pull in JS to check the users email in any manner you see fit.

https://fusionauth.io/docs/v1/tech/apis/themes
https://fusionauth.io/docs/v1/tech/themes/

Josh