FusionAuth

      Unsolved How to show "Login with SAML" button on our own site for fusionauth application that has sso?

      ken · 0 Votes · 2 Posts · 469 Views

      dan

      @ken

      Hiya,

      The information about whether an application has an IdP configured for it is stored on the identity provider object, not on the application.

      So the easiest way to answer your question is to retrieve all the identity providers (or one, if you have a target), then filter through the JSON looking for your application id.

      https://fusionauth.io/docs/v1/tech/apis/identity-providers/#retrieve-all-identity-providers shows how to list all Identity Providers.

      If you look at the results, you'll see a field similar to:

      "applicationConfiguration": {
        "1c212e59-0d0e-6b1a-ad48-f4f92793be32": {
          "createRegistration": true,
          "enabled": true
        }
      },

      for each of the identity providers.

      The applicationConfiguration has keys, each of which is an application Id.

      Does that help?

      Unsolved Maintenance Mode DB creation fails without message with PostgreSQL 15 on Windows

      pclark · 0 Votes · 2 Posts · 2.5k Views

      dan

      @pclark

      Thanks for sharing this. I filed an issue based on your helpful post.

      Unsolved Linking strategy not available anymore?

      ken · 0 Votes · 2 Posts · 659 Views

      dan

      @ken

      Hiya,

      Sorry, I'm a bit confused.

      What version of FusionAuth are you running? Which type of identity provider are you setting up?

      I just logged into our sandbox instance: sandbox.fusionauth.io and was able to add an identity provider and edit it and saw the "Linking Strategy" both times.

      Thanks,
      Dan

      Unsolved How is the fusionauth.sso cookie encoded in version 1.36?

      yb98 · 0 Votes · 2 Posts · 2.0k Views

      dan

      @yb98

      Heya, this isn't something we document, so it is considered an implementation detail that could change at any time.

      You could file an issue asking this to be codified and documented, but I'm not sure we'd do that. It's more likely we'd do something like this: https://github.com/FusionAuth/fusionauth-issues/issues/1515

      Thanks for using FusionAuth!

      Why can't I disable X-Frame-Options or use CSP instead?

      duane · 0 Votes · 5 Posts · 2.6k Views

      K

      You cannot display a lot of websites inside an iFrame. The reason is that they send an "X-Frame-Options: SAMEORIGIN" response header. This option prevents the browser from displaying iFrames that are not hosted on the same domain as the parent page.

      I faced the same error when displaying YouTube links. For example: https://www.youtube.com/watch?v=8WkuChVeL0s

      I replaced watch?v= with embed/ so the valid link will be: https://www.youtube.com/embed/8WkuChVeL0s

      It works well.

      Try to apply the same rule to your case.

      SAMEORIGIN

      The page can only be displayed in a frame on the same origin as the page itself. The spec leaves it up to browser vendors to decide whether this option applies to the top level, the parent, or the whole chain, although it is argued that the option is not very useful unless all ancestors are also in the same origin.

      Solved Set up SSL for Netty

      pclark · 0 Votes · 4 Posts · 2.0k Views

      P

      @voidmain Thank you!

      Unsolved Authorization Code Flow: from Auth0 to FusionAuth

      etienne.caldo · 0 Votes · 2 Posts · 430 Views

      J

      @etienne-caldo Hey Etienne, this is a good question. There is some context that goes behind it, and usually we would want to have a discovery coffee session to elaborate on the matter. Let me know if this is of interest to you.

      Unsolved Can I revoke an access token in FusionAuth?

      dan · 0 Votes · 2 Posts · 974 Views

      dan

      No.

      You can't explicitly revoke an access token in FusionAuth. We don't support RFC 7009: https://www.rfc-editor.org/rfc/rfc7009.html and based on the number of upvotes for this, I don't know if the community wants us to: https://github.com/FusionAuth/fusionauth-issues/issues/201 But if you do, feel free to upvote that issue.

      If you want to have an access token become invalid, you have to manage it yourself. That is what is outlined in this article.

      The process is basically:

        • set up webhooks to fire to all the resource servers when a refresh token is invalidated (when the user logs out)
        • listen for that event, and when it occurs, record the user with the invalid token in the resource server (in redis, db, etc)
        • next time an access token is presented, verify that it is not for a user who has logged out

      If you want to handle the case where a user logs out, then logs back in quickly, then the time based logic in the Webhooks section here: https://fusionauth.io/learn/expert-advice/tokens/revoking-jwts needs to be implemented.
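
Added example, not part of the original post and not FusionAuth's code: a resource-server sketch of the three steps above plus the time-based check for a user who logs out and quickly logs back in. The event type string, the webhook field names, `DEFAULT_TTL`, the ids and the `RevocationStore` class are assumptions made for illustration; check the payload against the FusionAuth webhook documentation.

```python
import time

REVOKE_EVENT = "jwt.refresh-token.revoke"  # assumed event type; confirm in the webhook docs
DEFAULT_TTL = 3600  # assumed upper bound on access-token lifetime, in seconds

# Constructed sample webhook event; field names are assumptions, ids are placeholders.
SAMPLE_EVENT = {
    "type": REVOKE_EVENT,
    "userId": "00000000-0000-0000-0000-000000000001",
    "applicationTimeToLiveInSeconds": {"00000000-0000-0000-0000-0000000000aa": 600},
}


class RevocationStore:
    """In-memory stand-in for the Redis/DB record a resource server keeps."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._revoked = {}  # user id -> (revoked_at, forget_after)

    def handle_webhook(self, event):
        """Record the user from a revocation event; return True if recorded."""
        user_id = event.get("userId")
        if event.get("type") != REVOKE_EVENT or not user_id:
            return False
        now = self._clock()
        ttls = event.get("applicationTimeToLiveInSeconds") or {}
        ttl = max(ttls.values(), default=DEFAULT_TTL)
        # Any token minted before `now` has expired by now + ttl, so the
        # entry can be forgotten then.
        self._revoked[user_id] = (now, now + ttl)
        return True

    def is_token_acceptable(self, claims):
        """claims: payload of a JWT whose signature was already verified."""
        now = self._clock()
        if claims["exp"] <= now:
            return False
        entry = self._revoked.get(claims["sub"])
        if entry is None:
            return True
        revoked_at, forget_after = entry
        if now >= forget_after:
            del self._revoked[claims["sub"]]
            return True
        # Time-based check: a token issued after the logout (the user logged
        # back in) is fine; one issued at or before it is rejected.
        return claims["iat"] > revoked_at
```

In a real deployment the webhook endpoint also has to authenticate the sender, and the store has to be shared by every instance of the resource server.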

      Unsolved JWT public keys are empty

      stacey · 1 Votes · 3 Posts · 984 Views

      S

      Thanks for the update!

      Unsolved FusionAuth with Fly.io

      Tags: docker, docker-compose, documentation, developers, postgres

      duke · 0 Votes · 2 Posts · 2.3k Views

      dan

      For future readers, @duke wrote up an entire article about this: https://medium.com/@osain/deploying-fusionauth-docker-on-fly-io-8fbeb0469556

      Unsolved Does 'POST /api/two-factor/start' also send out mails/sms

      t.vanherwijnen · 0 Votes · 2 Posts · 450 Views

      joshua

      @t-vanherwijnen

      Thanks for the question! I believe that you might want to reference this bit of doco

      https://fusionauth.io/docs/v1/tech/guides/multi-factor-authentication#optionally-send-the-code

      Thanks,
      Josh

      Solved Password reset always fails with "Your password reset code has expired or is invalid."

      derjan · 0 Votes · 2 Posts · 627 Views

      D

      Got the right answer in the Slack channel – I needed to update the theme templates too 🙂

      Unsolved SMTP Fails, no debug details

      support 0 · 0 Votes · 6 Posts · 2.3k Views

      dan

      @support-0 also, what version of FusionAuth are you running? There were some issues with the SMTP debug log that were resolved in 1.37.0: https://fusionauth.io/docs/v1/tech/release-notes#version-1-37-0

      Unsolved Does FusionAuth track multiple SSO sessions for LDAP users?

      yb98 · 0 Votes · 5 Posts · 2.7k Views

      Y

      @dan

      Thanks!
      I made the new issue https://github.com/FusionAuth/fusionauth-issues/issues/1907

      Solved FusionAuth encountered an unexpected error. Please review the troubleshooting guide found in the documentation for assistance and the available support channels.

      M Sharif · 0 Votes · 4 Posts · 3.5k Views

      joshua

      @prawee

      Glad to hear it. Issues such as this can require a bit more context to debug. Feel free to post log output if the issue persists or log a bug report below (if considered a bug)

      https://github.com/FusionAuth/fusionauth-issues/issues/new/choose

      Thanks,
      Josh

      Unsolved "FusionAuth encountered an unexpected error" during initial post-install setup/maintenance

      steven.bedford · 0 Votes · 2 Posts · 7.7k Views

      joshua

      @steven-bedford

      We may need more information regarding your setup. If you feel like you are having a bug, I would encourage you to log one below:

      https://github.com/FusionAuth/fusionauth-issues/issues/new/choose

      Thanks,
      Josh

      Unsolved OIDC Identity Provider Claims

      nathan · 0 Votes · 3 Posts · 1.4k Views

      dan

      Updated the documentation to reflect where the claims are pulled from more precisely: https://github.com/FusionAuth/fusionauth-site/pull/1636

      Please do let me know about the escaping of the claim when you get a chance, @nathan.

      Unsolved 2FA On Login

      lsmith · 0 Votes · 2 Posts · 432 Views

      dan

      @lsmith said in 2FA On Login:

      Is it possible to have Two Factor Authentication in conjunction with Google and OpenId Identity Providers when using the hosted login pages?

      Nope. This is because when you are using an identity provider, the identity provider is assumed to have done everything needed to authenticate the user. FusionAuth is delegating everything to that.

      You could, if you need to, immediately do a "step up" auth in your application, but FusionAuth won't take care of this for you.

      If you'd like to submit a feature request for this further explaining your use case, feel free to do so (you can reference this forum post): https://github.com/fusionauth/fusionauth-issues/issues

      Unsolved OAuth with login form

      kayweng.foong · 0 Votes · 2 Posts · 461 Views

      dan

      @kayweng-foong

      How can I use OAuth authorize endpoint without fusionauth login UI?

      It depends on which grant you want to use. If you want to use the Authorization Code grant, which is what we typically recommend, then you are going to use the FusionAuth login UI (which can be customized via themes).

      If you want to use the password grant, you can build your own UI. There's more on that grant here: https://fusionauth.io/docs/v1/tech/oauth/

      If you don't care about using OAuth at all, but just want login functionality, you can use the Login API: https://fusionauth.io/docs/v1/tech/apis/login

      If you want SSO between different applications, however, you need to use the Authorization Code grant. You are right, there's other related functionality (cookies, etc) that is required for SSO that is managed by the FusionAuth UI (often called the "hosted login pages").

      There's an open issue: https://github.com/FusionAuth/fusionauth-issues/issues/1515 to allow for more management of the SSO session via API. Please feel free to upvote this issue and/or add your use case to the comments, as that helps us with our roadmap planning.

      Unsolved Azure AD Tenant id payload claim in access token

      charles.harris.de · 0 Votes · 2 Posts · 3.4k Views

      dan

      @charles-harris-de

      Hiya,

      Microsoft documentation is abundant and confusing, but this SO question seems to give you an answer: https://stackoverflow.com/questions/66643625/azure-ad-fetch-tenant-id-using-client-details

      They suggest using the client credentials grant and retrieving a token. You'd have to use Lambda HTTP Connect to make this call from inside one of the FusionAuth lambdas.

      I have not tested this. Please let me know if you found other workarounds or solutions.