This is a job for javascript and customizing the theme.

For the registration page, modify the oauth register template. Edit that theme, then find where we create the form, marked by this comment in the default theme.

[#-- Begin Self Service Custom Registration Form Steps --]

From there, find the 'register' button.

[@helpers.button icon="key" text=theme.message('register')/]

Change it to disabled by default:

[@helpers.button icon="key" text=theme.message('register') disabled=true/]

Then you need to build the JS which adds/removes the disabled attribute and the disabled CSS class based on the fields that are required. Luckily, we have those fields as a template variable, fields and can iterate that in freemarker.

Here is some javascript. It needs to be below the register button as it references elements in the form above. It builds a list of required fields and then adds a listener to each required field checking to see if any of the fields are empty. I'm no JS expert, so feel free to modify as needed.

<script type="text/javascript"> let reqFields = []; // build a list of required fields in JS from the freemarker template variable. [#list fields as field] [#assign fieldId = field.key?replace(".", "_") /] [#if field.required] reqFields.push("${fieldId!''}"); [/#if] [/#list] [#list fields as field] [#assign fieldId = field.key?replace(".", "_") /] [#if field.required] ( () => { // we're doing this in an anonymous function so we don't get variable collisions. we could have 0 to N required fields. let inputElt = document.getElementById('${fieldId!''}'); let btn = document.querySelector("form.full button"); inputElt.addEventListener("input", function() { let disabled = false; const keys = reqFields.keys(); for (let x of keys) { let reqFieldEmpty = document.getElementById(reqFields[x]).value === ''; if (reqFieldEmpty == true) { // console.log("found: "+reqFields[x]+" to be empty"); disabled = true; break; // any one empty field will mean button is disabled. } } // we've determined if the button should be disabled, now apply it btn.disabled = disabled; if (!disabled) { btn.classList.remove("disabled"); } else { btn.classList.add("disabled"); } }); } )(); [/#if] [/#list] </script>

Feel free to modify this logic as needed to fit your theme.

We have application passwords that are intended for this purpose. More here:
https://fusionauth.io/docs/v1/tech/tutorials/application-authentication-tokens

@xan said in Problems logging in user through C# API call:

when I do "http://localhost:5000", currently it just gets a "localhost refused to connect."?

Generally this happens when the service running on your localhost has some problem resolving the request. If you have access to logs, please see logs for more details on the error. Also, make sure the application interface, server, and services are running. There are many situations that might trigger “this site can't be reached” error in browsers. Sometimes the server is still running but the interface application is closed or the database is down. If your application interface and server is up but a dependent service is down then restart your computer/server and restart services. Make sure the app is bound to localhost. It may just be bound to an individual interface. netstat -na will give you the clues you need. Run a port scan on your computer and make sure the port is opened.

The problem may happens for failing on DNS lookup . DNS is that network address that translates the website name to its internet address. Most often it causes for not getting the internet connection or misconfigured internet or network settings. Another reason could be the firewall preventing Google Chrome to load the webpage. However, other reasons, such as insufficient permissions or the Apache web server not running properly might also cause the error.

Hi babar,

As you said your third-party authenticator deliver access tokens, I guess it is an oauth2/openid provider.
You may use it to authenticate to FA: https://fusionauth.io/docs/v1/tech/identity-providers/

Hi @andrey-dzhezhora,

From our conversation outside the forum:

You are attempting to enforce email verification, i.e. gate users for OAuth password workflow. Your users were able to get a JWT despite not verifying their email address You are using your own hosted oauth/authorize page You have a paid version of Fusion Auth with version > 1.27.0 - which is required to use gate user accounts.

Problem:

You attempted to log a user in for OAuth2 using a password grant type and expected the user to be gated.

If you are providing your own login page, you would need to inspect the JWT returned by FusionAuth in-order to determine if a user has been email verified.

Solution:

The easier option would be to use our hosted login pages and the authorization code grant. Once verified, FusionAuth will release an access token after a user successfully logs in. If the user hasn't been email verified, FusionAuth will not return a JWT and will 'gate' the user - which redirects to a page where a user will enter a verification code sent to their registered email address.

Disclaimer:

If you use the password grant, you would be building your own login page. Therefore, you would have to build the functionality in your integration code to check whether a user has been verified.

@ctorres

Ah. There's no way to convert cookies. I mean, I guess you could proxy all FusionAuth access through an NGINX instance or something like that, in which case you'd control the cookies, but there's no setting in FusionAuth to modify the cookies. Feel free to open a feature request referencing this forum post if you feel like it'd be a good feature.

For the present, you might be able to make a GET request against the logout endpoint in the window.close event listener.

A bit of googling turned this up: https://stackoverflow.com/questions/6162188/javascript-browsers-window-close-send-an-ajax-request-or-run-a-script-on-win

Let me know if you experiment and find a way to do this; I'd be interested to learn what works.

@dev-2

Resolved in version 1.36.7 via https://github.com/FusionAuth/fusionauth-issues/issues/1654.

https://fusionauth.io/docs/v1/tech/release-notes#version-1-36-7

@dhait

You should copy the default theme (which is immutable) and then modify the CSS file.

https://fusionauth.io/docs/v1/tech/themes/#templates has some documentation:

Stylesheet (CSS) Optional This CSS stylesheet may be used to style the themed pages. This CSS will be included in the head tag in the Helpers head macro. You may also choose to include other remote stylesheets by using the <style> tag within the head macro.

Created the github issue - https://github.com/FusionAuth/fusionauth-issues/issues/1795

Update: Never mind apparently, cleaning the project seems to have did the trick and I am able to use the client without issues. I will post back if I encounter other issues. Thank you!

@dan Oops! thank you so much Dan, it worked as a charm. I was fooled into leaving this header in because I tried the exact same request setup using one of these free api endpoints instead of fusionauth api and it worked with the content-type included. Thanks again

@vince Hmmm. That sounds like a network connectivity issue. Googling for Client network socket disconnected before secure TLS connection was established shows that a lot of folks have proxy issues.

Can you run curl on the same host and see if you can get to FusionAuth successfully?

@jbtruffault Glad you figured it out, and thanks for sharing that link!

@fusionauth007 yo! I filed a Github report on this, check out Trim whitespace from user input on backend (username/emails) #1779

I’ve detailed a workaround we’ve got running in prod 👍

@alton

Does FusionAuth have an equivalent to Auth0 Organizations (B2B scenario) where users can log into the same organizations as their team members (colleagues).

The best way to model that is using entity management: https://fusionauth.io/docs/v1/tech/core-concepts/entity-management

We unfortunately don't have a sample application showing this behavior, but know that folks have implemented that type of behavior using this feature.

Also invites can be sent to email addresses for pre-registered users (with configured roles) under the same organization/company.

Some FusionAuth community members use the Setup Password template (which is sent whenever a user is created via the API without a password) to offer invite-link functionality.

@arjunyel

Connectors are documented here: https://fusionauth.io/docs/v1/tech/connectors/

Machine to machine auth is the client credentials grant: https://fusionauth.io/docs/v1/tech/oauth/#example-client-credentials-grant

Does 100 Machine To Machine Auth mean you can have 100 API entities?

Yes, that is correct.

@dan unfortunately not yet in production due to issues not depending to me... but the cluster seems working... I also succeed to perform a software upgrade to the latest fusionauth version.

@jared GitHub issues are the right place for feature requests, thanks!

There's an 'additional context' section for feature requests, and you can feel free to link back to these forum posts. That can help enrich the discussion when the eng team reviews requests to prioritize them.

Cheers!

@crystar Another choice would be to utilize custom integration code in order to set a cap on the number of sessions (refresh tokens) that a single user is permitted to have scoped to them.