@alan-wood Hmmm.

First, thanks for filing the issue. I appreciate it.

but there is no call when the one-time JWT refresh token is "re-used".

Second, I'm pretty sure the webhook idea will work. Here's my thoughts:

User 123 logs in, gets refresh token A Use refresh token to get a new (access token, refresh token) pair System catches jwt refresh event and records token A for this user (so the userId 123, token A pair). It generates token B. Use refresh token A again to attempt to get a new pair, this fails [so far so good] The webhook should fire again and records that token A was used again (by looking up the refresh token value in the pair). Uh-oh! Fire off an event to revoke all refresh tokens for the user 123: https://fusionauth.io/docs/v1/tech/apis/jwt#revoke-refresh-tokens Using refresh token B will fail, because all refresh tokens are revoked.

Have you tried this approach? What am I missing?

@sujata-kattimani No limits.

Here's a list of FusionAuth limits: https://fusionauth.io/docs/v1/tech/reference/limitations

From the "What's not limited" section:

All other objects and configuration, including but not limited to the following, are limited only by the resources of your system: Users Applications Tenants Roles Groups Identity Providers such as SAML or OIDC connections API keys to allow for programmatic configuration of and interaction with FusionAuth Supported languages/locales Signing and verifying keys MFA methods per user

You are, of course, limited by your resources. If you try to load 100M users into a FusionAuth instance running in 256M of RAM, there's no guarantees the server won't fall over.

Also, if you are using the Starter license, you have a limit on MAUs. But for all other editions, no limits on users.

@dan I have filed an issue here: https://github.com/FusionAuth/fusionauth-issues/issues/1627

BTW I have successfully implemented Facebook social login using Complete Facebook Login api which is actually the same endpoint/api as of Complete google login but with a different identity provider value. It's quite a weird behavior that that api is working with facebook but not with google. 😞

Could you guys please take a look over it? Or I am missing something in case of google login if it needs some configuration.

The doc should be updated now, @sh

Sorry about that!

Fixed the problem on my own, for everyone running into this problem too. Check your redirect uri in config.js and your fusionauth dashboard.

In my case I got redirected to:

http://login.ruffyg.de/oauth-callback?...........

but of course it has to redirect to my express server which is on port 9000 so:

http://login.ruffyg.de:9000/oauth-callback?...........

@dan Sorry I didn't get a notification that you'd replied, so my apologies that I didn't see that sooner. I'll try moving to the latest version to see if that helps before reporting back.

When I changed the user's password manually in FA (change on next login was still enabled), it then allowed the password to be changed properly via the API without any Trust Token.

@agbichpuriya

The private RSA key should not be present in your JWT. The public key should not be present either, but a kid should be present in the header identifying the public/private keypair that was used to sign the JWT.

Please share a sample JWT with this issue.

@sswami Thanks!

Please file a feature request here: https://github.com/fusionauth/fusionauth-issues/issues outlining your use case. We love community feature requests and weigh community support (in terms of upvotes) when considering future work.

Here's our general roadmap guidance: https://fusionauth.io/docs/v1/tech/core-concepts/roadmap

@owen-melbourne If you are using FusionAuth Cloud and see this, please open a support ticket.

@johnanisere

I'm not quite sure what you are asking for. Are you using FusionAuth hosted login pages? If so, the 'sign in/sign up with google' button should be present for any FusionAuth application you've configured it for.

If you are not, you are responsible for starting off the sign in/sign up process on your own and then calling the 'complete login' API as documented here: https://fusionauth.io/docs/v1/tech/apis/identity-providers/google#complete-the-google-login

Which approach are you taking?

@dan yes seems it is still not working ... Thank you

No. Our cloud is a fully managed system, so you shouldn't care about the underlying technology.

It isn't built with Kubernetes so when we launch a deployment in it, it's constructed using a different approach.

If you want to run FusionAuth with kubernetes, that is supported, but you must self-host. More details here: https://fusionauth.io/docs/v1/tech/installation-guide/kubernetes/

@pyroseza

So it sounds like you're trying to figure out a way to know when FusionAuth has completed startup.

The webhook is one way to do that. As you said, you can set up a kickstart event webhook within a kickstart file.

Another way is to poll for a known value, such as a non-default tenant that you know your setup has added. That may be a simpler solution for you.

Either way, you'll have to write some code to kick off the testing once you receive a signal that FusionAuth is ready.

I personally would have preferred if there was an API endpoint I could query is to whether or not the kickstart has completed successfully, but instead we were given a webhook and I'm not quite sure how I should be using it.

You'll need to write a webhook receiver that will kick off your tests (or whatever the next step of your testing setup is). I'm not quite sure how do that in one github action, but it should be pretty easy to split up a github action into two actions, a setup one (where you set everything up, including FusionAuth) and a test action (which you kick off in response to the FusionAuth webhook firing).

I think you'd want the workflow_call event: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_call