FusionAuth
    • J

      Bypass two factor authentication without twoFactorTrustId

      • • jogiprasadpakki
      2
      0
      Votes
      2
      Posts
      616
      Views

      danD

      Hiya,

      It seems you are asking how to allow a user to use MFA at all times, except when they are changing their password. That would seem to me to be exactly the right time to require MFA, but maybe I'm missing something.

      The 242 return code is documented here.

      If you are determined to avoid TOTP when someone is changing their password, you could write your own password change page and turn off MFA for the user when you notice they are changing their password. Then, once they've succeeded, you could turn it on again.

      Hope that helps.

    • danD

      The default templates are being marked as spam?

      spam verification email • • dan
      2
      0
      Votes
      2
      Posts
      1.4k
      Views

      danD

      It looks like the issue was our mail server. We are using Mailgun SMTP service for our mail sending and this offers a tracking feature.

      This tracking feature adds an invisible image to the HTML code in order to get requests for stats. If I deactivate this feature, the HTML_IMAGE_ONLY_12 error is gone and the mails are no longer marked as SPAM. We don't have any issues with our other applications because sent emails are bigger in text content.

    • S

      After Chrome 80+ Cookie Set SameSite=None requires 'Secure' in Android WebView doesn't seem to complete Authorize

      • • sswami
      13
      0
      Votes
      13
      Posts
      5.3k
      Views

      danD

      I'm so glad you solved it!

      @sswami said in After Chrome 80+ Cookie Set SameSite=None requires 'Secure' in Android WebView doesn't seem to complete Authorize:

      I don't know, if what I am doing is best practice or was there something else I should have done, at least this is working for me as now.

      In the blog post I mention, the app uses the react-native-app-auth library, that may be worth investigating as it provides the hooks into the native browser.

      This may be worth investigating so you don't have to support your own solution, though of course I'm glad you have it working.

      There is another issue, calling /api/logout?global=true&refreshToken={refresh_token} only signs out of the app, but doesn't sign out from the FusionAuth completely, making it redirect back to the App instead of the Login Screen?

      You should remove your access tokens in your client when the logout button is pressed. The FusionAuth logout API only removes cookies. This post may be helpful: https://fusionauth.io/community/forum/topic/270/logout-questions

    • danD

      Question about hosting upgrades

      hosted version • • dan
      2
      0
      Votes
      2
      Posts
      706
      Views

      danD

      To answer your question, we are currently building a system that will allow you to upgrade your FusionAuth Cloud deployment anytime. This should be available soon and if you set up a FusionAuth Cloud account before then, we will upgrade it to this new system once it is ready.

      In the meantime, if you ever need an upgrade on your deployment, all you need to do is open a support ticket and we’ll schedule that upgrade with you.

      We aren’t planning on releasing a major version of FusionAuth for a while (this would be version 2.0). We do release a number of minor versions with new features and bug/security fixes each year though.

    • danD

      I want to delete all the users created before a certain time

      bulk delete user-api • • dan
      2
      1
      Votes
      2
      Posts
      3.4k
      Views

      danD

      First, make sure you are using the elasticsearch search engine. You can't run this kind of query on the database search engine.

      Then, you want to use a range query: https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-range-query.html

      You want to build your query string. This is a query string that gives you all the users between the two insertInstants on the user object (inclusive):

      { "range": { "insertInstant": { "gte": 1592231314000, "lte": 1592231315735 } } }

      Omit the gte key if you only want users before a certain time.

      Next is to turn it into an API call against the user search API, which means escaping the query's json and turning it into a JSON object suitable for FusionAuth to parse:

      curl -XPOST -H 'Content-type: application/json' -H "Authorization: $API_KEY" 'https://HOSTNAME/api/user/search?' -d ' { "search" : { "query" : "{\"range\" : { \"insertInstant\" : { \"gte\" : 1592231314000, \"lte\" : 1592231315735}} }"}}'

      Finally, after testing to make sure you're getting the users back you want, you can run the bulk delete API, as documented here: https://fusionauth.io/docs/v1/tech/apis/users#bulk-delete-users

      Tested with Elasticsearch 7.

    • danD

      How many applications and tenants can I have in FusionAuth?

      limits performance tenant application • • dan
      6
      0
      Votes
      6
      Posts
      4.0k
      Views

      danD

      Ah, yes, thanks for explaining.

      Yes

      You have two options

      1. use the API to integrate with the current login/reg flow with FusionAuth. This lets you keep your existing html pretty much untouched, you're just calling out to FusionAuth instead of the database.
      2. remove them and use the FusionAuth provided pages with OIDC. This lets you use the theming and localization capabilities of FusionAuth, including super simple social signon.

      It's your choice based on what your needs are, either way will work.

      I'd only recommend using SAML if you have an application which only supports SAML, not OIDC.

      You'll also want to make sure that when someone registers with one of your applications in FusionAuth, they register with all three. I'd probably use a webhook to ensure that.

    • B

      Upgrading Database fails

      • • bchampion
      4
      0
      Votes
      4
      Posts
      563
      Views

      danD

      Hmmmm.

      ... Detail: view verus_users depends on table old_identities ...

      I'm not familiar with the verus_users view and am not sure why that would be in the FusionAuth database. As far as I can tell, that isn't a standard part of the FusionAuth data model.

      Did someone at your organization perhaps create a view to get access to the FusionAuth data? If so, you'd need to remove that view manually to perform the upgrade, then recreate it later.

      Hope that helps.

    • danD

      Assigning an API key to a tenant after it has been created?

      api keys tenant • • dan
      2
      0
      Votes
      2
      Posts
      1.1k
      Views

      danD

      You can’t. You have to create another API key.

      If you want to keep the same value, you could copy the value, delete it, and then recreate with the same value and set the tenant you want.

    • danD

      Where is the configuration stored in the database?

      database configuration • • dan
      2
      0
      Votes
      2
      Posts
      2.3k
      Views

      danD

      There isn’t a single table in the db really. Configuration exists there, and in tenants, applications, etc.

    • danD

      Locked out due to template changes

      theme troubleshooting • • dan
      2
      0
      Votes
      2
      Posts
      1.4k
      Views

      danD

      This link is probably what you are looking for:

      https://fusionauth.io/docs/v1/tech/themes/#handling-failures

    • danD

      Logging in with a google account with the same email as a previously registered user?

      identity google • • dan
      4
      0
      Votes
      4
      Posts
      2.6k
      Views

      danD

      Hi @david-0 ,

      I understand your frustration. We're thinking about ways to ameliorate this issue.

      And you aren't alone. Here are a couple of open github issues:

      https://github.com/FusionAuth/fusionauth-issues/issues/751 (kind of the reverse of what you're talking about, but related)
      https://github.com/FusionAuth/fusionauth-issues/issues/1 (the very first issue filed!)

      Please feel free to upvote them, as that helps direct our development efforts. If these issues don't cover what you're looking to do, please do file a feature request with use case specifics.

      Thanks,
      Dan

    • H

      Importing user through generic connector

      • • harish_reddy
      7
      0
      Votes
      7
      Posts
      1.2k
      Views

      danD

      Looks like this might be an issue you'd want to upvote: https://github.com/FusionAuth/fusionauth-issues/issues/439

    • danD

      Password plugin and FusionAuth cloud

      migration migrate users plugin hosted • • dan
      2
      1
      Votes
      2
      Posts
      1.3k
      Views

      danD

      You can send us your jar file and we'll assist you. Just open a support ticket from your account page.

    • N

      Solved Error setting up FusionAuth free version

      • • nishant
      9
      0
      Votes
      9
      Posts
      1.6k
      Views

      danD

      Great. Marking this solved. Let me know if that's not ok 🙂 .

    • T

      Bulk deletion by tenantId throws error

      • • twosevenxyz
      8
      0
      Votes
      8
      Posts
      1.2k
      Views

      danD

      Ah, makes sense.

      You should be able to export the email templates via the retrieve email template API and then re-import them using the same API. It may take a bit of fiddling, but it should be possible. In fact, you may want to capture the email templates as a kickstart file for future deployment/dev envt setup ease: https://fusionauth.io/docs/v1/tech/installation-guide/kickstart

      I think we already have some issues about configuration migration, so you may want to check them out and vote for them if they convey what you'd like (please upvote them if so):

      https://github.com/FusionAuth/fusionauth-issues/issues/576
      https://github.com/FusionAuth/fusionauth-issues/issues/560

    • danD

      Help setting up FusionAuth

      setup • • dan
      1
      0
      Votes
      1
      Posts
      3.8k
      Views

      No one has replied

    • F

      refresh token always valid

      • • fusionauth_user
      2
      0
      Votes
      2
      Posts
      648
      Views

      danD

      Hmmm. What version of FusionAuth are you running?

      If you have set the refresh token usage policy to be OneTime in the tenant settings, then the old refresh token shouldn't give you access tokens after the first call.

    • T

      Register user under all applications of a tenant

      • • twosevenxyz
      2
      0
      Votes
      2
      Posts
      804
      Views

      danD

      Nope.

      However, you can write some code to do this. You could write two scripts:

      1. one to add a user, which should register them to all applications
      2. one to add an application, which should register all users

      Further reading:

      This post is probably worth a read, to clarify how FusionAuth handles users without an application registration: https://fusionauth.io/community/forum/topic/5/can-you-limit-a-user-s-login-authentication-access-to-applications-within-a-single-tenant/2?_=1597070984952

      You also might be interested in voting up this issue: https://github.com/FusionAuth/fusionauth-issues/issues/772

      You could also file a github issue explaining what you are trying to accomplish, perhaps there's a feature to be written to allow this.