FusionAuth
    • B

      Get user email in claims with saml

      General Discussion
      • • • bartetlau
      10
      0
      Votes
      10
      Posts
      9.3k
      Views

      mark.robustelliM

      @laurent-bartet awesome! So it sounds like you had things set up right, you just were not logged out, so when you went back the reconcile event never took place cause you were already logged in. Is that right?

    • A

      Solved How to setup OAuth properly

      Q&A
      • • • altear147
      23
      0
      Votes
      23
      Posts
      10.7k
      Views

      A

      @mark-robustelli

      Hello, sorry for being away from this topic for a week due to my other ad hoc job.

      I've already solved this topic; it's not about a setting on FusionAuth or the Google credential,

      but it's because I used Google's client ID on the FusionAuth callback, and
      after you told me to set applicationId in my FusionAuth admin, I then used the ApplicationId on Google OAuth's callback.

      That's why it kept returning that the client ID is invalid.

      It was right under my nose, but I couldn't see it.

      Thank you for replying to me; that was very helpful. It would have taken more time if you hadn't helped me.

    • J

      Users are unable to log in to FusionAuth

      General Discussion
      • • • john.spellman
      4
      0
      Votes
      4
      Posts
      233
      Views

      mark.robustelliM

      @john-spellman I'm glad you have access to the instance. If you need help in a non public forum and you have a paid plan which includes technical support, please open a ticket via your account portal.

      If you don't have a paid plan and still want the private support, please check out the Essentials Plan. You will get private email support with that.

      Other than that, I would recommend posting the issues here and removing any sensitive info.

      Also, based on your request, be very careful of anyone reaching out to help privately. I like to believe the world is a good place, but there are bad actors out there looking to take advantage of people in your situation.

    • J

      Encountering certificate issue causing customers to be locked out

      General Discussion
      • • • john.spellman
      2
      0
      Votes
      2
      Posts
      64
      Views

      mark.robustelliM

      @john-spellman, can you let us know a bit more about how you created the key? Which option did you choose to import? Which certificate type did you use? You could try different types.

      Anything you can tell us about which Identity Provider you created and what the architecture looks like will help. Is FusionAuth the IdP/SP or both?

      Also, if you can share the settings of your SAML tab for the application (without sharing secrets), that may give us some insight into the issue as well, if you are using FusionAuth as an IdP.

      I don't have a ton of experience with importing certificates, so if anyone out there knows better, please feel free to chime in.

      I have set up a key for a SAML provider before and used an RSA/RS256 type key. I generated that key with FusionAuth, but I don't see any reason you couldn't import the key you need.

      You may want to check out this blog to test a simple SAML configuration if your situation reflects the setup.

    • danD

      Solved Does FusionAuth support mutual TLS?

      Q&A
      • • • dan
      2
      0
      Votes
      2
      Posts
      63
      Views

      danD

      By using a proxy or gateway that supports mutual TLS, you can use it with FusionAuth.

      For example, AWS ALB supports Mutual TLS verify where the ALB does client certificate verification. Nginx has similar functionality.

      If you are running FusionAuth 'bare' and terminating TLS directly at the FusionAuth server, mutual TLS is not supported.

    • danD

      Solved Does FusionAuth support mTLS token binding?

      Q&A
      • token binding mtls 8705 • • dan
      2
      0
      Votes
      2
      Posts
      178
      Views

      danD

      Hiya,

      There are currently no plans to support the full mTLS spec. We are discussing DPoP (tracking issue) internally.

      However, depending on your needs, there may be a workaround.

      Since the client credentials grant depends on Entities, you can leverage this to inject a client certificate hash into an access token obtained through the client credentials grant.

      How this works at a high level:

      1. Client Certificate Registration
         During onboarding, your customer (e.g., a bank) registers their client certificate. A hashed value of that certificate is securely stored in FusionAuth (entity.data). The hashing process is outlined in the RFC.
      2. Client Credentials Request
         When the bank requests an access token using the Client Credentials grant, a FusionAuth Lambda is invoked before the JWT is signed.
      3. Augment Custom Claims
         The Lambda code looks up the stored certificate hash and injects it as a claim in the JWT. For maximum compatibility with RFC 8705, it is recommended to add this hash to the cnf object in the JWT, like so:
         "cnf": { "x5t#S256": "bwcK0esc3ACC3DB2Y5_lESsXE8o9ltc05O89jdN-dg2" }
      4. Accessing the Resource Server or API
         The customer presents both the access token and presents their client certificate when calling your API.
      5. Validation Flow
         Your API:
         • verifies the JWT signature
         • computes a hash of the presented client certificate
         • compares it to the x5t#S256 claim in the token
      6. Decision Logic
         If the hashes match, the request is bound to the correct client and access is granted to the protected resource.
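
The validation flow described in the post above, as an added example that is not part of the original post or FusionAuth's own code: it computes the RFC 8705 `x5t#S256` thumbprint (base64url of the SHA-256 of the DER-encoded certificate, without padding) and compares it to the token's `cnf` claim, failing closed when the claim is absent. It assumes the JWT signature has already been verified and the claims are passed in as a dict; the function names and the sample certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import ssl


def x5t_s256(cert_der: bytes) -> str:
    """base64url(SHA-256(DER certificate)) without '=' padding (RFC 8705)."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def der_from_pem(cert_pem: str) -> bytes:
    """Hash the DER bytes, never the PEM text: PEM line wrapping varies."""
    return ssl.PEM_cert_to_DER_cert(cert_pem.strip())


def token_bound_to_cert(verified_claims: dict, presented_cert_der: bytes) -> bool:
    """Return True only if the token's cnf thumbprint matches the presented cert.

    Assumes verified_claims came from a JWT whose signature was already checked.
    Fails closed when the claim is missing or malformed.
    """
    cnf = verified_claims.get("cnf")
    if not isinstance(cnf, dict):
        return False
    expected = cnf.get("x5t#S256")
    if not isinstance(expected, str) or not expected:
        return False
    actual = x5t_s256(presented_cert_der)
    # Constant-time comparison of the two thumbprints.
    return hmac.compare_digest(expected.encode("utf-8"), actual.encode("utf-8"))


# Constructed stand-in bytes, not real certificates; the hash is over raw bytes.
REGISTERED_CERT_DER = b"constructed-der-bytes-for-registered-client"
OTHER_CERT_DER = b"constructed-der-bytes-for-another-client"

# The value onboarding would store in entity.data and the Lambda would copy
# into the token (claims dict constructed for this example).
SAMPLE_CLAIMS = {"sub": "constructed-entity-id",
                 "cnf": {"x5t#S256": x5t_s256(REGISTERED_CERT_DER)}}

if __name__ == "__main__":
    print(token_bound_to_cert(SAMPLE_CLAIMS, REGISTERED_CERT_DER))
    print(token_bound_to_cert(SAMPLE_CLAIMS, OTHER_CERT_DER))
    print(token_bound_to_cert({"sub": "constructed-entity-id"}, REGISTERED_CERT_DER))
```

The same `x5t_s256` function serves the registration step, so the stored hash and the hash computed at the API are produced identically.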
    • K

      NetworkError when attempting to fetch resource

      General Discussion
      • • • kiouplidis
      2
      0
      Votes
      2
      Posts
      124
      Views

      mark.robustelliM

      @kiouplidis, can you please give us a little more detail on how you are set up and exactly what you are trying to do. I see you are getting a NetworkError when trying to reach (auth.*.com). Is that an instance of FusionAuth hosted by FusionAuth or is that an instance of FusionAuth that you have deployed? How are you trying to access the resource? Through a web browser or are you trying to execute an API call? The more information you can provide, the easier it will be to help.

      If you have a paid plan which includes technical support, please open a ticket via your account portal.

    • A

      Localhost:9011 cant reach this page

      General Discussion
      • • • arnel.terblanche
      2
      0
      Votes
      2
      Posts
      216
      Views

      mark.robustelliM

      @arnel-terblanche Can you tell us a little more about your setup? Is this a first time install? Was it working before? Is this a docker image you are trying to run? Please provide more details.