RE: MFA OIDC Page refresh

We also noticed that even with silent renewal, MFA code is getting triggered. This is very annoying for our users who stay on the page for long time.

Is there a way prevent MFA for SPA on every token refresh?

@dan We have the exact problem.

MFA prompt is ruining the SSO experience.

Can you please share which cookie is supposed to handle the MFA trust.

Hi

We have a react application using OIDC for authentication. We enabled MFA for the application.

Whenever user refreshes page, user is forced to enter MFA one more time.

Is it expected behavior?

On searching, I found on github https://github.com/FusionAuth/fusionauth-issues/issues/1704

Can you please let us know if there is any workaround to avoid getting MFA page within same session.

@dan

These webhooks are often ingested into a SIEM

This is one use case. Agreed.

There might be some applications where UI has to update based on user actions related to MFA on fusionauth pages.

We are using some work arounds for now. But, I think without these webhooks, MFA is incomplete feature.

Should not the web hooks for MFA be part of MFA feature?

@dan Do you have any plans to give preference in community support for starter plan users?

Some kind of badge to prioritise responding to starter plan users?

@alickabrook1
I was not setting origin URL in mobile app.

I was setting it in fusionauth config.

Shared screenshot in https://github.com/FusionAuth/fusionauth-issues/issues/1443

Hi

We have a feedback from security expert.

When we signup with an email on registration page, page behaves differently when the email already exists. This gives information to attacker to filter out which emails exist.

Is it possible to configure the UI to behave similarly irrespective of whether email already exists or not. But, no verification email goes out if the email already exists.

Hello,

It's been a while.

Is it something that can be planned in future?

Hi @joshua

I can confirm fusionauth is using deprecated javascript library.

I wrote my analysis here https://github.com/FusionAuth/fusionauth-issues/issues/1939

Can you please release a patch for updating the code.

Thank you.

Yes, that's correct.

In android app, we are using oidc react-native library.
The screen gets stuck after clicking login button.
Expected : Open fusionauth login page in in-app browser
Actual:
There is an error message
[Error: Invalid origin uri android-app://com.example/]

I provided steps to reproduce in the github issue : https://github.com/FusionAuth/fusionauth-issues/issues/1443

Authorised redirect URL config has no issues.

I added "https://example.com" as authorise origin url for security. Then I noticed traffic from android app is getting blocked with

"android-app://com.example" is not authorised origin

@joshua

Done

https://github.com/FusionAuth/fusionauth-issues/issues/1443

Use case:

1. A working react application using OIDC Auth flow

2. JWT contains some custom claims created using JWT populate lambda

3. Server updates some user attributes in fusionauth using API

React application has to wait the token expiry period to have these new user attributes in JWT

Is there a mechanism in fusionauth to force update the JWT from client to re-run populate lambda function and issue a new token.

Hi

I am trying to add android-app://com.example
as
Authorized request origin URL
in application's OAuth settings

It is rejecting the value with error URL must start with http

Is this a bug?

In
https://fusionauth.io/docs/v1/tech/apis/reports/ documents

The endpoints are with plural.
/api/report/daily-active-users should be /api/report/daily-active-user

I am talking about this page. This page is dead end.