FusionAuth

    johnathon (@johnathon), administrators
    Reputation 3 · Profile views 1 · Posts 10 · Followers 0 · Following 0

    Best posts made by johnathon

    • RE: Upgrade from Version 1.26 to 1.36.4 introduced error with response_type=id_token token

      @fred-fred

      @fred-fred said in Upgrade from Version 1.26 to 1.36.4 introduced error with response_type=id_token token:

      jwt.dealer_number

      Hi Fred,

      Thanks for your detailed question. To confirm, your application is using OpenID Connect for third party logins and a lambda to reconcile the id_token for the user's permissions? Since changing your return type from 'id_token token' to 'id_token' you are no longer getting a 502 from the service provider, but the lambda is no longer reconciling?

      Just want to confirm your application settings for JWT:
      Access Token signing key -> HS256
      Id Token signing key -> OpenID Connect compliant HMAC using SHA-256 (HS256)

      You mentioned the response type was originally set to response_type=id_token token for the oauth2/authorize endpoint. What grant type are you using?

      The id_token has only been accessible since version 1.31.0 for the OpenID Connect Reconcile lambda. Additionally, the id_token is signed by an asymmetric key-pair; it will not be available to the Lambda. Are you able to print the contents of the id_token inside your lambda or any other meaningful errors?

      For more meaningful logs with your AKS, I suggest you look into Log Analytics workspace.
      https://docs.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-workspace-overview

      Please let us know if you are able to get more meaningful logs from the above.

      Are you able to log the properties that are breaking your code such as jwt.dealer_number?

      Looking through the release notes, if you are trying to use Graal JS, be aware that ECMA 6 features can't be used. Nashorn only supports ECMA 5.1.

      Please see the release notes for more details and search GraalJS. Please remove any ES6 features and let us know if you are able to reconcile the lambda.

      Please see the release notes for more details:

      https://fusionauth.io/docs/v1/tech/release-notes

      Finally, I would review the console section for lambdas to make sure you are able to access the debug method - please ensure you have enabled debugging in the admin dashboard under Customizations > Lambdas > Your lambda > Debug enabled.

      https://fusionauth.io/docs/v1/tech/lambdas/#console

      If the above does not resolve your issue, please open a ticket here:

      https://github.com/FusionAuth/fusionauth-issues

      Thank you,

      Johnathon Wood

      FusionAuth

      posted in Q&A
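As an added example (not code from the thread or from FusionAuth), here is the kind of OpenID Connect reconcile lambda the advice above implies: ECMAScript 5.1 only (var and function, no let, const, arrow functions or template literals), so it runs on Nashorn as well as on GraalJS, and it guards the claim it reads instead of assuming it is present. The lambda signature reconcile(user, registration, jwt, id_token) is assumed from the FusionAuth lambda documentation; the claim name dealer_number comes from the thread.

```javascript
// Added example, not FusionAuth code. ES5.1 syntax only: no let/const,
// no arrow functions, no template literals, so Nashorn can parse it.
// Signature assumed from the FusionAuth OpenID Connect reconcile lambda docs.
function reconcile(user, registration, jwt, id_token) {
  // console output is only shown when "Debug enabled" is on for the lambda
  // (Customizations > Lambdas > your lambda), as noted in the post above.
  console.info('access token claims: ' + JSON.stringify(jwt));
  console.info('id_token claims: ' + JSON.stringify(id_token));

  // Read the claim defensively: a missing claim must not throw, because an
  // exception here breaks reconciliation for the whole login.
  var dealer = null;
  if (jwt && typeof jwt.dealer_number !== 'undefined') {
    dealer = jwt.dealer_number;
  } else if (id_token && typeof id_token.dealer_number !== 'undefined') {
    dealer = id_token.dealer_number;
  }

  // Keep any data already stored on the user; only add our own key.
  user.data = user.data || {};
  if (dealer !== null) {
    user.data.dealerNumber = String(dealer);
  } else {
    console.info('dealer_number claim not present in jwt or id_token');
  }
}
```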
    • RE: Upgrade from Version 1.26 to 1.36.4 introduced error with response_type=id_token token

      @johnathon

      Also, if you are using Graal, using let and const will not be supported until version 1.37.0.

      https://github.com/FusionAuth/fusionauth-issues/issues/179

      posted in Q&A
    • RE: How can I downgrade an instance

      @dan

      Rollbacks are now supported for FusionAuth Cloud customers with Business and High Availability deployments with backups.

      Please see the FusionAuth Cloud documentation for more information: https://fusionauth.io/docs/v1/tech/installation-guide/cloud#rolling-back-from-a-problematic-upgrade

      posted in Q&A

    Latest posts made by johnathon

    • RE: User not registered still logged in

      Hi @llorach-pablo,

      Sorry to hear you are running into this issue.

      What version of FusionAuth are you running, and how are you running it? (Docker, AWS, local machine, etc.)

      It sounds like you would like to have your application configured to require registration to be redirected to the authorized redirect configured for the Authorization Code Grant, as described here, is that correct? https://fusionauth.io/community/forum/topic/1171/where-to-find-the-option-require-registration/2

      You mentioned that '...if he is not registered he will be logged in..' You would like users who are not registered to be logged in, is that correct? It is possible to allow unregistered users to log in to your application, as well as block unregistered users from being logged in. Which behavior are you looking for?

      Is this the open Github issue you were referencing?: https://github.com/FusionAuth/fusionauth-issues/issues/439

      I am running the latest version of FusionAuth, 1.42.1. I created an application using the Authorization Code Grant and created a user without being registered for my application. I then toggled the Require Registration toggle under Application > OAuth > Require Registration. When I attempted to log in to the application, I was given the error "Your account has not been registered for this application."

      What happens when you try to log into your application with a user that is not registered? Is this the same behavior you are looking for? Are you using the hosted login pages or the Login API?

      Hopefully, this helps us get you closer to the functionality you need for your application.

      Thank you,

      Johnathon

      posted in General Discussion
    • RE: JWT public keys are empty

      @stacey

      To confirm, you are trying to hit this endpoint to retrieve a public key, correct?

      In order to get this endpoint to publish/return your public key, you will need to either import or generate a key pair. I would review whether you are importing an existing key pair or generating a new one here: https://fusionauth.io/docs/v1/tech/core-concepts/key-master#importing-vs-generating

      Have you done this step yet? If not, once the pair is imported/generated correctly, this endpoint should return your public key.

      If it's still returning an error, please let us know.

      As for the @JSONResponse error, we should be handling that and you should be getting this response when hitting the same endpoint with the applicationId.

      {}
      

      I opened a bug here if you would like to track it. https://github.com/FusionAuth/fusionauth-issues/issues/1918

      source: https://fusionauth.io/community/forum/topic/404/i-imported-a-public-key-and-am-not-seeing-the-kid-in-the-jwks-endpoint

      Thanks and happy coding,

      Johnathon

      posted in Q&A
    • RE: Disable email and password logins

      @johnathon

      One approach would be to append the parameter idp_hint to the login URL to redirect a user to the appropriate IdP login page. Please read the hints section in our documentation for more information.

      Another way to disable the password and email login for a user would be to set their password to a random 25-character string. This would make the password essentially impossible to brute force and thus impossible for them to log in via the hosted login page.

      posted in Q&A
    • Disable email and password logins

      I would like to disable logins that require an email and password and only have SSO/IdPs available.

      Basically, a "Disable Password Login" button? How can I achieve this?

      posted in Q&A disable login idp sso
    • RE: Rule for validating if a password uses valid special characters / non-alphanumeric characters

      @johnathon

      These are the steps FusionAuth takes to check whether a password contains special characters:

      1. Convert the Java String to a char[] (a char is a 16-bit unicode value in Java)
      2. Check each character c to determine whether it is a special character using
        !Character.isAlphabetic(c) && !Character.isDigit(c)
      3. If any character in the string returns true for the above check, we consider it to contain a special character

      posted in Q&A
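As an added example (not code from the thread or from FusionAuth), the three steps above ported to JavaScript so they can be run against sample passwords. It goes one step further than the post: it walks UTF-16 code units the way a Java char[] does, which is why a supplementary character such as an emoji counts as two special characters, and it maps Character.isAlphabetic to the Unicode Alphabetic property and Character.isDigit to general category Nd, so accented letters and non-ASCII decimal digits are not special while symbols like "½" are.

```javascript
// Added example, not FusionAuth code: a port of the rule
//   !Character.isAlphabetic(c) && !Character.isDigit(c)
// applied to each 16-bit code unit, as with a Java char[].
// Java's isAlphabetic(int) is the Unicode "Alphabetic" property and
// isDigit(char) is general category Nd; both have direct regex equivalents.
var ALPHABETIC = /\p{Alphabetic}/u;
var DECIMAL_DIGIT = /\p{Nd}/u;

// Step 2: one code unit is "special" if it is neither alphabetic nor a digit.
// A lone surrogate half (one code unit of an emoji) is neither, so it counts.
function isSpecial(codeUnit) {
  return !ALPHABETIC.test(codeUnit) && !DECIMAL_DIGIT.test(codeUnit);
}

// Steps 1 and 3: password[i] yields one UTF-16 code unit, matching the
// Java char[] walk; any special unit satisfies the rule.
function containsSpecialCharacter(password) {
  for (var i = 0; i < password.length; i++) {
    if (isSpecial(password[i])) return true;
  }
  return false;
}

// The code units the rule counted as special, for explaining a rejection
// (e.g. why "\u00e9" or "\u0663" did not satisfy the requirement).
function specialCharacters(password) {
  var out = [];
  for (var i = 0; i < password.length; i++) {
    if (isSpecial(password[i])) out.push(password[i]);
  }
  return out;
}
```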
    • Rule for validating if a password uses valid special characters / non-alphanumeric characters

      What is the exact rule you have in place for the password validation rule of special characters / non-alphanumeric characters?

      posted in Q&A password rules valid
    • RE: Gate Users can get JWT token

      Hi @andrey-dzhezhora,

      From our conversation outside the forum:

      1. You are attempting to enforce email verification, i.e. gate users for OAuth password workflow.
      2. Your users were able to get a JWT despite not verifying their email address
      3. You are using your own hosted oauth/authorize page
      4. You have a paid version of FusionAuth with version > 1.27.0, which is required to gate user accounts.

      Problem:

      You attempted to log a user in for OAuth2 using a password grant type and expected the user to be gated.

      If you are providing your own login page, you would need to inspect the JWT returned by FusionAuth in order to determine if a user has been email verified.

      Solution:

      The easier option would be to use our hosted login pages and the authorization code grant. Once verified, FusionAuth will release an access token after a user successfully logs in. If the user hasn't been email verified, FusionAuth will not return a JWT and will 'gate' the user - which redirects to a page where a user will enter a verification code sent to their registered email address.

      Disclaimer:

      If you use the password grant, you would be building your own login page. Therefore, you would have to build the functionality in your integration code to check whether a user has been verified.

      posted in Q&A