Works perfectly now. TY!

On reading through your linked document, FusionAuth doesn't support this natively. There's no 'sso' endpoint which does what the docs say must be done (checking the signature, creating the new payload, etc...).

You have a couple of options:

file a feature request: https://github.com/fusionauth/fusionauth-issues/issues explaining what you'd like to have done use OIDC for discourse (which should work with FusionAuth out of the box): https://meta.discourse.org/t/openid-connect-authentication-plugin/103632 set up a small proxy server which would receive the SSO request from discourse, present a login screen, and call the FusionAuth Login API to authenticate the user

I'd probably recommend the OIDC route unless there's some reason why it wouldn't work for you.

Solved. The error code coming back is [duplicate]user.email. I just need to ignore that!

Yup, you got it!

And also HMAC keys will never be displayed in the public-key list. Since they are symmetric, displaying them in that list would let anyone viewing them sign JWTs indistinguishable from those signed by FusionAuth.

Should I be working with the email template or is that for something else?

I'd look at email templates and tweaking those, yes. https://fusionauth.io/docs/v1/tech/email-templates/email-templates/ has some docs about this.

Is a client_id and a user_id (returned from registration) the same thing?

Nope. client_id represents an application in FusionAuth. user_id represents a user.

Hope that helps, glad you're getting close!

Sure, you want to use the patch identity provider method: https://github.com/FusionAuth/fusionauth-java-client/blob/master/src/main/java/io/fusionauth/client/FusionAuthClient.java#L1575

You'll want to update the application configuration section: https://fusionauth.io/docs/v1/tech/apis/identity-providers/

Be aware that there is an open issue regarding this: https://github.com/FusionAuth/fusionauth-issues/issues/767 If this affects you, please upvote it so that it moves up in our priority list.

This also may be worth reading: https://fusionauth.io/community/forum/topic/510/update-identity-provider

Ok, I've created a feature request.

Hi @richb201 ,

Are you asking what the security implications are for not using passwords at all?

That's hard to give general guidance on, as that depends on how good users are at keeping their email accounts safe.

In general it's going to be pretty good because people tend to care more about their email accounts and pay more attention to them than some random account they signed up for 6 months ago and haven't checked since.

Also in favor of this is the fact that the passwordless codes are time limited (configurable in the tenant).

But, as I'm sure you can understand, I can't do a thorough security analysis because I don't know the full details of your scenario.

Nope, this is the recommended solution.

If you think there's a valid use case for having this be supported natively (without the webhook), please file an issue with a feature request, including as many details as you can: https://github.com/fusionauth/fusionauth-issues/issues

Ah, I see how that could be confusing. Sorry about that. Glad you got it sorted out and it works!

We just did some testing and it appears that JFrog Artifactory can now use FusionAuth as a SAML ID Provider.

Thanks again for the quick work on this issue.

Tom M

'Tis I indeed! Continuing my signature moves of knowing juuuuuust enough to be dangerous to myself and others LOL. I'm checking the settings now, thanks to you and Dan for the support!

@cody-braddock you'll also want to ensure this event is enabled for your Tenant. See Tenants > Edit > Webhooks in the FusionAuth UI.

solved. I needed to type DELETE.

But if I put these in the application, won't this be a security problem?

If you put them in a javascript app, yes. But if they are in the php application only, then it'll be like a database password. Not really a security issue.

You could also inject them as an environment variable or pull from a secrets manager; however you manage your database credentials, I'd suggest doing the same with the client id/secret.

Awesome, glad to hear it! Thanks for letting me know.

Users are shared across tenants, so if you have one person logged in and they visit a different Fusionauth application url, they'll be automatically logged in again (without the need to auth again). I'm not sure that's what you want.

If you register a user to app A and then to app B, they'll be registered in both apps.

If you register a user to app A and then to app A again, I think you'd get an error message, but would have to try that out to be sure.

If you want to try this yourself, you could try richb201+1@gmail and richb201+2@gmail (anything after the + is treated as the same email address by gmail, but different email addresses by fusionauth).