FusionAuth
    • M

      Unsolved Info about when 2FA was enabled via the user API in "twoFactor"?

      • • mike.chen
      1
      0
      Votes
      1
      Posts
      2.4k
      Views

      No one has replied

    • E

      Unsolved Details on XSS vulnerability

      • • engineering 1
      1
      0
      Votes
      1
      Posts
      2.6k
      Views

      No one has replied

    • A

      Unsolved FusionAuth, Nginx inside Azure Container App

      • • alan.rutter
      1
      0
      Votes
      1
      Posts
      1.9k
      Views

      No one has replied

    • A

      Unsolved DockerFile for FusionAuth

      • • alan.rutter
      1
      0
      Votes
      1
      Posts
      2.0k
      Views

      No one has replied

    • T

      Unsolved Timeout on add/update user through web/api when changed password algorithm

      • • thlau
      1
      0
      Votes
      1
      Posts
      2.0k
      Views

      No one has replied

    • W

      Unsolved How to install Mysql Connector JAR on Debian Linux

      • • wesnoth.hu
      1
      0
      Votes
      1
      Posts
      1.6k
      Views

      No one has replied

    • H

      Unsolved install app

      • • hoainamxl2203
      3
      0
      Votes
      3
      Posts
      4.6k
      Views

      H

      @tony-blank yes please help me.

    • C

      Unsolved JWT Validation Issues with RSA-SHA256 and JwtBearer Middleware (.NET / C#)

      net jwt csharp webapi • • chukwuemekai
      1
      0
      Votes
      1
      Posts
      7.5k
      Views

      No one has replied

    • E

      Unsolved Sporadic redirects to /maintenance-mode in production

      • • elliotdickison
      3
      0
      Votes
      3
      Posts
      1.8k
      Views

      T

      Wonderful blog post. I found it very helpful and informative. Solar

    • T

      Unsolved Authentication in a full stack application (.NET API/Angular)

      • • tanguy.e
      2
      0
      Votes
      2
      Posts
      3.3k
      Views

      T

      Any news?

    • I

      Unsolved Embed an application that requires FusionAuth for logging in

      • • IvanYingX
      1
      0
      Votes
      1
      Posts
      2.6k
      Views

      No one has replied

    • E

      Unsolved Maximum lifetime of refresh token not honored? (sliding window configuration)

      • • egg
      2
      0
      Votes
      2
      Posts
      954
      Views

      J

      @egg said in Maximum lifetime of refresh token not honored? (sliding window configuration):

      I am configuring my Tenant with a refresh token expiration policy of "sliding window with maximum lifetime". I have configured the maximum lifetime to 240 minutes, but the refresh token is actually expiring after 30 minutes.

      The "sliding window with maximum lifetime" policy should allow the refresh token to remain valid as long as it's used within the configured lifetime, which in your case is set to 240 minutes.

    • Z

      Solved E-mail field not exists in access token

      php token email laravel • • zaalbarxx
      4
      0
      Votes
      4
      Posts
      1.7k
      Views

      A

      @zaalbarxx sorry for the delay. I might be missing it (sorry not a PHP person) but I don't see where that confusion comes into play. I know that some of our docs had to get updated because of a change that we made during our 1.50 release that required to request further details in our scopes request.

      This release makes significant changes to the default behavior of new Applications with regard to scopes in OAuth workflows. The database migration will update existing Applications to behave in a backwards compatible manner. See the OAuth Scopes documentation for more information, in particular the Relationship, Unknown scope policy, and Scope handling policy configurations.

      https://fusionauth.io/docs/release-notes/#version-1-50-0

      Let me know if that still isn't making sense, or if there is a spot you were hung up on and I would be happy to update our docs. Or even better feel free to add a PR.

    • C

      Unsolved Setting well-known IDs for identity providers in the kickstart file

      • • colin.orr
      1
      0
      Votes
      1
      Posts
      1.2k
      Views

      No one has replied

    • I

      Unsolved JupyterHub LTI integration

      • • IvanYingX
      1
      0
      Votes
      1
      Posts
      1.6k
      Views

      No one has replied

    • M

      Unsolved Unsuccessful attempt to implement invitation flow.

      • • mou
      3
      0
      Votes
      3
      Posts
      1.8k
      Views

      M

      @mark-robustelli Hi, Mark. This is a great idea I didn't even think of. Thank you very much. It is a workaround anyway, but maybe it will allow me to complete PoC and wait for the proper invite flow to be implemented in FA.

    • danD

      MFA with the password grant

      password grant mfa • • dan
      3
      0
      Votes
      3
      Posts
      1.8k
      Views

      A

      Thanks for addressing this use case. Your proposal, however, runs counter to any standardization effort: Long live OAuth! 🙂

      A better approach would be to switch from a password grant to the use of authorization codes (instead of passwords) to obtain the access token. This is fully within the OAuth framework and does not introduce FusionAuth-specific hacks into the solution.

      We have created a simple HTML page that redirects to the FusionAuth authorize endpoint with grant_type=authorization_code. The browser handles MFA as usual. Upon redirecting to this page, the page can harvest the authorization code for the user to copy. From there, proceed with the authorization code in place of a password.

      PS: Long live OAuth!

    • A

      Unsolved Passwordless Login Questions

      • • alan.rutter
      2
      0
      Votes
      2
      Posts
      649
      Views

      mark.robustelliM

      @alan-rutter When it comes to account recovery in a passwordless login system, the most recommended method is to use a self-service approach. This means allowing users to recover their accounts themselves, which not only saves administrative costs but also saves the user's time. The simplest form of account recovery, and the one most amenable to automation, is a “forgot password” flow. This should be part of any Customer Identity and Access Management (CIAM) system.

      In the context of passwordless authentication, this could involve sending a one-time code or a magic link to the user's registered email or phone number. The user can then use this code or link to authenticate themselves and regain access to their account. This method is secure and user-friendly, as it does not require the user to remember any passwords.

      For more information, you can refer to these articles on account recovery and passwordless authentication.

    • D

      Unsolved Correct role for login records

      • • david.gonzalez
      2
      0
      Votes
      2
      Posts
      486
      Views

      mark.robustelliM

      @david-gonzalez I created a new user test@test.com and added the FusionAuth Registration. I granted it the Report Viewer role and was able to log in and see recent logins on the Dashboard. (I assume that is what you are talking about.) I got curious and removed the Report Viewer role and added the Event log viewer role. That allowed the test user to see the Dashboard as well. Will one of those two roles work for you?

    • P

      Unsolved Not getting enough details using Google Oauth

      • • prince.b
      2
      0
      Votes
      2
      Posts
      634
      Views

      mark.robustelliM

      @prince-b What scopes are you requesting?