FusionAuth
    • T

      Unsolved SEARCH_TYPE in docker-compose.yml not taking effect?

      • • twilkinson
      3
      1
      Votes
      3
      Posts
      912
      Views

      danD

      @twilkinson

      Thanks for using FusionAuth!

      Did you get this sorted out?

      Dan

    • T

      Unsolved Error on sample flask app login

      • • tilan
      4
      0
      Votes
      4
      Posts
      1.3k
      Views

      danD

      @mattcrox

      Thanks for using FusionAuth!

      1.32.1 is a pretty old version (released in Dec 2021). Do you run into the same issue with more recent versions?

    • R

      Unsolved Fusionauth on azure app service for containers

      • • rafal.glebocki
      4
      1
      Votes
      4
      Posts
      2.9k
      Views

      D

      @rafal-glebocki
      I'm working through the same issue. I've set up an Application Gateway but it doesn't appear to be working. Would you share your configuration?

    • V

      Unsolved Configure FusionAuth as an OpenID provider?

      • • vinhdat82
      5
      1
      Votes
      5
      Posts
      1.0k
      Views

      danD

      @vinhdat82

      You can definitely use FusionAuth as an OpenID Connect provider. The callback is https://your.fusionauth.server/oauth2/callback

      We only support front channel logout.

      Can you share more details about the application you are trying to use FusionAuth for? What is the framework, etc?

      That might help me direct you to some better documentation.

    • H

      Solved Can I create new tables in the FusionAuth database?

      • • heitordanilo2003
      2
      1
      Votes
      2
      Posts
      528
      Views

      danD

      @heitordanilo2003

      Welcome to the FusionAuth community!

      It isn't possible to create new tables inside FusionAuth. However, you have a few options within the current supported extension points.

        • You can correlate between two different databases, as you currently are.
        • You can use the user.data and user.registration.data fields. These are arbitrary JSON objects and you can define your own schema inside them. They are searchable.
        • You can use Entity Management. Entity Management lets you define your own entities (which also have data fields) and relationships between users and entities. This is paid functionality that requires a license key.

      Hope that helps.
      Dan

    • J

      Unsolved Can we make enabling of 2FA required after login for specific users of application?

      • • jvadaliya
      2
      1
      Votes
      2
      Posts
      775
      Views

      danD

      @jvadaliya FusionAuth enforces MFA for users at the tenant or application level, but not the specific user.

      You can file a feature request here: https://github.com/fusionauth/fusionauth-issues/issues

      You can also make an API call in your application after the user has logged in to force MFA for only certain users; this is called step up auth: https://fusionauth.io/docs/v1/tech/guides/multi-factor-authentication#step-up-auth

      Hope this helps.

    • danD

      Is FusionAuth both an OIDC Relying Party and an Identity Provider?

      faq oidc standards • • dan
      2
      0
      Votes
      2
      Posts
      3.6k
      Views

      H

      @dan
      I faced a similar kind of issue last time; I am still searching for a proper solution.

    • J

      Unsolved SAML v2 IdP Initiated Identity Provider

      • • joey.zhang
      2
      0
      Votes
      2
      Posts
      500
      Views

      danD

      @joey-zhang

      I'm not sure what you mean? Can you please explain further?

    • R

      Unsolved Importing users with + in email address fails?

      • • ryan 2
      2
      1
      Votes
      2
      Posts
      483
      Views

      danD

      @ryan-2 Hmmm.

      I searched our GH issues list: https://github.com/fusionauth/fusionauth-issues/issues and didn't see that as an issue. I also reviewed our import API doc and didn't see it either.

      Can you please share more details, including the version of FusionAuth you were using and repro steps? That would be helpful in characterizing this issue in more detail.

    • T

      Unsolved SAML IDP - message.State is null or empty

      • • tw
      3
      1
      Votes
      3
      Posts
      1.6k
      Views

      T

      @dan figured out a workaround based off the Auth0 documentation.

      I have added a new route in our API gateway as the callback url in fusionauth. This is the RelayState (or redirect_uri with the acs) that we are providing for our IdP providers.

      The route for example is now:

      /signin-saml-oidc?code=j6rOnUBViLU1kR5UA2eKK_UTzc-cO2auei53TJU9X8g&locale=en_US&userState=Authenticated

      Which we just issue a ChallengeAsync which then redirects back to fusionauth and then redirects back to signin-oidc with the code and state parameter.

      await this.HttpContext.ChallengeAsync()

      Obviously this isn't ideal & adds another redirect in the flow, but it works as the user is authenticated in FusionAuth & our gateway triggered the challenge (so generating the state).

      FusionAuth Version: 1.44.0

    • D

      Unsolved I can't change the redirect URL for OpenID Connect

      • • dobritos11
      3
      0
      Votes
      3
      Posts
      1.8k
      Views

      danD

      @hazelmarissa1 Since you are using cleanspeak, I'd suggest filing a support ticket if you are having issues.

      Log into your Cleanspeak account from here: https://account.cleanspeak.com/ and you should have options to file a ticket.

      This forum is for FusionAuth users, so you probably won't get much help here. 🙂

    • danD

      Solved Are FusionAuth docker images affected by the docker hub changes?

      • • dan
      2
      0
      Votes
      2
      Posts
      2.4k
      Views

      danD

      Nope.

      FusionAuth pays for an organization and the FusionAuth dockerhub images will remain freely available.

    • S

      FusionAuth and API Gateway (Kong)

      • • scorneliu
      3
      0
      Votes
      3
      Posts
      2.2k
      Views

      danD

      We have started to document API gateway integrations with FusionAuth here: https://fusionauth.io/docs/v1/tech/developer-guide/api-gateways/

    • J

      Solved How can I expose the instance on my Ubuntu server?

      • • javi
      2
      0
      Votes
      2
      Posts
      668
      Views

      J

      @javi

      Here is the answer I got on SO: https://stackoverflow.com/questions/75665818/how-can-i-expose-fusionauth-on-ubuntu-apache-to-connect-from-browser/75667048#75667048

      Question closed!

    • danD

      What level of performance can we expect with using FusionAuth as an IdP?

      performance from-slack faq • • dan
      4
      0
      Votes
      4
      Posts
      8.9k
      Views

      danD

      @m-arlynrasavong Hmmm. Can you share more details?

    • P

      Solved Kickstart properties

      • • paterik4
      5
      1
      Votes
      5
      Posts
      3.6k
      Views

      P

      @dan

      Yes, this answers my question, thank you!

    • danD

      Solved Issue with istio and FusionAuth

      istio kubernetes • • dan
      2
      0
      Votes
      2
      Posts
      2.1k
      Views

      danD

      There are a couple of things to check:

        • Make sure that you've updated the issuer at the tenant screen: https://fusionauth.io/docs/v1/tech/core-concepts/tenants#general
        • Make sure you are using an asymmetric keypair to sign the id token. If you are using HMAC, which is the default for FusionAuth, you have to share a secret. Asymmetric algorithms like RSA256 are what proxies typically need (so they don't have to have the signing secret). More here: https://fusionauth.io/docs/v1/tech/core-concepts/applications#jwt and here: https://fusionauth.io/docs/v1/tech/core-concepts/key-master

      Hope that helps.

    • D

      Unsolved How to get from a JWT payload to registration.data?

      • • damien
      3
      0
      Votes
      3
      Posts
      5.2k
      Views

      J

      @damien said in How to get from a JWT payload to registration.data?:

      Each of the applications that I intend to create registrations for already have their own identifiers. I suspect this is very common.

      After authenticating my user, and confirming that they have an active registration to use the target application, I then need to know their corresponding "application account ID".

      For example, if my application is "bank account", I need to know which "account number" is owned by user@example.com

      From the docs, my understanding is that the expected/recommended way to handle this is to store the account number in registration.data like:

      { "account number": 12345 }

      And maybe I also declare that they're a primary account owner via roles.

      I saw in the docs that a JWT includes roles within its payload, so I can easily find out that my user@example.com is a primary account owner of my "bank account" application - but what is the recommended way to discover that they own "account number 12345" ?

      Do I literally need to resort to the registration API?

      Yes, if you need to retrieve the specific "account number" associated with a user's registration for your application, you would need to use the registration API to fetch the registration data that includes the account number. You could then parse the JSON data to extract the account number.
      It is recommended to store the account number in the registration.data field, as you mentioned in your question. This way, when you fetch the registration data using the registration API, you can easily access the account number associated with that registration.
      Alternatively, you could consider including the account number as a claim in the JWT payload when the user logs in, along with their roles. This would eliminate the need to fetch the registration data separately. However, you should be careful about including sensitive information in the JWT payload, as it could potentially be intercepted or tampered with. It is generally recommended to keep the JWT payload as lightweight as possible and only include the necessary information for authorization purposes.

    • S

      Unsolved "A unique identifier was not provided for the user" when new user from AAD

      • • simon.roberts
      3
      1
      Votes
      3
      Posts
      1.9k
      Views

      N

      Facing the same issue, but no response from anyone, and I could not find troubleshooting for this topic on Google.

    • danD

      Solved What language is the server/IDP written in?

      • • dan
      2
      0
      Votes
      2
      Posts
      614
      Views

      danD

      It is written in Java. More here: https://fusionauth.io/docs/v1/tech/installation-guide/system-requirements#java