Yes, you can search for users who are set to

"active" : false

just like any other user

The user can be retrieved but will have a status of {"user" : { "active" : false } }
The user cannot be updated but will instead have this error return

{ "fieldErrors": { "userId": [ { "code": "[inactive]userId", "message": "The User with Id [00000000-0000-0000-0000-000000000007] is inactive and cannot be updated until it is reactivated." } ] } }

Yes, this is the functional equivalent in the UI.

Soft delete is the preferred method.

Hi @ivona, thank you for writing in!

Can you let me know of any output in the error event log for both OAuth and apple config? This may help to troubleshoot this issue.

In the meantime, please feel free to take a look at some of our similar, Apple-related posts on our forum. Here are a couple of posts that may prove useful:

https://fusionauth.io/community/forum/topic/752/not-able-to-login-with-apple-id/6
https://fusionauth.io/community/forum/topic/752/not-able-to-login-with-apple-id

In the meantime I will dig further into this issue on my end and see if I can reproduce it.

Talk soon,

Akira

@elliotdickison said in Awkward OAuth logout in mobile app:

@maciej-wisniowski We ended up going with your solution and it's working alright, thanks for that!

@robotdan One suggestion for you all: I found the naming of the "AllApplications" value for the application.oauthConfiguration.logoutBehavior setting a bit confusing. As far as I can tell all the "AllApplications" value it really means is "show the OAuth2 logout page". That page can be used to log out of all apps (that's the default template behavior), but it doesn't have to be used that way. Per the suggestion from @maciej-wisniowski we are using the page to log the user out of only one app and show a "successfully logged out" message. Maybe to avoid a breaking API change the value "OneApplication" could be added in addition to "AllApplications" and "RedirectOnly". That value could use the same OAuth 2 logout template but maybe set a variable that could be used to conditionally turn off the logout-of-all-apps behavior. Just a thought.

Thanks for the suggestion @elliotdickison - please do open a GH issue with this suggestion and how you'd like the logout to behave in your use case.

Nope, at this time it is all configured at the tenant, via the UI or API.

If you have specific needs, please file a github issue outlining your use case: https://github.com/fusionauth/fusionauth-issues/issues

@saleenajohn49 said in Clicked the regenerate key button on the reactor page:

A nuclear reactor produces and controls the release of energy from splitting the atoms of certain elements. In a nuclear power reactor, the energy released is used as heat to make steam to generate electricity. (In a research reactor the main purpose is to utilise the actual neutrons produced in the core. In most naval reactors, steam drives a turbine directly for propulsion.

Ha ha.. yep, that is pretty much how the FusionAuth Reactor works too. 😆

I think you missed to put FusionAuth Tenant ID.

In my case, I create a file called appConfig.json :

e89f0007-0a18-41d8-b184-5e820eafa09e-image.png

The file contains :

FusionAuth URL (where you deploy your FusionAuth app such as https://login.mywebsite.com) FusionAuth Tenant ID FusionAuth App ID FusionAuth Client Key

Afterwards, I create a new instance of FusionAuth like this (in another file):

d60fe095-14be-4a7e-85fb-44b49a68c462-image.png

I pass FusionAuth Tenant ID here as a parameter.

Hence, I can fire a login function like below :
a4eed8ff-1441-4f15-9a93-9123603c36c7-image.png

@aman

Glad, you got it working!

Remember that CORS is a powerful tool. It's best to keep it enabled, once you nail down your configuration.

Thanks,
Josh

The timeout is already really high (10 seconds). I can see in the logs of my webhook that I get a timeout in the api call to FusionAuth. It feels like a race condition.

Hi @jeff-lawry,

I might need some more context to better assist. Can you confirm:

What are you trying to accomplish? How/Who are you integrating with? What errors are you seeing (if any)? "SP that has required setting for IdP Cert" -> can you elaborate a bit on this and offer more context? Are you looking to set up FusionAuth as a SAML SP or a SAML IdP? Based on your question, it sounds like the latter, but want to confirm. "Also SP is looking for PrototypeName sent by FusionAuth" can you provide a bit more context here. I am not familiar with this property. Which configuration screens are you interacting with (if any) within FusionAuth Admin UI that you have questions about? Have you consulted any documentation from FusionAuth? If so, which pages? (so that I can better assist...).

Please let us know some additional details and we will do our best to assist.

Thanks,
Josh

@pmolaro

I think I understand now.

If you imported a few users, they should be given the option via UI to have the verification email sent to them again (if you are using the OAuth flows/hosted pages)

If you are not using the OAuth flows in Fusionauth (this seems to be true, based on what you said), then I think that you would need to offer the user the ability to now verify through this API
https://fusionauth.io/docs/v1/tech/apis/users/#resend-verification-email, which will return a verificationId

Also, there is a tutorial for email verification (the gating part is a paid feature) and we are developing one (very similar) for application registrations as well (the gating part is a paid feature).
https://fusionauth.io/docs/v1/tech/tutorials/gate-accounts-until-verified/

Let me know if that more gets at your question.

Thanks,
Josh

The team wrote a tutorial outlining how to rotate keys, including signing keys: https://fusionauth.io/docs/v1/tech/tutorials/key-rotation/

Hiya.

You can see the elasticsearch query if you expand advanced in the UI.

Because of the way that we tokenize the search string, it is likely that a query like user@example.com will match more than just the user with the email address you are entering.

If you want to match only the email address in the UI, the easiest way to do it is to preface the query with email:. So email:user@example.com.

Hope that helps.

I have encountered this error and managed to work out the following steps to get things working

FWIW I think this issue is the same as https://fusionauth.io/community/forum/topic/1098/registration-question-sendsetpassword-flow/7

I get the above error using the default Setup Password template which contains link with template http://localhost:9011/password/change/${changePasswordId}?client_id=${(application.oauthConfiguration.clientId)!''}&tenantId=${user.tenantId}

If I add redirect_uri=http://localhost:3000 then I end up being redirected to http://localhost:3000?error=invalid_request&error_reason=missing_response_type&error_description=The+request+is+missing+a+required+parameter:+response_type without ever setting a password.

Once I add response_type=code I now get to be able to set the password.

It looks like the /password/change endpoint actually jumps into the OIDC/OAuth flow after the password is set and my redirect URL gets a code (which I assume can be exchanged for a token), however as I am using ASP.NET 5 & the OpenIdConnect extensions the state parameter contains encrypted data that must be supplied so I have found it best to ignore the code and simply trigger the OIDC challenge which causes a redirect back to FusionAuth (with required state) which immediately redirects back to my API (as there is an open SSO session) and my login is complete.

It would be good if there was some documentation about the /password/change endpoint.

(I would also be open to suggestions about how I can cleanup the redirect magic I need to do to get this all working with ASP.NET but I realise that is probably out of scope of this question!)

And we've added this info to the Events/Webhooks documentation as well: https://fusionauth.io/docs/v1/tech/events-webhooks/events/

@michael-schramm can I reach you somewhere for a short discussion? Am also thinking about going for CockroachDB and have a couple questions. 😅