I have encountered this error and managed to work out the following steps to get things working

FWIW I think this issue is the same as https://fusionauth.io/community/forum/topic/1098/registration-question-sendsetpassword-flow/7

I get the above error using the default Setup Password template which contains link with template http://localhost:9011/password/change/${changePasswordId}?client_id=${(application.oauthConfiguration.clientId)!''}&tenantId=${user.tenantId}

If I add redirect_uri=http://localhost:3000 then I end up being redirected to http://localhost:3000?error=invalid_request&error_reason=missing_response_type&error_description=The+request+is+missing+a+required+parameter:+response_type without ever setting a password.

Once I add response_type=code I now get to be able to set the password.

It looks like the /password/change endpoint actually jumps into the OIDC/OAuth flow after the password is set and my redirect URL gets a code (which I assume can be exchanged for a token), however as I am using ASP.NET 5 & the OpenIdConnect extensions the state parameter contains encrypted data that must be supplied so I have found it best to ignore the code and simply trigger the OIDC challenge which causes a redirect back to FusionAuth (with required state) which immediately redirects back to my API (as there is an open SSO session) and my login is complete.

It would be good if there was some documentation about the /password/change endpoint.

(I would also be open to suggestions about how I can cleanup the redirect magic I need to do to get this all working with ASP.NET but I realise that is probably out of scope of this question!)

And we've added this info to the Events/Webhooks documentation as well: https://fusionauth.io/docs/v1/tech/events-webhooks/events/

@michael-schramm can I reach you somewhere for a short discussion? Am also thinking about going for CockroachDB and have a couple questions. 😅

Hmmm.

The FusionAuth basic tier is not intended for any type of load testing. So that probably explains poor results.

The reason for this is that the service (with this tier) is running on a single AWS EC2 instance that is running FusionAuth, Elasticsearch and a PostgreSQL database. This means the node is very resource constrained, and attempting to run load tests on this type of system is not recommended. The numbers you get from this type of test will not be valuable to you in context of planning your production deployment.

If you do want to perform load testing, I would recommend you run FusionAuth on-premise using a more realistic production configuration, or upgrade to the High Availability hosting tier. You can spin up an HA instance, perform your load testing, and then tear it down. You'll only be charged for the time the HA instance is up and running.

If you cannot achieve your target request per second with a standard HA setup, you can upgrade from Medium, to Large, or even to X-Large if you need to obtain additional requests per second.

You also may be interested in this load testing guidance: https://fusionauth.io/docs/v1/tech/installation-guide/monitor/#load-testing

And this (dated) forum post: https://fusionauth.io/community/forum/topic/8/what-level-of-performance-can-we-expect-with-using-fusionauth-as-an-idp

@pleymor

Were you able to get this addressed or do you still need assistance?

Thanks
Josh

@alex

I was out of the office last week, but am looking at this now.

I would say that you would be best served by checking the event logs. The logs that you have displayed here are from the main application and may not show as much debug information as the events logs do (when the debug toggle is enabled in the specific IdP and/or lambda).

Regarding your other questions, I was able to make an advanced registration form with both an email and username input. Since Google does not return a username, FusionAuth will send you to a complete registration page and ask for a username. The unique username policy set on the tenant will ensure no username collisions.

Then my_user_name becomes appended by the unique user name constraint set on the tenant
b8d46e80-596d-4e32-8252-65a7a75c2ab3-image.png

re:

The user can merge accounts (including all application-specific data) by requesting a merge. The requested-of account would receive an e-mail notification asking permission to merge, which would be valid for a short/customizable period of time.

We don't have this functionality exactly but have an approximation. On this user, notice the linked accounts tab. You can remove externally linked accounts here as an admin. Additionally, if you set create a pending link, as your linking strategy (instead of link on email), you can have your user login with google and associate that google UUID to an existing FusionAuth user (or create a new user).

I am not sure if this fully addresses what you are asking. My encouragement would be to review the documentation that we just released around linking IdP accounts, linking strategies, etc.
https://fusionauth.io/docs/v1/tech/identity-providers/

Here for any further clarification needed 🙂

Thanks,
Josh

dac8d112-09f0-41b0-9fa5-9d47bbf40c0a-image.png

Thanks,
Josh
FusionAuth

Thanks for reporting this. The workaround is to remove the configuration from the SAML provider. I also tested it out and when SAML is enabled and you try to duplicate the app, you are presented with an error message.

I filed an issue about this: https://github.com/FusionAuth/fusionauth-issues/issues/1366

fusionauth.timezone is used to guess the user’s current timezone so we can adjust dates and times in the UI (admin).

fusionauth.remember-device records your answer to ’remember this computer` checkbox on the login page (so you won't be prompted for MFA on this device again).

@joshua That actually helps very much, thanks!

If you are running Advanced Threat Detection, you need at least 2GB of memory for each FusionAuth node.

Here's the system requirements: https://fusionauth.io/docs/v1/tech/installation-guide/system-requirements/ which document the 2GB requirement when using this feature.

Disable the application configuration for this webhook. That is not doing what you think - it is a legacy configuration that causes some confusion.

https://fusionauth.io/docs/v1/tech/events-webhooks/#form-fields-5

have you seen this https://github.com/jerryhopper/fusionauth-app-multiarch ?
it's from community member @hopper-jerry and may meet your needs.

@jlinton,

As a related note, you can elect to remove the JWT when calling the login API specifically.

https://fusionauth.io/docs/v1/tech/tutorials/json-web-tokens/#skipping-jwt-creation

Thanks,
Josh

Please check that you configured an SMTP server in the default Tenant (and for every other tenant, for that matter).

It defaults to localhost and port 25, and if you don't have an SMTP server running there, any functionality sending emails, like forgot password, won't work.

To work around this, you can set the password for any user using an API key and the User API: https://fusionauth.io/docs/v1/tech/apis/users/#update-a-user

Yes. That’s how it currently works.

We have on the roadmap a more flexible identity system but don't have a current timeline for implementation. Here's the tracking issue: https://github.com/FusionAuth/fusionauth-issues/issues/1

you can add to the database_url: ?ssl=true&sslmode=require (pick the mode you actually require)

if your server supports tls1.3+ you should force 1.2 on the client:
FUSIONAUTH_APP_ADDITIONAL_JAVA_ARGS="-Djdk.tls.client.protocols=TLSv1.2"
(https://fusionauth.io/community/forum/topic/938/secure-db-connection-with-tls-1-3/4?_=1629097757303)

Hi there,

I was just double-checking this, and the algorithm dropdown doesn't need to be manually set since it automatically changes to the value of the algorithm in the header.

But while testing this I actually got it to verify; not sure what was different each time since I could have sworn I tried both the public key and the certificate with and without the PEM headers (looks like the PEM headers are definitely necessary), but maybe I was using the wrong key or something.

Anyway thanks for looking into this!

@jlinton

This feature will be released as a webhook very shortly as part of 1.30 so keep your eyes peeled when we announce this!

Related webhooks coming in this release

user.password.reset.send user.password.reset.start user.password.reset.success user.password.update

Thanks
Josh

@jitendrasahu17996

I might need some more context, but what you are asking for sounds feasible.

I would start by looking at SSO to achieve multiple-application login.

https://fusionauth.io/docs/v1/tech/guides/single-sign-on/ https://fusionauth.io/blog/2021/02/09/single-sign-on-sso-with-fusionauth/

Thanks,
Josh