Hi, another day, another problem
Suddenly the login stopped working for some reason (no dependencies changed and I believe no settings for FusionAuth either)
Using Vue SDK this login redirect URL is generated:
http://localhost:9011/app/login?client_id=e9d1e58d-d076-439a-b92d-a0e5f76cceef&redirect_uri=http%3A%2F%2Flocalhost%3A3010%2Fauth%2Fcallback&scope=offline_access+openid+email&state=redirect_to%253Dtrue
The browser redirects to this address, then redirects back to http://localhost:3010/auth/callback
with this query string:
{ error: 'invalid_request', error_description: 'The request is missing a required parameter: code', error_reason: 'missing_code', state: 'redirect_to%3D%2F' }
Everything seemed to work fine up until now and I cannot find any related issue.
The application does have PKCE set as not required, as in the screenshot:
This is an event from the event log:
Unable to complete app login. The auth code exchange has failed.
Application Id: e9d1e58d-d076-439a-b92d-a0e5f76cceef
Status code [400]
Error response is
{
"error" : "invalid_request",
"error_description" : "The request is missing a required parameter: code",
"error_reason" : "missing_code"
}
Changing the enabled grants from Authorization code to Password changes the error query to:
{ error: 'unauthorized_client',
error_description:
'The [authorization_code] Authorization Code grant has been disabled for this client.',
error_reason: 'grant_type_disabled',
state: 'redirect_to%3D%2F' }
but I guess since Authorization code was working previously and password grant is "legacy", I should use the former.
Edit: From what I see, the problem starts to appear right after I update the Terraform provider from 0.1.105 to 0.1.106. When I change to 0.1.105 it starts to work properly.
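As an added example (not part of the original post and not FusionAuth SDK code): one way an application's callback route could classify the response shown above before it attempts a code exchange. The function names and return shape are hypothetical, and the sample URL is constructed from the error object quoted in the post.

```javascript
// Added example: classify an authorization-code callback before any token exchange.
// parseAuthCallback, safeRedirectTarget and the return shape are hypothetical names.

// Constructed sample: the error callback from the post, re-encoded as a URL.
const SAMPLE_ERROR_CALLBACK =
  'http://localhost:3010/auth/callback?error=invalid_request' +
  '&error_description=The+request+is+missing+a+required+parameter%3A+code' +
  '&error_reason=missing_code&state=redirect_to%253D%252F';

function parseAuthCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  const state = params.get('state');
  // Bind the response to the request first: with an unexpected state,
  // nothing else in the query string should be acted on.
  if (state === null || state !== expectedState) {
    return { ok: false, kind: 'state_mismatch' };
  }
  // RFC 6749 section 4.1.2.1: a failed authorization returns `error`
  // (plus an optional description) instead of `code`.
  if (params.has('error')) {
    return {
      ok: false,
      kind: 'provider_error',
      error: params.get('error'),
      reason: params.get('error_reason'), // field seen in the post, not in RFC 6749
      description: params.get('error_description'),
    };
  }
  const code = params.get('code');
  if (!code) return { ok: false, kind: 'missing_code' };
  return { ok: true, code, redirectTo: safeRedirectTarget(state) };
}

// The state in the post wraps `redirect_to=<path>` in one more layer of
// percent-encoding. Only same-origin absolute paths are accepted.
function safeRedirectTarget(state) {
  let target = null;
  try {
    target = new URLSearchParams(decodeURIComponent(state)).get('redirect_to');
  } catch (e) {
    return '/'; // malformed percent-encoding
  }
  const ok = target !== null && /^\/(?![\/\\])/.test(target);
  return ok ? target : '/';
}
```

Logging the `kind`, `error` and `reason` fields on the application side gives a record to compare against the FusionAuth event log entry.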
According to the docs here:
https://fusionauth.io/docs/quickstarts/quickstart-php-laravel-api#provisioning-new-users
the access token received from the FusionAuth should contain email field. But it does not. After logging in the app.at token looks like this:
Is this the correct behavior? I mean, the e-mail is there in the app.idt along with other data:
Wouldn't it be better to change app_at to app_idt here to actually parse and verify ID Token instead of access token?
Hi,
When using the hosted Passwordless login pages, is it possible to prepopulate the email address from something passed via the state parameter?
The only reason I want to do this is because I want to check if a user exists in an old system before attempting the sign in.
What is the recommended way of performing account recovery when using passwordless login only?
Regards
Alan
I have two same enabled applications defined on FusionAuth, each representing a separate web application hosted on my local. I have also created two applications on an Azure AD tenant and connected my FusionAuth applications to them via two SAML v2 identity providers I have created on FusionAuth. I have created one user on the Azure AD tenant and only added that user to one of the applications.
I can launch the web application which the Azure AD user has access to and log into the application using it. Now when I try the other web application on the same browser, what happens is it logs into the application without even going to a login page. What I am expecting is the second application to be rejected to log in as the Azure AD user does not have access to it.
What do I need to do to achieve the desired behaviour?
Hi FusionAuth team,
I could not find the information on what special role allows "admins" to see the login record administration page?
Thank you for your answer.
Hi,
I am running FusionAuth inside a Docker container on Ubuntu. My application is Angular running on the same machine. I have MailDev running in a Docker container and configured correctly in FusionAuth.
I have set up passwordless login using the endpoints
api/passwordless/start
api/passwordless/send
api/passwordless/login
as per the documentation.
I have two issues that I am struggling to resolve/understand:
- When I call the send endpoint, MailDev does not receive the email. If I do the same thing using Postman, it does. There is nothing in the Event log.
- All three endpoints work because if I enter the code on my front-end UI, I get a valid response with token, user etc. I have looked through the documentation but I'm not quite sure what I'm supposed to do with this response - what do I need and where should I store it?
Any help appreciated.
Alan
Hi all,
I am currently performing passwordless login flow by calling the API endpoints directly from my front-end application.
I have read that it is possible to use an API Gateway such as Kong etc to perform the OAuth exchange with FusionAuth. I am currently looking to use KrakenD for this purpose but I am looking for guidance on how this should be implemented.
Regards
Alan
Hello, I have a starter license and this month I got the first invoice. Unfortunately, the form of the invoice is not sufficient for my company (based in Germany), as the full address of both FusionAuth and our company must appear on it. Unfortunately, I could not find any contact details for such a question, as the Starter subscription does not include any real support. Has anyone ever had this problem or can anyone else help me to address this problem correctly? Thanks! Alex
Hello,
When submitting a text value, e.g. "my phone", as 'user.mobilePhone' to /api/user/registration, we receive an E.164 error, which is expected.
But I can perfectly create users with the following values: '123text', '123z'
And mobilePhone values like '12z', '12zzzz' yield the expected error message - Invalid number
What are the exact formatting rules for the user mobile phone [user.mobilePhone] field? Is this a bug, or does FA allow some other phone formats which are not described in the documentation? (https://fusionauth.io/docs/apis/users)
username, and email uniqueness.
We wanna let users register with unique usernames, and email addresses. I know that we can store the email/username in the user.data field, which is not required to be unique. And we know that we cannot specify username and email at the same time. Look at this error message you'll get when you try to specify both:
{
statusCode: 400,
exception: {
fieldErrors: {
'user.email': [
{
code: '[blank]user.email',
message: 'You must specify either the [user.email] or [user.username] property. If you are emailing the user you must specify the [user.email].'
}
],
'user.username': [
{
code: '[blank]user.username',
message: 'You must specify either the [user.email] or [user.username] property. If you are emailing the user you must specify the [user.email].'
}
]
},
generalErrors: []
}
}
I was trying to update a user with following code:
await fusionAuthClient.updateUser(id, {
  user: {
    lastName: updateUserInfoDto.lastName,
    firstName: updateUserInfoDto.firstName,
    uniqueUsername: updateUserInfoDto.username,
  },
});
So here is a similar Q&A: https://fusionauth.io/community/forum/post/3055
Question
I am trying to emphasize that just by saving username in user.data we will be able to have both username and email, but applying rules such as uniqueness would require more manual work. Cannot we just tell FusionAuth to make sure that user.data.username should be unique in that application or tenant?
I really do not like to check it manually in my backend considering how costly and inefficient it would be;
- Send an HTTP req to FusionAuth API to fetch all the users.
- Loop over them to verify user.data.username is not equal to the one that is entered by the user.
- Update user.
Or at least that's how I thought about its implementation.