Master branch:
Problem:
The master branch has lost the login page and other related pages (still present on the design branch), and FusionAuth built-in login is not useable in a MultiTenant configuration because there is no default method to map email addresses to tenants. In fact, in FusionAuth, the multitenant is designed for separate applications with potentially different user bases, where the same emails are treated as distinct users. In this case, there is no single sign on between distinct tenants, because the users are distinct by definition of a tenant. The built-in login screen only works when the Tenant is specified, which could be the case if knowing the application was enough to know the tenant.
Steps to reproduce:
$ curl -c - -X POST "https://auth.natixar.pro/api/login" -H "Content-Type: application/json" -H "Authorization: GXEHQY9507eAO0U724n-dQ7Ku1SSaEQzNAjJ4tNvZwmBtMTGCtSXX-7c" -d '{
"loginId": "[email protected]",
"password": "password",
"noJWT": false,
}'|jq
{
"fieldErrors": {},
"generalErrors": [
{
"code": "[TenantIdRequired]",
"message": "A Tenant Id is required to complete this request. To complete this request, you may assign a Tenant to your API key, or add the X-FusionAuth-TenantId HTTP request header with the Tenant Id."
}
]
}
The Authorization is a key valid for all tenants. At the same time, it is not specific to a particular tenant. This curl command shows how to login a user, when the credentials have been collected in a react form, in the application UI.
When the tenant is specified as a header, authentication works fine:
$ curl -c - -X POST "https://auth.natixar.pro/api/login" -H "X-FusionAuth-TenantId: d5a5b255-c0b9-eab1-e918-25ce27ee92be" -H "Content-Type: application/json" -H "Authorization: GXEHQY9507eAO0U724n-dQ7Ku1SSaEQzNAjJ4tNvZwmBtMTGCtSXX-7c" -d '{
"loginId": "[email protected]",
"password": "password",
"noJWT": false
}'|jq
set-cookie: access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjVjYjRhNjMzYSJ9.eyJleHAiOjE3MTM3MTkwNjcsImlhdCI6MTcxMzcxNTQ2NywiaXNzIjoiaHR0cHM6Ly9hdXRoLm5hdGl4YXIucHJvIiwic3ViIjoiYTc4NTQwNWEtMjk3Mi00NmJlLWEzZjktYmMzOGZhOWQxNjlmIiwianRpIjoiM2MwYjI3OWEtNzk1Ni00ZGMyLTgyNzgtOTZlNGI5MzgwMTRlIiwiYXV0aGVudGljYXRpb25UeXBlIjoiUEFTU1dPUkQiLCJlbWFpbCI6InJpY2hhcmRAZXhhbXBsZS5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXV0aF90aW1lIjoxNzEzNzE1NDY3LCJ0aWQiOiJkNWE1YjI1NS1jMGI5LWVhYjEtZTkxOC0yNWNlMjdlZTkyYmUifQ.VjZuoyvj6aT2jEFGxB0FhhO8fthEQbVyxocVYyhFAEc; HttpOnly; Path=/; SameSite=Lax; Secure
{
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjVjYjRhNjMzYSJ9.eyJleHAiOjE3MTM3MTkxOTQsImlhdCI6MTcxMzcxNTU5NCwiaXNzIjoiaHR0cHM6Ly9hdXRoLm5hdGl4YXIucHJvIiwic3ViIjoiYTc4NTQwNWEtMjk3Mi00NmJlLWEzZjktYmMzOGZhOWQxNjlmIiwianRpIjoiZWM0M2YwMDctYzUzNi00ZTlhLTk1NjAtMDA0YWY3ZmQyYjQ5IiwiYXV0aGVudGljYXRpb25UeXBlIjoiUEFTU1dPUkQiLCJlbWFpbCI6InJpY2hhcmRAZXhhbXBsZS5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXV0aF90aW1lIjoxNzEzNzE1NTk0LCJ0aWQiOiJkNWE1YjI1NS1jMGI5LWVhYjEtZTkxOC0yNWNlMjdlZTkyYmUifQ.QKieOAwYBebq37S0ndczyoOPZ56lqidHFLH2Bwtzc90",
"tokenExpirationInstant": 1713719194148,
"user": {
"active": true,
"birthDate": "1985-11-23",
"connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
"data": {},
"email": "[email protected]",
"firstName": "Richard",
"id": "a785405a-2972-46be-a3f9-bc38fa9d169f",
"insertInstant": 1708506066516,
"lastLoginInstant": 1713715594148,
"lastName": "Hendricks",
"lastUpdateInstant": 1708506066516,
"memberships": [
{
"data": {},
"groupId": "955df980-71c3-4034-8ac5-e6ab5e3e0473",
"id": "48cf28c0-e41a-40d8-a364-1334baa8ed20",
"insertInstant": 1711287287892
},
{
"data": {},
"groupId": "c9d8aa29-10fa-4ee0-99c7-3222b6f17b41",
"id": "fa4668f8-62a5-4f08-aad7-05fbb199b4b9",
"insertInstant": 1711289462332
}
],
"passwordChangeRequired": false,
"passwordLastUpdateInstant": 1708506066550,
"preferredLanguages": [],
"registrations": [
{
"applicationId": "844588d0-9937-4edf-bc5e-88011bb483eb",
"data": {},
"id": "aec927e2-92dd-4638-b671-7de39fb8ecee",
"insertInstant": 1708513720307,
"lastLoginInstant": 1708539507768,
"lastUpdateInstant": 1708513758536,
"preferredLanguages": [],
"roles": [],
"tokens": {},
"username": "[email protected]",
"usernameStatus": "ACTIVE",
"verified": true,
"verifiedInstant": 1708513720307
},
{
"applicationId": "5e9cba0b-4978-4a24-88c0-0a45b0ed067f",
"data": {},
"id": "387abf78-9272-4987-9fbc-abc9cc71d772",
"insertInstant": 1712231522819,
"lastLoginInstant": 1713436782845,
"lastUpdateInstant": 1712231522819,
"preferredLanguages": [
"fr_FR"
],
"roles": [
"Access LCIA pages",
"Access billings page",
"Access carbon tracking pages",
"Access process editor",
"Create user",
"Decrease number of seats",
"Delete user",
"Disable 2FA for user",
"Generate carbon tracking report",
"Increase number of seats",
"Pay online",
"Purchase a package",
"Purchase optional feature",
"Remove a package",
"Reset user password"
],
"tokens": {},
"username": "Richard Hendricks",
"usernameStatus": "ACTIVE",
"verified": true,
"verifiedInstant": 1712231522819
}
],
"tenantId": "d5a5b255-c0b9-eab1-e918-25ce27ee92be",
"twoFactor": {
"methods": [],
"recoveryCodes": []
},
"usernameStatus": "ACTIVE",
"verified": true,
"verifiedInstant": 1708506066516
}
}
The keys are cryptographic and cannot be chosen, but application UUID are free.
The Http_Only cookies is for the back-end, and the JWT access token returned in the response body is for the front-end. They are identical. The payload of the JWT is basic in this example:
{
"exp": 1713719067,
"iat": 1713715467,
"iss": "https://auth.natixar.pro",
"sub": "a785405a-2972-46be-a3f9-bc38fa9d169f",
"jti": "3c0b279a-7956-4dc2-8278-96e4b938014e",
"authenticationType": "PASSWORD",
"email": "[email protected]",
"email_verified": true,
"auth_time": 1713715467,
"tid": "d5a5b255-c0b9-eab1-e918-25ce27ee92be"
}
Solution:
Instead of relying on the built-in windows of FusionAuth to perform the login, it is required to use the OAuth2 flow documented here:
https://fusionauth.io/docs/lifecycle/authenticate-users/oauth/
In the work flow, the user clicks on "Climate Change Dashboard" indicating that they wish to connect to the Climate Change Dashboard of their company.
Once the user email has been collected, the react code in the login window shall derive an application UUID from the selected application and the domain part of the email address. Some crypto hash will do the job, but it has to be standardized and documented, because the client create API in the backend must use the same algorithm to set the UUIDs of applications.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.