I'd like to update the user data object in the UI. I know I can do it via the API: https://fusionauth.io/docs/v1/tech/apis/users
dan
@dan
Head of Developer Relations at FusionAuth.
Enjoys ruby, java, php. Finds golang challenging.
Likes the authorization code grant, automation, stories and clear documentation.
Hiker, camper, gardener. Used to have chickens, now just tomatoes.
Best posts made by dan
-
Is there a way to update user data in the UI?
-
Can I configure the inactivity timeout of the FusionAuth Session cookie?
I have a quick question about FusionAuth and configuring the inactivity timeout of the session cookie it creates. Specifically... Is it possible?
-
Terraform provider for FusionAuth released
There's now an open source terraform provider available: https://github.com/gpsinsight/terraform-provider-fusionauth
It's also on the registry: https://registry.terraform.io/providers/gpsinsight/fusionauth/latest
-
RE: Block authentication until user is verified?
Is modifying the JWT via a lambda equivalent to accessing the verified property of the user profile?
Within a lambda, you have access to the user and registration properties. So you'd pull the `verified` property from wherever you wanted and put it into the JWT as a custom claim. Here's a blog post about how that might work. So yes, it is the same data. It's the tradeoff between a bigger JWT and having to make the additional call from your API.
Don't forget that the JWT will live for a while, so if this sequence happens and you use the JWT, you might have a user with a verified email prevented from using the API.
- user registers
- JWT issued, with `verified` set to `false` because the user isn't verified
- user verifies their email
- user visits API, but is denied because the JWT has stale data.
I don't know timelines and how long your JWTs live for, but this is something to consider. Does that answer your question?
-
RE: My JWKS are always empty
Symmetric keys are not returned on the JWKS endpoint, as they don't have a public key. Per the docs, this API:
> returns public keys generated by FusionAuth, used to cryptographically verify JWTs using the JSON Web Key format
If you create an RSA or EC key, which is an asymmetric key pair, the public key will be returned on the JWKS endpoint. If you don't have any key pairs configured, it will be empty. Out of the box, you'll only have one HMAC key, which we don't publish in JWKS.
-
RE: Implementing a Role-Based Access System for Authorization
Ah, I just tested this out and if you don't need it in the JWT, you should be able to see it in the registrations object returned after login.
Here's a response I get after logging in:
```json
{
  "token": "ey...",
  "user": {
    "active": true,
    "connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
    "email": "email@example.com",
    "id": "2df13f18-01cc-48a4-b97a-2ab04f98d006",
    "insertInstant": 1592857899119,
    "lastLoginInstant": 1596819645662,
    "lastUpdateInstant": 0,
    "passwordChangeRequired": false,
    "passwordLastUpdateInstant": 1592857899145,
    "registrations": [
      {
        "applicationId": "78bd26e9-51de-4af8-baf4-914ea5825355",
        "id": "73d2317b-d196-4315-aba2-3c205ed3ccae",
        "insertInstant": 1592857899151,
        "lastLoginInstant": 1592857899153,
        "lastUpdateInstant": 1596813810104,
        "roles": [
          "Role1"
        ],
        "usernameStatus": "ACTIVE",
        "verified": true
      }
    ],
    "tenantId": "1de156c2-2daa-a285-0c59-b52f9106d4e4",
    "twoFactorDelivery": "None",
    "twoFactorEnabled": false,
    "usernameStatus": "ACTIVE",
    "verified": true
  }
}
```
So `user.applicationId.roles` is what you want. Note that roles are applied on an application by application basis. If a user is in a group which has a role 'roleA' which is created in 'applicationA', but is not registered for 'applicationA', they won't receive that role. More on that here: https://fusionauth.io/docs/v1/tech/core-concepts/groups
-
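Added example (not from the post above or from FusionAuth): reading the per-application roles out of a login response shaped like the one quoted in that post. The roles are reached through `user.registrations[n].roles` by matching `applicationId`, and a user with no registration for the application gets none, which is the group case the post describes. Ids in the sample are placeholders.

```python
from typing import Any


def roles_for_application(login_response: dict[str, Any], application_id: str) -> list[str]:
    """Return the roles the user holds for one application.

    Roles live at user.registrations[n].roles and are keyed by applicationId,
    so the list is found by matching the registration, not by a direct path.
    A user with no registration for the application gets an empty list, even if
    a group grants the role: that is the case described in the post above."""
    user = login_response.get("user") or {}
    for registration in user.get("registrations") or []:
        if registration.get("applicationId") == application_id:
            return list(registration.get("roles") or [])
    return []


def is_allowed(login_response: dict[str, Any], application_id: str, required_role: str) -> bool:
    """Authorization check for one application: the user must be registered for
    it and hold the required role on that registration."""
    return required_role in roles_for_application(login_response, application_id)


# Constructed sample shaped like the quoted login response (placeholder ids, not real data).
APP_A = "78bd26e9-51de-4af8-baf4-914ea5825355"  # applicationId from the quoted response
APP_B = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # an application the user is not registered for
LOGIN_RESPONSE = {
    "token": "ey...",
    "user": {
        "id": "2df13f18-01cc-48a4-b97a-2ab04f98d006",
        "verified": True,
        "registrations": [
            {"applicationId": APP_A, "roles": ["Role1"], "verified": True},
        ],
    },
}
```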
RE: Trouble getting the user object post login
OK, we just released 1.18.8 and that is the version you want to use:
In `requirements.txt`:
```
fusionauth-client==1.18.8
```
And then this is the call you want to make (with `client_id` before `redirect_uri`):
```python
resp = client.exchange_o_auth_code_for_access_token(request.args.get("code"), client_id, "http://localhost:5000/oauth-callback", client_secret)
```
-
RE: Specifying password during user registration.
Hiya,
First off, we'd recommend having all the flow you outline be over TLS. That's good enough for most major ecommerce systems and so shouldn't be insecure. If you aren't serving your application over TLS, then I'd advise doing so. And note that the flow is actually:
My Frontend --> My Backend --> FusionAuth API
There's no password returned from the registration API call.
If you are concerned about a new user's password being insecurely transmitted through your application, you could use the FusionAuth hosted login pages and theme them to be like your application. (More docs.)
The other option, which takes encrypted passwords, is the Import Users API, but that's probably not a fit for one off registrations. There are no plans to accept encrypted passwords for one off user registrations. Here's a related issue you can weigh in on/vote up if you'd like. Or feel free to open a new issue if that one doesn't capture the essence of your idea.
Are there specific security concerns you have around your front end/back end systems that I might be missing?
Latest posts made by dan
-
RE: Is there a way to enable or disable captcha at application level?
@mark-robustelli I don't believe you can do this. I think @muditshukla3 was asking about CAPTCHA, not MFA.
-
RE: Making API calls against a user who is federating into FusionAuth
The easiest thing to do is to store the value on the user.data object in the reconcile lambda, and then pull it off in the JWT populate lambda.
The JWT populate lambda will only be called if the authorization code grant is completed and an access token is generated, but you should be doing that in your application.
So what it looks like is:
- user visits your application
- user clicks 'login'
- user clicks 'login with OIDC'
- user authenticates
- user returned to FusionAuth
- reconcile lambda runs, setting values on user.data
- user object is created
- JWT populate lambda runs, pulling values from user.data and calling FusionAuth APIs to add user to a group or grant them permissions on an entity
- user object is updated, user exists in FusionAuth
-
Making API calls against a user who is federating into FusionAuth
Suppose I have users who are going to federate into FusionAuth via another OIDC or SAML server. They are going to be created on demand. After they are created, I want to use Lambda HTTP Connect to call into FusionAuth to add them to a group, register them for an application or otherwise manipulate their account based on attributes from the remote identity store.
I tried to do that in the OIDC reconcile lambda, but the user isn't created yet, so I can't, for example, add them to a group or grant them permissions on an entity.
What is the best way to solve this?
-
RE: Using Fusion auth inside iframe
For future readers, there's an open GH issue here to better support iframes: https://github.com/FusionAuth/fusionauth-issues/issues/2830
Please add your use cases, upvotes and comments there.
-
RE: Can you migrate passkey information between tenants?
Yes. You can do this with the API:
```shell
curl -H 'Authorization: ...' 'https://yourinstance.fusionauth.io/api/webauthn?userId=00000000-0000-0000-0000-000000000001' > out
```
Then remove the following:
- id
- insertInstant
- lastUsedInstant
- tenantId
and update the userId.
And use the import call:
```shell
curl -H 'X-FusionAuth-TenantId: newtenantid' -H 'Authorization: ...' https://yourinstance.fusionauth.io/api/webauthn/import -H 'Content-type: application/json' -d '{...}'
```
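Added example (not from the post above or from FusionAuth): the edit step between the two curl calls, done in Python. It strips the four server-assigned fields, rewrites `userId`, and builds the import request with the target tenant selected by the `X-FusionAuth-TenantId` header. It assumes both the export and the import body wrap the passkeys in a `credentials` array; the sample export is constructed with placeholder ids and fake key material.

```python
import json
import urllib.request
from typing import Any

# Fields assigned by the source tenant; the post above says to drop them before importing.
SERVER_ASSIGNED_FIELDS = ("id", "insertInstant", "lastUsedInstant", "tenantId")
# Assumption: export and import body both wrap the passkeys in a "credentials" array.
CREDENTIALS_KEY = "credentials"


def prepare_passkey_import(export_body: str, new_user_id: str) -> dict[str, Any]:
    """Rewrite the JSON saved from GET /api/webauthn?userId=... into the body for
    POST /api/webauthn/import: server-assigned fields removed, userId pointed at
    the user in the target tenant, everything else carried over unchanged."""
    exported = json.loads(export_body)
    credentials = exported.get(CREDENTIALS_KEY) or []
    if not credentials:
        raise ValueError("export contains no passkey credentials")
    cleaned = []
    for cred in credentials:
        stripped = {k: v for k, v in cred.items() if k not in SERVER_ASSIGNED_FIELDS}
        stripped["userId"] = new_user_id
        cleaned.append(stripped)
    return {CREDENTIALS_KEY: cleaned}


def build_import_request(base_url: str, api_key: str, new_tenant_id: str,
                         body: dict[str, Any]) -> urllib.request.Request:
    """Build (but do not send) the import call; the target tenant is selected
    with the X-FusionAuth-TenantId header, as in the curl command above."""
    req = urllib.request.Request(f"{base_url}/api/webauthn/import",
                                 data=json.dumps(body).encode(), method="POST")
    req.add_header("Authorization", api_key)
    req.add_header("X-FusionAuth-TenantId", new_tenant_id)
    req.add_header("Content-Type", "application/json")
    return req


# Constructed sample export: placeholder ids and fake key material, not a real credential.
SAMPLE_EXPORT = json.dumps({CREDENTIALS_KEY: [{
    "id": "11111111-1111-1111-1111-111111111111",
    "userId": "00000000-0000-0000-0000-000000000001",
    "tenantId": "22222222-2222-2222-2222-222222222222",
    "insertInstant": 1700000000000,
    "lastUsedInstant": 1700000001000,
    "credentialId": "Y29uc3RydWN0ZWQtY3JlZGVudGlhbC1pZA",
    "publicKey": "Y29uc3RydWN0ZWQtcHVibGljLWtleQ",
    "relyingPartyId": "example.com",
    "signCount": 3,
}]})
```

Send the returned request with `urllib.request.urlopen(req)` once the placeholders are replaced with your instance URL, API key and target tenant id.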
-
Can you migrate passkey information between tenants?
I want to let a user log in to one tenant using passkeys.
Then, later, I want to move them to another tenant.
Can I migrate their passkey information as well?
-
RE: Can you turn off CAPTCHA for certain applications in a tenant
Right now you cannot turn off CAPTCHA for certain applications to handle this use case.
There's an open GH issue to address this. Please upvote or share your use case on there if you have thoughts.
-
Can you turn off CAPTCHA for certain applications in a tenant
I want to turn off CAPTCHA for a given mobile application to make sure the app review process doesn't get impacted, but I want to retain CAPTCHA for the other applications in that tenant.
-
RE: Can you use push notifications as a form of MFA with FusionAuth?
As of writing, there is no direct support for push notifications as an MFA method in FusionAuth. If you would like such support, please open a feature request with more details about your use case.
However, you should be able to build something that sends a code via a push notification. Here's how to do that. (This requires a Starter, Essentials or Enterprise plan.)
This illustrates how to do this using the hosted login pages; if you use the APIs, it's a slightly different workflow, as outlined in the MFA guide.
- configure FusionAuth to require a phone number when the user registers
- set up your Android or iOS device to send back the device id when the app is installed
- tie the device id to the user's phone number in your backend system
- set up a generic messenger. The messenger will send a phone number and a message when an MFA challenge occurs.
- look up the device id from the phone number in your system
- use the appropriate service to send a push notification with the code
- have the user enter the code in the MFA challenge screen