Group Details Private

Power User

Helpful folks who know a lot about FusionAuth

  • RE: Connector service docs say it needs only user.id, but fails if not given email too

    @fusionauth-qhj5e

    Hmmm. Which docs were you looking at?

    https://fusionauth.io/docs/lifecycle/migrate-users/connectors/ says:

    If you are migrating a user, you must provide the following fields in the user object you return.

    user.username or user.email
    user.id: a FusionAuth compatible UUID
    

    and

    If you are authenticating a user, you must provide the following fields in the user object you return.

    user.username or user.email
    user.id: a FusionAuth compatible UUID
    

    If there's another place in the docs that states that email/username is not required, would love to correct it.

    posted in Q&A
  • RE: Assign a user role when a user logs in using Google

    This is possible today using a Google Reconcile Lambda. Our Lambdas allow arbitrary JavaScript to be executed during a login event. You can write logic to check the user's domain and assign them the appropriate role associated with the FusionAuth Application they're authenticating through.

    Below is a code example demonstrating how you could implement such logic:

    function reconcile(user, registration, idToken) {

      // Return the lowercased domain part of an email address, or null if there is none
      function extractDomain(email) {
        if (typeof email !== 'string') {
          return null;
        }
        // Split the email address by the '@' symbol
        var parts = email.split('@');
        // Return the second part, which represents the domain name
        return parts.length > 1 ? parts[1].toLowerCase() : null;
      }

      // Extract the email domain from the user object and store it in the domain variable
      var domain = extractDomain(user.email);

      // Make sure the roles array exists before pushing to it
      registration.roles = registration.roles || [];

      // Check the domain: add the 'teacher' role for example.com, and the 'user' role for any other domain
      if (domain === 'example.com') {
        registration.roles.push('teacher');
      } else {
        registration.roles.push('user');
      }

      // This is optional, but is good to have for debugging purposes. The results will be returned in the event logs.
      console.info(registration.roles);
    }
    
    
    posted in Q&A
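A stricter variant of the domain-to-role mapping from the post above, as an added example that is not part of the original post or FusionAuth's own code. It assumes the Google payload passed as `idToken` carries an `email_verified` claim (boolean or the string `'true'`); `TEACHER_DOMAIN`, `emailDomain` and `roleFor` are hypothetical names.

```javascript
// Added example: role assignment that fails closed to 'user'.
var TEACHER_DOMAIN = 'example.com'; // domain used in the thread

// Return the lowercased domain, or null for anything that is not
// exactly one local part, one '@' and one domain.
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  var at = email.lastIndexOf('@');
  if (at < 1 || at === email.length - 1) return null; // no local part or no domain
  if (email.indexOf('@') !== at) return null;         // more than one '@': do not guess
  return email.slice(at + 1).toLowerCase();
}

// Decide the role from the verified email domain only.
function roleFor(user, idToken) {
  // Assumption: email_verified is present on the Google payload.
  var verified = !!idToken &&
    (idToken.email_verified === true || idToken.email_verified === 'true');
  var domain = emailDomain(user && user.email);
  // Exact match, so 'example.com.other.test' and 'notexample.com' get 'user'.
  return (verified && domain === TEACHER_DOMAIN) ? 'teacher' : 'user';
}

function reconcile(user, registration, idToken) {
  var role = roleFor(user, idToken);
  // Replace only the two roles this lambda manages, so an earlier 'teacher'
  // does not survive a login that no longer qualifies; other roles are kept.
  registration.roles = (registration.roles || []).filter(function (r) {
    return r !== 'teacher' && r !== 'user';
  });
  registration.roles.push(role);
}
```
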
  • Assign a user role when a user logs in using Google

    Hey, I am just curious if it's possible for us to assign user role if we choose to do login using Google as identity provider (we directly call Google for sign in, then link the user to FusionAuth, as per this guide).

    To elaborate more, let's say we want user to be assigned to the user role upon sign in. But if the user email is under the domain @example.com, we want to assign them as teacher role. Would it be possible?

    posted in Q&A
  • RE: Simple session management service

    The best solution here would be to use entity management.

    You can create an entity type of Session or similar.

    Each time you have a user log in, you can create a Session and set the .data.session_identifier field to the value of the device fingerprint + business specific indicator, and store the access token as the value.

    When you are trying to find whether a user has a valid session, you can use the Entity search APIs to find that key and get back the value. Or, if the value doesn't exist, the user has no valid session.

    For expiration, you can use the access token's exp claim (which means anything consuming it will have to check that, which it should anyway). You could also manage additional expiration metadata in the .data field if you needed different logic (you have 5 hour access on weekdays, 10 hours of access on weekends or something similar).

    Note that you should be very aware of the security implications of this scheme (for example, that the device fingerprinting is unique and that the access token is narrowly scoped enough that if it is somehow obtained by an attacker it can't be used to damage the system).

    posted in Q&A
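The lookup-and-expiry logic of the scheme in the post above, as an added example that is not part of the original post. It uses an in-memory `Map` as a stand-in for FusionAuth Entities of type Session and makes no API calls; `data.access_token`, the function names and the sample token are assumptions constructed for the illustration.

```javascript
// Added example: stand-in for the Entity store described in the post.
var store = new Map();

// Composite key. JSON array encoding keeps ("ab","c") distinct from ("a","bc").
function sessionKey(fingerprint, indicator) {
  return JSON.stringify([String(fingerprint), String(indicator)]);
}

// Read exp (seconds since epoch) from a JWT payload. Bookkeeping only:
// the signature is NOT verified here; the API consuming the token must do that.
function tokenExp(jwt) {
  var parts = String(jwt).split('.');
  if (parts.length !== 3) return null;
  try {
    var b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    var claims = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    return typeof claims.exp === 'number' ? claims.exp : null;
  } catch (e) {
    return null;
  }
}

function saveSession(fingerprint, indicator, accessToken) {
  if (tokenExp(accessToken) === null) throw new Error('token has no usable exp claim');
  var key = sessionKey(fingerprint, indicator);
  // Mirrors the post: .data.session_identifier is the key, the token is the value.
  store.set(key, { data: { session_identifier: key, access_token: accessToken } });
}

// Returns the stored token, or null when there is no unexpired session.
function findSession(fingerprint, indicator, nowSeconds) {
  var key = sessionKey(fingerprint, indicator);
  var rec = store.get(key);
  if (!rec) return null;
  var exp = tokenExp(rec.data.access_token);
  if (exp === null || exp <= nowSeconds) {
    store.delete(key); // an expired record counts as "no valid session"
    return null;
  }
  return rec.data.access_token;
}

// Constructed sample token with a fake signature, for the demo only.
function sampleJwt(exp) {
  var enc = function (o) {
    return Buffer.from(JSON.stringify(o)).toString('base64')
      .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  };
  return enc({ alg: 'RS256', typ: 'JWT' }) + '.' + enc({ sub: 'constructed-user', exp: exp }) + '.constructed-signature';
}
```
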
  • Simple session management service

    Hi folks,

    We want to have a simple session management service for a client that has no local storage mechanisms (so we can't use something like cookies).

    How it will work is that we'll:

    • present a login form using the Login API
    • the user will log in
    • we'll generate an access token
    • we need to store it somewhere <-- this is where we need help
      • The key will be a value from the client (device fingerprinting plus another business specific indicator)
      • the value will be the access token

    Later, we need some way to get that access token, based on the key.

    We want to store as much as we can in FusionAuth, but realize there may be a thin proxy in front of it to handle API keys for access to various FusionAuth APIs.

    posted in Q&A
  • RE: Proxy Configuration Warning

    @jawaid-karim Hmmm. Those all look good.

    So you are still seeing an error in the admin screen when you log in?

    posted in Q&A
  • RE: IIS Reverse Proxy not showing FusionAuth Page correctly

    @jawaid-karim Are you setting all the headers mentioned here? https://fusionauth.io/docs/operate/deploy/proxy-setup

    posted in Q&A
  • RE: Mysql on ubuntu

    @truearrowsoftware Weird.

    We won't fix that bug because we don't support mysql 5.7 any more (per https://fusionauth.io/docs/get-started/download-and-install/system-requirements#database ).

    When you try to connect to mysql8, do you see any log messages in the startup screen or under /usr/local/fusionauth that seem relevant to share?

    posted in General Discussion
  • RE: Password that never expires?

    If you needed to, you could always build an API integration (the User Update API lets you reset passwords, or you could initiate a Change Password Request) into your application for a specific user.

    posted in Q&A
  • RE: Password that never expires?

    @olivier-rochon Correct.

    posted in Q&A