@maciej-wisniowski That was done when we found that there was a bug in

#FROM fusionauth/fusionauth-app:1.19.4

and we replaced it with:

FROM fusionauth/fusionauth-app:1.19.7

Thanks @richb201 , appreciate the UI suggestions! I'll take a look as we definitely don't want folks to be confused/frustrated by the user interface.

Cheers,
Dan

Fair enough.

While I'm always interested in learning more about how FusionAuth fits into system architectures, we don't document many proxy configurations, as they tend to be pretty scenario specific. There are also a lot of different proxies out there, often with good documentation!

But sure, anything you figure out we'd love to have you add to the fusionauth-contrib project as a PR to share with the community.

Thanks!

Regarding the SPA and proper authentication flow, there are some more things to consider. First, if your SPA is served from the domain that is different from your backend's domain (eg. using Vercel to host SPA frontend) then you'll have issues with cookies between different domains. Another thing is security, specifically CSRF. You'll possibly have to implement some CSRF tokens to handle this. There is a lot of information regarding these topics on the Internet but still it doesn't seem to be very easy to implement. The first link I've found on the topic: https://ideneal.medium.com/securing-authentication-in-a-spa-using-jwt-token-the-coolest-way-ab883bc372b6.
Would be great if FusionAuth docs can also describe these issues (different domains, CSRF).

Because of that it is worth considering if some other flow isn't better - AuthorizationCode + PKCE that doesn't touch the backend at all (no cookies, no CSRF issues, but you have to be careful with XSS). I've implemented a proof of concept React application that uses https://github.com/IdentityModel/oidc-client-js and slightly modified react-oidc (that is a react wrapper to oidce-client-js), and it seems to work nicely with FA for me.

Hmmm.

What is defaultIfNull? I'm not familiar with that function.

Can you save other information to the user.data field (like a test string) in the reconcile lambda and have it read in the populate jwt lambda?

What does logging defaultIfNull(samlResponse, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups', 'groups') reveal?

Glad you solved it!

@dan I am using caprover as PaaS, and it has NGINX fully integrated. It's only happening on their latest version. I already raised an issue with them (https://github.com/caprover/caprover/issues/1035).

I tried to reconfigure their proxy manually but couldn't get it to work. I just rolled it back to their earlier version.

@trevorr said in Is it possible to create a user without a password?:

Would changing this be a reasonable feature request?

Sure, seems reasonable to me.

I'm not quite sure of the ramifications because the identity providers are assigned at the application level and users are a tenant scoped entity, but I suppose you could just say that any user marked with a 'nolocalpassword' attribute would not be able to ever log in locally. They'd always have to be authenticated by a third party system. I haven't thought through all the ramifications but think this would be a fine feature request. Please file away : https://github.com/fusionauth/fusionauth-issues/issues

Note that the random password example in that other thread might fail sporadically because there's no guarantee that a base-64 string will contain a "special character".

Maybe I misunderstand you here, but that's a matter of the password rules and the random string generation, correct? You could set up random long strings and make sure they included non alphanumeric characters. Should be a library for that (here's one for java). Or you could relax your password rules to allow for only alphanumeric characters (this may or not make sense, depending on what kind of users you have logging into the tenant).

@richb201 I haven't done this myself, but I think that @hopper-jerry has written something up. Might be worth reading:

https://blog.jerryhopper.com/2020/05/23/fusionauth-wordpress/

I am not sure that uses passwordless, but if you are using the OIDC plugin and the hosted login pages, wordpress shouldn't care about the credentials (whether it is a username/password or passwordless link).

@maciej-wisniowski said in Using custom parameters with login page:

[@helpers.hidden name="custom_parameter" /]

I did not know you could do that. Thanks for sharing your solution!

Here's how I set up FusionAuth as a SAML IdP (idp.fusionauth.io) and added a 'Login with SAML' button on a FusionAuth instance (local.fusionauth.io). Both servers are running 1.24.0. I do have multiple tenants in both local and demo, but both applications are in the default tenant. (Setting up these servers locally is possible, but beyond the scope of this post.)

Created a RSA 256 keypair on idp.fusionauth.io in key master (saml test) Created a RSA public key and imported the saml test public key into key master on local.fusionauth.io Add POST as an allowed CORS method in the local.fusionauth.io settings, with an allowed origin of https://idp.fusionauth.io. Created an application (samlsp) in local.fusionauth.io. Added a oauth redirect url to the application. Created an application (samlidp) in idp.fusionauth.io. Added a oauth redirect url to the application. Configured samlidp application with the following values: enabled SAML on the SAML tab set the issuer to https://example.com added an authorized redirect url: https://local.fusionauth.io/samlv2/acs set the response signing key to 'saml test'. All other response fields are default. Configured a SAML identity provider on local.fusionauth.io name: idpfusionauth IdP endpoint: https://idp.fusionauth.io/samlv2/login/a743e2cd-55bb-789c-b076-8846fdd3a51f ( pulled from the applications details screen of the samlidp application) use nameid for email: true verification key: use the certificate of the aforementioned saml test public key (not the public key!) use post method: false sign request: false applications: samlsp enabled and registration enabled Updated the issuer on the samlidp application SAML screen. Set the issuer to https://local.fusionauth.io/samlv2/sp/dfd114b9-7b57-446d-8f60-ec6689f47da4. This value is pulled from the local.fusionauth.io SAMLv2 Identity Provider details. Note that you may need to trim this value, as when you copy it there may be spaces in front or behind, and if you don't remove them, you'll see a The AuthnRequest contained an invalid issuer message.

By following these steps, when you open up an incognito window and go to the login page of the samlsp application, you will see a 'login with saml' button, and then you can login with that.

@dan said in Systemd service template:

https://fusionauth.io/direct-download/

To Add to what @dan mentioned, you can install .deb or .rpm packages using the fast path install method. It will default to zip file installation.

For additional ways to call it - see the Fast Path install guide.
https://fusionauth.io/docs/v1/tech/installation-guide/fast-path/

Here's an example of a rails migration which modifies application configuration:

require 'fusionauth/fusionauth_client' class ModifyApplicationToUseForm < ActiveRecord::Migration[6.1] def up client = FusionAuth::FusionAuthClient.new(ENV['FA_API_KEY'], Rails.configuration.x.oauth.idp_url) request = { "application": { "registrationConfiguration": { "enabled": true, "type": "basic" } } } res = client.patch_application(Rails.configuration.x.oauth.client_id, request) if res.status != 200 raise "did not succeed." end end def down client = FusionAuth::FusionAuthClient.new(ENV['FA_API_KEY'], Rails.configuration.x.oauth.idp_url) request = { "application": { "registrationConfiguration": { "enabled": false } } } res = client.patch_application(Rails.configuration.x.oauth.client_id, request) if res.status != 200 raise "did not succeed." end end end

Worth noting that I pull the API key from the environment and the location of the FusionAuth instance and the application id from a config file. Often you'll need to do a lookup if you are modifying other entities.

You'd run this via the normal migration process: rails db:migrate to roll forward and rails db:rollback to rollback.

You can also run more than one operation in a single migration, but there's no transaction surrounding these changes, so if you are making three changes and step number 2 fails, you'll have to back out step number manually.

Yes, they are equivalent. Building this JSON:

{ "search": { "queryString": "fusionauth.io" } }

and posting it is equivalent to a GET with queryString=fusionauth.io.

@venkata-dorisala I split this since it seemed like it was worth a new topic.

What can you tell me about the nodes you are running (in terms of CPU and memory)? Do the restarts happen on any kind of pattern? Are there things that happen to stress the system at the time of the restarts? What version of FusionAuth are you on? What troubleshooting steps have you taken? What have you found?

I've definitely seen folks whose FusionAuth installs were restarting because the docker image was memory starved (see this post for example).

To be totally honest, this is probably an issue best addressed by the engineering team, but you'll need to purchase a support contract for them to be able to dig in.

Hiya, @milan-agatonovic ! Welcome to the FusionAuth community.

Here's a forum post about shopify integration: https://fusionauth.io/community/forum/topic/791/shopify-integration

The short answer is it should be possible, but unfortunately we don't have step by step instructions on how to do this. Hopefully the above forum post will give you some starting points.

Please feel free to post back with specific questions or progress. It's definitely something I'm interested in following along with.

Sure, store the access token in a secure cookie.

We don't have any examples of that with Angular, but here's a diagram of the flow: https://fusionauth.io/learn/expert-advice/authentication/spa/oauth-authorization-code-grant-jwts-refresh-tokens-cookies/

You'll still have to have some kind of backend because server side code is required to exchange the authorization code for the access token, as above. But you can then have the JWT be stored as a cookie and sent to APIs without further interaction with the backend server.

The alternative is to use the implicit grant, documented here: https://fusionauth.io/docs/v1/tech/oauth/overview#example-implicit-grant

But we strongly advise against that since it exposes your access tokens to XSS attacks.

We have a license FAQ.

If course, if your questions aren't answered there, please feel free to send us an email.

Looking at https://github.com/FusionAuth/fusionauth-java-client/blob/master/src/main/java/io/fusionauth/client/FusionAuthClient.java#L3256

It appears there is no way to search using the Java client that uses a GET, only a POST. However, you can still provide the queryString in the JSON and it will be equivalent to the GET request.

Building this JSON:

{ "search": { "queryString": "fusionauth.io" } }

Is equivalent to queryString=fusionauth.io.

Hope that helps.

Try clicking on the Advanced section on the User Search page and see you find what you're looking for.

Or search like this tenantId:9d92ca33-bc7b-4d13-acd7-f7dc06038396 where 9d92ca33-bc7b-4d13-acd7-f7dc06038396 is your tenantId.

Please note that this is an example for the elastic search search engine. With the database search engine, you can only search for the fields as documented in the API. As of this post, those are:

firstName lastName fullName email username