RE: Authentication for an Application with Web Client and Mobile front-ends

@mehamm,

It sounds like you are on the right track. A few comments:

• The Web API should not persist the access token, but the web app definitely can (often in a session). The web app can then present the access token until it expires, in which case the web app can renew the access token with the refresh token.

• "Web API verifies token against FusionAuth (my app) endpoint" -> You can also verify the claims were signed by FusionAuth without calling the introspect endpoint by using a JWT library.

• "Web API pulls user claims from token for role(s) and tenant, if verified returns data back to web app." -> Makes sense. Make sure to check the "aud" and "iss" claims to ensure they are what you expect. You should do this even if you are using the introspect endpoint.
• The correct tenant can be found from the client_id, since all applications are associated with one and only one tenant.
  If you have any specific issues, please feel free to post them in the forum (a new topic might be best).

By the way, if you are running in FusionAuth in production at scale, we encourage you to get a support contract . Having one allows access to the engineering team via opening support tickets. https://fusionauth.io/pricing/. Obviously, this is not a requirement, but should your business needs require a higher support level, it is available

I hope this helps!

Hey FusionAuth Community!

Just a heads up -- we have made a few revisions to this post!

If you are interested in using VueJS and FusionAuth -- check it out!

https://fusionauth.io/blog/2020/08/06/securely-implement-oauth-vuejs

Hi bogorad,

The functionality that you are looking for is located in the themes section of the FusionAuth application. Specifically, you will want to review all OAuth pages (OAuth authorize and possibly others) to adjust the template to your user requirements. FusionAuth uses FreeMarker for templating.

Additionally, below is a link to our documentation regarding themes (as well as a very useful video on how to mimic a custom Stack Overflow login page, for instance)
https://fusionauth.io/docs/v1/tech/themes/

Hopefully, that sets you on the right path! Enjoy FusionAuth!

Thanks,
Josh

My Database (sql, rds, postgres) is filling up. Any pointers on how to address this?

There is an option to adjust the number of claims on the token through the jwt populate lambda.

Documentation here

Let me know if that gets at what you looking for!

Thanks,
Josh

There are a number of things that might be causing this.

One thing to check is to see how many logs, debug, and other records your installation is holding on to. This can be reviewed by clicking under Setting -> System

I have attached a screenshot for your review.

Finally, it might be useful to review your system architecture to ensure it is sized appropriately for the number of users you are hosting.

I hope this helps!

Thanks,
Josh

Is there an option to make JWT token smaller in a size?

Hi @mehamm!

All applications are associated with one and only one tenant.

You may find some answers to your questions around multi-tenancy here:

https://fusionauth.io/blog/2018/09/24/multi-tenancy-in-a-single-tenant-architecture

I will also excerpt from the article

A FusionAuth tenant is simply a namespace where Applications, Groups, and Users exist

Another article that might be of interest is below:
https://fusionauth.io/blog/2020/06/30/private-labeling-with-multi-tenant

These articles should help you understand the concept of tenants as it applies to FusionAuth.

I hope this helps!

Thanks,
Josh

Hi @mehamm!

All applications are associated with one and only one tenant.

You may find some answers to your questions around multi-tenancy here:

https://fusionauth.io/blog/2018/09/24/multi-tenancy-in-a-single-tenant-architecture

I will also excerpt from the article

A FusionAuth tenant is simply a namespace where Applications, Groups, and Users exist

Another article that might be of interest is below:
https://fusionauth.io/blog/2020/06/30/private-labeling-with-multi-tenant

These articles should help you understand the concept of tenants as it applies to FusionAuth.

I hope this helps!

Thanks,
Josh

@mehamm,

It sounds like you are on the right track. A few comments:

• The Web API should not persist the access token, but the web app definitely can (often in a session). The web app can then present the access token until it expires, in which case the web app can renew the access token with the refresh token.

• "Web API verifies token against FusionAuth (my app) endpoint" -> You can also verify the claims were signed by FusionAuth without calling the introspect endpoint by using a JWT library.

• "Web API pulls user claims from token for role(s) and tenant, if verified returns data back to web app." -> Makes sense. Make sure to check the "aud" and "iss" claims to ensure they are what you expect. You should do this even if you are using the introspect endpoint.
• The correct tenant can be found from the client_id, since all applications are associated with one and only one tenant.
  If you have any specific issues, please feel free to post them in the forum (a new topic might be best).

By the way, if you are running in FusionAuth in production at scale, we encourage you to get a support contract . Having one allows access to the engineering team via opening support tickets. https://fusionauth.io/pricing/. Obviously, this is not a requirement, but should your business needs require a higher support level, it is available

I hope this helps!

Both the API and the UI can pull User Data.

---

Via API

Docs are here:

• https://fusionauth.io/docs/v1/tech/apis/users/#search-for-users
• https://fusionauth.io/docs/v1/tech/apis/users/#elasticsearch-search-engine

---

Via UI

The functionality is nested under the user tab on the upper left nav.

• From there click on the advanced button.
• From there you can enter your query in the search bar.
• Note: If you want to see how the query is constructed, there is also a toggle - Show Elasticsearch Query
• https://fusionauth.io/docs/v1/tech/core-concepts/users/#user-search can guide you through a simple user query.

How do I query a bunch of Users and their associated data? Is it better to use the API or the UI?

@joseantonio

Perfect! I would think that setting up HA might be a solution for you, but if your application does not require high availability, then it may be a misuse of financials (but don't let me talk you out of it - it is a powerful offering!). I am assuming that the custom URL/domain (ie - from deployment.fusionauth.io -> login.mydomain.com) is the functionality you seek from HA?

Regarding Cloudflare, I have used it for personal hosting projects but have not yet written my own cookies using it. My assumption would be that you would want to design your own cookie based on the cloudflare domain and use that to coordinate SSO in your applications across domains.

Let me know your thoughts and I can see if I have any other suggestions for you.

Thanks,
Josh

Hi Sebastian,

I did discuss this further with the Development Team. The documentation is in the process of updating, but managed domains are not required in regards to reconciling an external JWT.

In other words, if you want to integrate your Azure AD JWT token with FusionAuth, the JWT can be issued by different domains and still integrate just fine through the API.

Some reading that might be useful:

• https://fusionauth.io/docs/v1/tech/apis/jwt/#reconcile-a-jwt
• https://fusionauth.io/docs/v1/tech/identity-providers/external-jwt/example/
• https://fusionauth.io/docs/v1/tech/identity-providers/external-jwt/

I hope this helps!

Thanks,
Josh

@orrett,

Also, there is a policy for deleting registrations that are not verified. See application > registration

If you have this enabled, it may be the source of your troubles as well.

Thanks,
Josh

Hi @orrett !

Thanks for the question!

Hmmm, this is a tricky one to diagnose without more information. Are you getting any errors or flags that are showing up in your logs? Is your ElasticSearch node/cluster healthy? Are your database and FusionAuth-app sized appropriately?

The red herring may be in the cyclical nature of the failures; tracking that down might be the hard part. But we can give it a shot!

Thanks,
Josh

Hi Sebastian,

I am not very familiar with how Azure issues a JWT bearer token, but I will try and offer you some insights.

I am assuming you are referencing the documentation here?
https://fusionauth.io/docs/v1/tech/identity-providers/external-jwt/#managed-domains

The closest I can currently think of your use case is SSO, but cross domains may give you headaches.
https://fusionauth.io/blog/2021/02/09/single-sign-on-sso-with-fusionauth

Another option could be to write a custom cookie and use a proxy server to orchestrate across different domains, but the implementation can get a bit tricky.

I will let you know if I can see any other potential paths for you.

Thanks,
Josh

There is an option to adjust the number of claims on the token through the jwt populate lambda.

Documentation here

Let me know if that gets at what you looking for!

Thanks,
Josh