@fred-fred said in Custom theme deployment between environments:

It looks like we can transport with the API using Theme Update Endpoints and sharing environment API keys so one environment can see the next environment to copy the themes over.

Yes, that's what I'd recommend. You could have different API keys for each environment and have the script that promotes the theme pull the API key from a secrets store. Make sure you limit the API key to the themes endpoint.

You also might be interested in this post: https://fusionauth.io/community/forum/topic/1306/parameterizing-themes which indicates how you can have the same theme files point to different resources in staging/prod/dev/etc.

@omryc3 Have you tested the authentication tokens and seeing if the password policy applies to them? I'm not sure myself, but it should be an easy test to run.

It is not possible to have different password rules apply to users in the same tenant, since they are tenant level policies and apply to every user within a tenant.

You could have the users that you want to have no password expiration use OIDC to login against a third party server. (And that server could be a different FusionAuth instance.)

@markus-wild

Hmmm. A few more details would be helpful. Are you using the basic self service registration form? And the mobilePhoneNumber field? Or is it some other field that you are using?

What is the exception you are seeing? Where does it show up? What does the end user see?

Also, what version of FusionAuth are you using?

Thanks!

@maciej-wisniowski Thanks for your help. I was able to connect but had some trouble from then on. I will create an issue on github and see if official support can be added.

Is there a recommended way of running fusion auth on a clustered database?

@fred-fred

Hiya,

In addition to what @maciej-wisniowski suggested, if you have a paid license you can now have application specific themes (one theme per application; if no application theme is specified, it defaults to the tenant).

You can see how that works in the sandbox environment (sandbox.fusionauth.io). I believe that feature landed in 1.27.0.

You can buy a licensed edition here.

@engineering-0 Try this:

users = [] for user in User.objects.all(): user_data = {} ... encryption_scheme = "salted-pbkdf2-hmac-sha256" algorithm, iterations, salt, password_hash = user.password.split('$') salt = base64.b64encode(salt.encode('utf-8')).decode('utf-8') user_data['password'] = password_hash user_data['encryptionScheme'] = encryption_scheme user_data['factor'] = int(iterations) user_data['salt'] = salt users.append(user_data)

@trashmi13

Hiya. You can validate this token using any JWT library, as Id Tokens are valid JSON Web Tokens.

I'm not sure what language you are using, but here's an example for java using the fusionauth-jwt library:

List<JSONWebKey> keys = JSONWebKeySetHelper.retrieveKeysFromJWKS("https://www.googleapis.com/oauth2/v3/certs"); Map<String, Verifier> publicKeyVerifiers = new HashMap<String,Verifier>(); for (JSONWebKey key : keys) { String publicKey = key.x5c.get(0); Verifier verifier = RSAVerifier.newVerifier(publicKey); // assuming all keys are RSA. You could switch on type as well. String kid = key.kid; publicKeyVerifiers.put(kid, verifier); } // Verify and decode the encoded string JWT to a rich object JWT jwt2 = JWT.getDecoder().decode(encodedJWT, publicKeyVerifiers); // make sure the aud and issuer are as expected if (jwt2.audience.equals("gge44ab3-027f-47c5-bb07-8dd8ab37a2d3") && jwt2.issuer.equals("www.acme.com") && (jwt.expiration.toEpochSecond() > (System.currentTimeMillis()/1000) )) { // valid id token }

Hope this helps.

@joshua I think I've found the pattern to reproduce this issue.
Basically, it fails if the user I want to reset the password for is not registered in the application whose client_id is used during password reset flow. It works for the application where the user has a valid registration.

To reproduce:

Create new tenant: Tenant1 Create two Applications for Tenant1: application1 and application2 using https://example.com as redirect_uri Create user: user1 for Tenant1 Create registration for user1 in application1 Open the authorize URL for application2 like:
https://<FUSIONAUTH_URL>/oauth2/authorize?client_id=<CLIENT_ID_OF_APPLICATION2>&scope=openid%20offline_access&response_type=code&redirect_uri=https%3A%2F%2Fexample.com&tenantId=<TENANT_ID> Click Forgot your password Check you e-mail and click the password reset link Try to change the password
It should fail at this point.

You can now check the same for application1 (with the user registration) to see if it works.

I'm very curious if you can reproduce this too.

Seems like a bug, filed an issue: https://github.com/FusionAuth/fusionauth-issues/issues/1503

@matt-1

I will let my colleagues and community teammates chime in, having not written an Azure integration into FusionAuth as of yet. However, here is my two cents:

If FusionAuth is the source of record, you will want to review the documentation that Azure AD provides and see if you can call into FusionAuth via OAuth2 or SAML or JWT from them.

Googling azure storage blob authentication via jwt token returns many promising possibilities that look relevant.

Another wrinkle is that you are likely asking for a permissions-based model below:

Azure Storage Blog (or some intermediary) authenticates backs to FusionAuth to check whether the user is authorized for the piece of content or not.

This might require you to handroll your own solution or explore others that are prebuilt. Roles and groups are one area in FusionAuth that you could use to assign some level of access to your users. With some integration code, you could help your application determine what storage they should have access to.

https://fusionauth.io/docs/v1/tech/apis/groups/ https://fusionauth.io/docs/v1/tech/core-concepts/roles/#overview

I hope this helps and will post back if anything additional occurs to me.

Thanks
Josh

@erick

Apologies for the delay. I was not able to test the andriod portion of this very well on my Mac. Is this still an open issue for you?

Thanks,
Josh

@classbazaarco

What are you seeing in the event and error logs for FusionAuth?

https://fusionauth.io/docs/v1/tech/troubleshooting/#logs

Also, linking some additional doc here - https://fusionauth.io/docs/v1/tech/guides/silent-mode/#overview

Thanks,
Josh

Hi @ravikiran-sattigeri,

All applications can be retrieved via this API -

https://fusionauth.io/docs/v1/tech/apis/applications/#retrieve-an-application

The roles should be attached to the returned object under a roles array.

If you could provide some additional context around what you are attempting to accomplish, we may be able to provide additional feedback.

If you have a support contract, please file a ticket via your Zendesk or Slack channels for additional questions. Thanks!

Thanks,
Josh
FusionAuth