Is there a way to update user data in the UI?

I'd like to update the user data object in the UI. I know I can do it via the API: https://fusionauth.io/docs/v1/tech/apis/users

https://fusionauth.io/blog/2021/04/01/fusionauth-introduces-simplepass/

I have a quick question about FusionAuth and configuring the inactivity timeout of the session cookie it creates. Specifically... Is it possible?

There's now an open source terraform provider available: https://github.com/gpsinsight/terraform-provider-fusionauth

It's also on the registry: https://registry.terraform.io/providers/gpsinsight/fusionauth/latest

Can you run FusionAuth in Kubernetes?

Is modifying the JWT via a lambda equivalent to accessing the verified property of the user profile?

Within a lambda, you have access to the user and registration properties. So you'd pull the verified property from wherever you wanted and put it into the JWT as a custom claim. Here's a blog post about how that might work.

So yes, it is the same data. It's the tradeoff between a bigger JWT and having to make the additional call from your API.

Don't forget that the JWT will live for a while, so if this sequence happens and you use the JWT, you might have a user with a verified email prevented from using the API.

1. user registers
2. JWT issued, with verified set to false because the user isn't verified.
3. User verifies their email
4. User visits API, but is denied because the JWT has stale data.

I don't know timelines and how long your JWTs live for, but this is something to consider. Does that answer your question?

Symmetric keys are not returned on the JWKS endpoint, as they don't have a public key. Per the docs this api:

returns public keys generated by FusionAuth, used to cryptographically verify JWTs using the JSON Web Key format

If you create an RSA or EC key which is an asymmetric key pair - the public key will be returned on the JWKS endpoint. If you don’t have any key pairs configured , it will be empty. Out of the box, you’ll only have one HMAC key which we don’t publish in JWKS.

Ah, I just tested this out and if you don't need it in the JWT, you should be able to see it in the registrations object returned after login.

Here's a response I get after logging in:

{
  "token": "ey...",
  "user": {
    "active": true,
    "connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
    "email": "email@example.com",
    "id": "2df13f18-01cc-48a4-b97a-2ab04f98d006",
    "insertInstant": 1592857899119,
    "lastLoginInstant": 1596819645662,
    "lastUpdateInstant": 0,
    "passwordChangeRequired": false,
    "passwordLastUpdateInstant": 1592857899145,
    "registrations": [
      {
        "applicationId": "78bd26e9-51de-4af8-baf4-914ea5825355",
        "id": "73d2317b-d196-4315-aba2-3c205ed3ccae",
        "insertInstant": 1592857899151,
        "lastLoginInstant": 1592857899153,
        "lastUpdateInstant": 1596813810104,
        "roles": [
          "Role1"
        ],
        "usernameStatus": "ACTIVE",
        "verified": true
      }
    ],
    "tenantId": "1de156c2-2daa-a285-0c59-b52f9106d4e4",
    "twoFactorDelivery": "None",
    "twoFactorEnabled": false,
    "usernameStatus": "ACTIVE",
    "verified": true
  }
}

So user.applicationId.roles is what you want. Note that roles are applied on an application by application basis. If a user is in a group which has a role 'roleA' which is created in 'applicationA', but is not registered for 'applicationA', they won't receive that role. More on that here: https://fusionauth.io/docs/v1/tech/core-concepts/groups

OK, we just released 1.18.8 and that is the version you want to use:

In requirements.txt:

fusionauth-client==1.18.8

And then this is the call you want to make (with client_id before redirect_uri) :

 resp = client.exchange_o_auth_code_for_access_token(request.args.get("code"), client_id, "http://localhost:5000/oauth-callback", client_secret)

Hiya,

First off, we'd recommend having all the flow you outline be over TLS. That's good enough for most major ecommerce systems and so shouldn't be insecure. If you aren't serving your application over TLS, then I'd advise doing so. And note that the flow is actually:

My Frontend --> My Backend --> FusionAuth API

There's no password returned from the registration API call.

If you are concerned about a new user's password being insecurely transmitted through your application, you could use the FusionAuth hosted login pages and theme them to be like your application. (More docs.)

The other option, which takes encrypted passwords, is the Import Users API, but that's probably not a fit for one off registrations. There are no plans to accept encrypted passwords for one off user registrations. Here's a related issue you can weigh in on/vote up if you'd like. Or feel free to open a new issue if that one doesn't capture the essence of your idea.

Are there specific security concerns you have around your front end/back end systems that I might be missing?

FYI, this was fixed in 1.60.0, per the release notes.

In version 1.59.0 the password is now optional when creating or updating a user.

When returning from a third-party login, a user may be prompted to complete registration by entering a password when self-service is enabled and is configured to require a password.

This was unintended and has been corrected.

https://fusionauth.io/docs/release-notes/

Tracking issue: https://github.com/FusionAuth/fusionauth-issues/issues/3159

Yes.

A few options. Let's assume you have a FusionAuth instance hosted in your cloud (the cloud instance) and that you'll be running an instance on the cruise ship (the cruise ship instance). The cloud instance contains all user data. The cruise ship instance is going to be set up fresh for each cruise, with a copy of data from the cloud instance. It'll contain just the users on the cruise ship, and applications on the cruise ship will be set up to authenticate against it.

Overview Table

Option	Use When	Notes	Works With FusionAuth Cloud
Use The Cloud Instance	You have connectivity. Included for completeness.		Yes
Cruise Ship FusionAuth With QR Codes	You only want to let the user modify their profile, are okay with the risk of the QR code being stolen and the user being impersonated.	Need to use the API/SDKs to fully implement.	Yes
Cruise Ship FusionAuth With Existing Passwords	You want the cruise ship instance to be the source of truth for users on the ship.		No
Cruise Ship FusionAuth With Existing Passwords And Changes Allowed to Cloud FusionAuth	If accounts of cruise ship users need to be modifiable by people on the cruise ship and on land.	Requires careful profile and credential merge logic.	No

Use The Cloud Instance

Use the cloud FusionAuth instance for all requests. This is the simplest solution, though it may be costly or lead to degraded functionality.

This is mentioned for completeness, but doesn't really address the core issue of missing or intermittent internet connectivity.

Cruise Ship FusionAuth With QR Codes

Here you are migrating the source of truth for these users to the cruise ship instance, excluding passwords, and then syncing the profile data back.

The main reason to choose this option is because it works with a FusionAuth Cloud hosted cloud instance, where you do not have access to the password hashes.

Steps:

1. Copy user profile data to the cruise ship instance using the User API.
2. Create a QR code that is associated with each user and add it to the ticket (or provide it separately). The user can then log in by scanning their phone.
3. The QR code should include the user's login Id. Implement using the passwordless API, starting the passwordless login with the users id, and completing the login by catching the code and using the complete login API call.
4. Mark the accounts as 'on-cruise' in the user.data field. By doing this, you can clearly differentiate between the users on the cruise and anyone else in your CIAM system. This makes it easier to merge their profile data after the cruise.
5. Set up a webhook to disable any updates to these user accounts in the cloud FusionAuth instance while on the cruise. You can do this by setting up a transactional webhook on user.update that fails when the user being updated has the 'on-cruise' attribute set.
6. When on the ship, users can log in with these credentials and access applications, as well as update their profiles.
7. After the cruise is done, compare the profile update timestamps for all users in the cruise instance with the same account on the cloud instance.
8. If the update timestamps do not match, update the cloud instance with the new profile data. Do not move the password hashes.
9. Remove the 'on-cruise' attribute from users in the cloud instance.

Security Warning: This is a security risk! Understand the security model of an account takeover in the cruise ship instance. If anyone else scans the QR code, they can get access to the user's account.

The benefit is simple merging of data. You also don't need access to the database of the cloud instance, because all the data you are merging is available via the API.

After successfully pushing the data to the cloud server, wipe the cruise ship FusionAuth instance.

Cruise Ship FusionAuth With Existing Passwords

Here you are migrating the source of truth for these users to the cruise ship instance, including passwords, and then syncing them back.

Steps:

1. Build an import script by reading the password hashes and other password data from the cloud instance for the users who are going on the cruise.
   • This requires direct database access to the cloud instance.
2. Import the users using the Import API to the cruise ship instance.
3. Mark the accounts as 'on-cruise' in the user.data field.
   • By doing this, you can clearly differentiate between the users on the cruise and anyone else in your CIAM system. This makes it easier to merge their profile and credential data after the cruise.
4. Set up a webhook to disable any updates to these user accounts in the cloud FusionAuth instance while on the cruise. Do this by setting up a transactional webhook on user.update that fails when the user being updated has the 'on-cruise' attribute set.
5. When on the ship, users can log in with their normal credentials and access applications, as well as update their profiles and password.
6. After the cruise is done, compare the update timestamps for all users in the cruise instance with the same account on the cloud instance.
7. If the update timestamps do not match, build an import file with the profile data and updated credentials.
8. Read the credentials from the cruise ship instance database.
9. Remove the 'on-cruise' attribute from users in the cloud instance.
10. Delete the users' accounts in the cloud instance and import the user data from the cruise ship generated file.

The benefit is simple merging back to the cloud instance, because only one instance accepts changes at a time. A user is either managed by the cloud instance or by the cruise ship instance.

Automated account recovery won't work, so plan to allow staff to reset passwords if needed.

After successfully pushing the data to the cloud server, wipe the cruise ship FusionAuth instance.

Cruise Ship FusionAuth With Existing Passwords And Changes Allowed to Cloud FusionAuth

Here you are migrating these users to the cruise ship instance, including passwords, and then merging them back.

Steps:

1. Build an import script by reading the password hashes and other password data from the cloud instance for the users who are going on the cruise.
   • This requires direct database access to the cloud instance.
2. Import the users using the Import API to the cruise ship instance.
3. Mark the accounts as 'on-cruise' in the user.data field so that we'll know which users to merge.
4. When on the ship, users can log in with their normal credentials and access applications, as well as update their profiles and password. The same accounts can be updated in the cloud instance by users or automated processes on land.
5. After the cruise is done, compare the update timestamps for all users in the cruise instance with the same account on the cloud instance.
6. If the update timestamps do not match, build an import file with the profile data and updated credentials. For the latter, you'll need to read from the cruise ship database.
7. Prepare to merge the data from the cruise ship and cloud instances.
8. Read all accounts with the 'on-cruise' from the cloud instance with an update date later than the start of the cruise.
9. Find all the users on the cruise ships with an update date later than the start of the cruise.
10. For each account, see what changes were made:
    • If a cloud instance did not change and the cruise ship instance did not change, remove the 'on-cruise' data marker and do nothing else.
    • If a cloud instance changed and the cruise ship instance did not, remove the 'on-cruise' data marker and do nothing else.
    • If a cruise ship instance changed and the cloud instance did not, prepare an import entry from the cruise ship instance for this user. Delete the cloud instance account and then import the cruise ship instance account.
    • If a cruise ship instance changed and the cloud instance did as well, prepare an import entry from the merged cruise ship and cloud instances. How you do this is business dependent. There may be user profile data that should be merged, and other data that might belong to either the cruise ship instance or cloud instance. The most recent password, wherever it lives, is the one that you should use for the import.
11. When the merge is complete, write an import entry to a file. Remove the 'on-cruise' attribute at the same time.
12. When all accounts have been merged successfully, delete the cloud instance account and then import the merged account.

Automated account recovery won't work, so plan to allow staff to reset passwords if needed.

After successfully pushing the data to the cloud server, wipe the cruise ship FusionAuth instance.

Other Considerations

• If you are only allowing the user to change their profile data, you can move data without accessing the database. If users can change their passwords, you have to have access to the database to re-import them. (Or you can force a password reset.) The same applies to other secrets such as passkeys or TOTP secrets.

• Options 1 and 2 work with FusionAuth Cloud hosted servers, but the other options do not because you don't have access to the database with FusionAuth Cloud.

• If you allow a user to register on the cruise ship server, you will have to check for merge conflicts. If someone registered on the cruise ship, it is possible someone could have done the same on the cloud instance during the time of the cruise. Since you know all the cruise ship users, you can alternatively create accounts for everyone and disallow on ship registration.

• When reading the password hashes, make sure you consult the schema for your version of FusionAuth, because the location of password hashes may change over time.

• Account recovery is not available on the cruise ship, so make sure staff understands how to reset a user's password directly via the admin UI.

• What is outlined above takes the final state of the user from the cruise ship and propagates it back the cloud instance. If you need to keep track of changes to the user on the cruise ship instance and replay them in order, use the webhook and event log to capture the events locally. Then replay them when the cruise ship docks using kafka.

Can I use FusionAuth in a distributed fashion when the internet is non-existent or intermittent? Like if I have a cruise ship, can I copy user data on to it to let them log into apps and possibly change profile or credentials and somehow get that back to a server on the mainland?

We have an open issue to make passkeys one of the supported MFA methods.

But you can perform a step up passkey challenge using the APIs or the SDKs by doing the following:

• User tries to access a restricted resource
• Customer app sees if the user has already been granted access (via the presence of a cookie, or some other mechanism).
  • If they have, let them through.
• If the user hasn’t been granted access, perform a webauthn assertion workflow
• Call the /api/webauthn/start to get the workflow started
• Interact with the authenticator to produce the signature and whatever other information is needed. This is authenticator-specific.
• Call the /api/webauthn/assert to complete the workflow and prove possession of the authenticator
• If the workflow is successful
  • Write a cookie or whatever if you want to remember this permission
  • Let the user through
• If the workflow isn’t successful
  • Deny access

If someone doesn't have a passkey enabled, which you can check by calling the /api/webauthn?userId={userId} API, direct them to the self-service account management passkey management pages.

Here are the API docs for the webauthn API.

Can I do a step up authentication with WebAuthn/passkeys? I want to build this into my app for protecting some sensitive data.

As of 1.59.0 this is possible but it is slightly unintuitive how to do it. It’s entirely driven by the form being used. Here's how to do it:

• create a new user admin form: https://fusionauth.io/docs/lifecycle/manage-users/admin-forms
• make sure you omit the 'password' field from the form
• assign the form to your tenant
• create a new user

You can also create a user directly via the API with no password.

This functionality is now present in FusionAuth as of 1.59.0.

https://github.com/FusionAuth/fusionauth-issues/issues/484 is the tracking issue.

Yes, I believe so.

It appears that connecting MitID to an application (also called an SP) requires utilizing an approved broker. A broker is essentially an OIDC connector.

Here is a list of official brokers: https://www.mitid.dk/en-gb/broker/current-brokers/.

We haven’t tested this, but based on reviewing Signicat’s OIDC documentation, the process seems fairly straightforward. They are one of the MitID brokers.

Does FusionAuth support MitID which is a national digital id for Denmark?

You can create two values for the FusionAuth url:

internalFusionAuthURL="http://fusionauth:9011"
externalFusionAuthURL="http://localhost:9011"

So basically whenever you are sending the redirect to the browser (pretty much just the authorize and logout URLs) you use externalFusionAuthURL which references localhost.

When you are communicating with FusionAuth from the application backend (the express app) you use the internalFusionAuthURL which references the docker domain name.

I tested that out and it seems to work fine.

Give that a try.