Hey Dan. My plan is to try to log a user on with their email as the key. If that fails (like it will if they have not registered).

$request = array(); $request["applicationId"] = $_SESSION['applicationID_admin_register_login']; $request["user"]["data"]["admin_email"] = $email; $request["user"]["data"]["email"] = $request["user"]["email"] = $email; $requestJ = json_encode($request); //convert the array into json $result = $_SESSION['client']->updateUser($id, $requestJ); //if $result is that user was not found then ask if they want to register? if (!$result->wasSuccessful()) { log_message('error', $result); }

Now, I don't want to updateUser() since I am not even sure if the user exists. What function should I use to easily see if they are already registered?

@adam glad you were able to find a workaround.

I am assuming this won't be an issue in production as the SAML callback will be HTTPS -> HTTPS and not HTTPS -> HTTP.

I'm not sure, would need to set up a test environment. If you have a support contract, feel free to open a support ticket for us to do more investigation.

You could also set up a local proxy to have fusionauth be served over HTTPS (examples here) or you could use ngrok or something similar for your testing.

You cannot share FusionAuth applications between tenants, unfortunately. They are a tenant scoped object.

If you want to sync application settings across tenants, you can use a client library or the API to script changes.

Hope that helps!

{
"aud": "2bea5435-ada0-44cd-a2f2-4935d631d6d8",
"exp": 1612886886,
"iat": 1612883286,
"iss": "acme .com",
"sub": "fdfec11f-6da1-4f7f-8b0f-10aa38c588ed",
"jti": "de6f586b-179a-4b15-9058-b5a2479fe5e6",
"authenticationType": "PASSWORD",
"email": "konstantin.dzekov@example.com",
"email_verified": true,
"applicationId": "2bea5435-ada0-44cd-a2f2-4935d631d6d8",
"roles": [
"admin"
]
}

You have a few options.

Limit Query One option is to find a way to limit your search by logical increments. For example, if you are searching on users you may consider obtaining and appending results by first name in a loop.

As an example:

for (letter in [a...z]) { query + " AND user email starts with $letter" // do work } Use Version > 1.24.0 when pulling something like users

https://fusionauth.io/docs/v1/tech/apis/users/#request-parameters-12

Request Parameters accurateTotal [Boolean] OPTIONAL Defaults to false AVAILABLE SINCE 1.24.0 Set this value equal to true to receive an accurate hit count on the API response. By default the search engine will limit the hit count to 10,000 users. This means that even if your query may match more than 10,000 users, the returned total count will be 10,000. This is adequate for many use cases such as pagination and general purpose queries. If you are looking for an accurate user count that can exceed 10,000 matches, you will want to set this value equal to true.

Hi Sebastian,

I did discuss this further with the Development Team. The documentation is in the process of updating, but managed domains are not required in regards to reconciling an external JWT.

In other words, if you want to integrate your Azure AD JWT token with FusionAuth, the JWT can be issued by different domains and still integrate just fine through the API.

Some reading that might be useful:

https://fusionauth.io/docs/v1/tech/apis/jwt/#reconcile-a-jwt https://fusionauth.io/docs/v1/tech/identity-providers/external-jwt/example/ https://fusionauth.io/docs/v1/tech/identity-providers/external-jwt/

I hope this helps!

Thanks,
Josh

Hi!

I've made an additional investigation and found out that for some reason Fusionauth instances deployed in my k8s cluster don't utilize all CPUs available on the nodes. There are 6 nodes with 12 CPUs each, but a single Fusionauth instance hardly ever utilized even 1 CPU.

I've tried to scale horizontally, deploying 50, 60, 75 and more Fusionauth's instances and got much better result during my load testing, up to 250 logins per second (each login - two requests - /oauth2/authorize and /oauth2/token).

I wonder why this could happen and and if there are there any settings for Fusionath or Java or k8s that could help to solve the issue?

Thanks!

There is an option to adjust the number of claims on the token through the jwt populate lambda.

Documentation here

Let me know if that gets at what you looking for!

Thanks,
Josh

Yes it does. I pretty much had come to the conclusion that I need to build my own login form, and you confirmed that. And have it submit to my code which will then start passwordless via the API.

Understood. If you would like to file an issue detailing the behavior you've outlined here, we welcome community feedback and work it into our eng team roadmap. You can file the issue here, please feel free to reference this forum post.

Hi @bogorad,

Thanks for the screenshots and feedback!

The error you are getting seems to be from a malformed link. You are going to want to make sure your links have a redirect URI. It is possible that you have broken your links when trying to clean/trim up the login page. You can view your links by clicking as below on the applications tab (your links may be different):

6EFFAFAE-57D5-446A-8DCF-E0BAC2BDB8A0.png

My additional recommendations would be:

Slowly comment out the FreeMarker templates with a <!-- or a [#-- and test drive your code until you get the result that you would like.

A good workflow for this is to have your FusionAuth Freemarker editor open on one half of your screen and then have the FusionAuth preview editor open on another. This will allow you to quickly iterate to get the look that you desire 👍
CE8CD041-E050-4895-8C76-BE3E1DB6D693_1_105_c.jpeg

Another thing to remember, as mentioned in our theme documentation, the --or-- text block you are looking to remove (and other templating macros and variables) are stored in the helpers section of the FusionAuth Freemarker editor.
CEAF8545-4C58-46A2-BC18-CAC7633A7F22.png
The tooltips can also provide you navigation assistance while you are attempting to build your template/page.

Finally, for Freemarker, there are a lot of resources on the web on how to use it (not sure if you are new to it, there can be a learning curve). I would suggest a google search for available tutorials to get your feet wet.

I hope this helps!

Thanks,
Josh

Hi @developer , welcome to the FusionAuth community!

Did you get this resolved?

What version of FusionAuth are you running? Version 1.25 has extended SMTP debugging and would be worth upgrading to.

The error messages you shared indicate that the authentication failed; were you able to send email using the same credentials outside of FusionAuth?

Drupal7 har the following format for the users

I didn't see the format, but here's the users API docs and the registrations API docs. You can use user.data and registration.data for arbitrary JSON data, so that's a good place to drop anything that doesn't fit into the FusionAuth data model.

Drupal 7 users sha512.

That is not supported by default with FusionAuth (here's the list of supported hashing schemes), but there are quite a few supported community contributed schemes including for SHA-512. You can install that plugin in FusionAuth as documented here.

Sure, store the access token in a secure cookie.

We don't have any examples of that with Angular, but here's a diagram of the flow: https://fusionauth.io/learn/expert-advice/authentication/spa/oauth-authorization-code-grant-jwts-refresh-tokens-cookies/

You'll still have to have some kind of backend because server side code is required to exchange the authorization code for the access token, as above. But you can then have the JWT be stored as a cookie and sent to APIs without further interaction with the backend server.

The alternative is to use the implicit grant, documented here: https://fusionauth.io/docs/v1/tech/oauth/overview#example-implicit-grant

But we strongly advise against that since it exposes your access tokens to XSS attacks.