FusionAuth
    • [How?] Laravel native Auth with FusionAuth
      Tags: laravel php sso oauth • Posted by chirag • 0 Votes • 3 Posts • 4.0k Views

      Reply from dan:

      @chirag have you seen these? https://fusionauth.io/learn/expert-advice/authentication/login-authentication-workflows/

      Reviewing them and mapping your use case on to them may be helpful.

    • Prepopulate the email address?
      Tags: email address populate login • Posted by dan • 0 Votes • 3 Posts • 1.2k Views

      Reply from dan:

      Yes. See the login_hint parameter here: https://fusionauth.io/docs/v1/tech/oauth/endpoints/#authorize

    • Spring Boot OAuth2 resource server JWT encoder
      Posted by dan • 0 Votes • 2 Posts • 4.3k Views

      Reply from dan:

      The JwtDecoders.fromIssuerLocation will attempt to resolve the jwks_uri from the OpenID Connect discovery document found using the issuer URI.

      https://github.com/spring-projects/spring-security/blob/848bd448374156020210c329b886fca010a5f710/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtDecoders.java#L119

      The FusionAuth JSON Web Key Set (JWKS) only publishes the public key from asymmetric key pairs. This means there are no public keys published and the Spring Boot library cannot verify the token signature.

      For example, if your issuerUri is https://example.com then the OpenID Discovery URL is https://example.com/.well-known/openid-configuration and the value for jwks_uri found in the JSON response from that URL will be https://example.com/.well-known/jwks.json. If you hit that URL you will see no public keys are being returned; this is the JSON that the library is consuming in an attempt to build the public key necessary to validate the JWT signature.

      To use this strategy, you'll need to configure FusionAuth to sign the JWT using an RSA or ECDSA key pair instead of the default HMAC key, which is symmetric.

      Generate a new RSA or ECDSA key pair in Key Master (Settings > Key Master) and then ensure your JWT signing configuration uses that key. The primary JWT signing configuration will be found in the tenant, with optional application level overrides.

      https://fusionauth.io/docs/v1/tech/core-concepts/tenants/#jwt
      https://fusionauth.io/docs/v1/tech/core-concepts/applications/#jwt
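      The failure described in the reply above, as an added example (not FusionAuth or Spring Security code). It decodes a JWT header and checks it against a JWKS the way a discovery-based decoder must: a token signed with the default HMAC key has no entry in the JWKS because only the public halves of asymmetric pairs are published, so no resource server resolving keys from jwks_uri can verify it. The discovery document, JWKS entries and tokens are constructed inline; the RSA key material is a placeholder, and no signature is actually checked.

```python
"""Check whether a JWT could be verified from an issuer's published JWKS.

Added example, not FusionAuth or Spring Security code. All documents and
tokens below are constructed; the RSA "n"/"e" values are placeholders.
"""
import base64
import json

# Constructed discovery document, shaped like the real one. A tenant signing
# with the default HMAC key publishes a JWKS whose "keys" array is empty.
DISCOVERY_HMAC = {
    "issuer": "https://example.com",
    "jwks_uri": "https://example.com/.well-known/jwks.json",
}
JWKS_HMAC = {"keys": []}

# Same issuer after switching the signing key to an RSA pair in Key Master
# (assumed kid; placeholder modulus).
JWKS_RSA = {
    "keys": [
        {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "key-2023-rsa",
         "n": "placeholder-modulus", "e": "AQAB"}
    ]
}


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_token(header: dict, claims: dict) -> str:
    """Build a JWT with a dummy signature; only the header matters here."""
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"\x00" * 32),
    ])


def jwt_header(token: str) -> dict:
    """Decode the JOSE header (first segment) of a compact JWT."""
    return json.loads(_b64url_decode(token.split(".")[0]))


def diagnose(token: str, jwks: dict) -> str:
    """Say whether a JWKS-based decoder could find a key for this token.

    Mirrors the lookup JwtDecoders.fromIssuerLocation needs (kid/alg match);
    it does not perform the signature check itself.
    """
    header = jwt_header(token)
    alg = header.get("alg", "")
    kid = header.get("kid")
    if alg.startswith("HS"):
        return ("unverifiable: token is HMAC-signed (%s); the shared secret is "
                "never published in a JWKS, so switch the signing key to RSA/ECDSA" % alg)
    if not jwks.get("keys"):
        return "unverifiable: JWKS publishes no keys"
    for key in jwks["keys"]:
        if kid is not None and key.get("kid") != kid:
            continue
        if key.get("alg") in (None, alg):
            return "verifiable: matching key %s for alg %s" % (key.get("kid"), alg)
    return "unverifiable: no JWKS key matches kid=%s alg=%s" % (kid, alg)


if __name__ == "__main__":
    hs = make_unsigned_token({"alg": "HS256", "typ": "JWT", "kid": "hmac-default"}, {"sub": "u1"})
    rs = make_unsigned_token({"alg": "RS256", "typ": "JWT", "kid": "key-2023-rsa"}, {"sub": "u1"})
    print(DISCOVERY_HMAC["jwks_uri"])
    print(diagnose(hs, JWKS_HMAC))
    print(diagnose(rs, JWKS_HMAC))
    print(diagnose(rs, JWKS_RSA))
```

      The same check is worth running against a real deployment: fetch jwks_uri from the discovery document and confirm the kid in your tokens' headers appears in it before blaming the resource server library.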

    • FusionAuth stops randomly, but nothing in the log
      Posted by dan • 0 Votes • 2 Posts • 583 Views

      Reply from dan:

      You could take a look at the system log. If the OOM killer ended a process due to memory constraints it will be logged there.

      You might see lines like:

      Dec 30 12:00:38 vps kernel: Out of memory: Kill process 30047 (java) score 98 or sacrifice child

      The OOM killer will begin killing services once the kernel runs out of memory. The solution will be to allocate less memory to FusionAuth or to increase the amount of RAM available to the host OS. You can do the former with the fusionauth-app.memory setting. See the configuration reference for more details.
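      The check described above, as an added example that is not part of the original post: a small scanner that pulls OOM-killer kill records out of syslog text so you can confirm the host, not FusionAuth, ended the JVM before you touch fusionauth-app.memory. The log excerpt is constructed (hostname, PIDs and the extra lines around the quoted one are made up); it also accepts the newer "Killed process" wording, which omits the score.

```python
"""Find OOM-killer kills in syslog text. Added example, not FusionAuth code."""
import re

# Constructed syslog excerpt modelled on the line quoted in the reply.
SYSLOG_SAMPLE = """\
Dec 30 11:58:02 vps systemd[1]: Started FusionAuth App.
Dec 30 12:00:38 vps kernel: java invoked oom-killer: gfp_mask=0x24201ca, order=0, oom_score_adj=0
Dec 30 12:00:38 vps kernel: Out of memory: Kill process 30047 (java) score 98 or sacrifice child
Dec 30 12:00:38 vps kernel: Killed process 30047 (java) total-vm:4568800kB, anon-rss:1893000kB, file-rss:0kB
Dec 30 12:00:40 vps systemd[1]: fusionauth-app.service: Main process exited, code=killed, status=9/KILL
Dec 30 12:05:11 vps kernel: Out of memory: Kill process 31120 (postgres) score 12 or sacrifice child
"""

# Matches both the older "Kill process N (comm) score S" wording and the
# newer "Killed process N (comm) total-vm:..." wording (no score).
OOM_KILL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?:\[[^\]]*\] )?"                       # optional [uptime] prefix
    r"Out of memory: Kill(?:ed)? process (?P<pid>\d+) \((?P<comm>[^)]+)\)"
    r"(?: score (?P<score>\d+))?"
)


def find_oom_kills(log_text: str, process: str = None) -> list:
    """Return one dict per OOM kill, optionally filtered by process name."""
    kills = []
    for line in log_text.splitlines():
        m = OOM_KILL_RE.match(line)
        if not m:
            continue
        if process is not None and m.group("comm") != process:
            continue
        score = m.group("score")
        kills.append({
            "timestamp": m.group("ts"),
            "host": m.group("host"),
            "pid": int(m.group("pid")),
            "comm": m.group("comm"),
            "score": int(score) if score is not None else None,
        })
    return kills


def fusionauth_was_oom_killed(log_text: str) -> bool:
    """FusionAuth runs as a 'java' process. On a host with other JVMs, match
    the PID against the fusionauth-app service before acting on this."""
    return bool(find_oom_kills(log_text, process="java"))


if __name__ == "__main__":
    for kill in find_oom_kills(SYSLOG_SAMPLE):
        print(kill)
    print("FusionAuth OOM-killed:", fusionauth_was_oom_killed(SYSLOG_SAMPLE))
```

      If this reports a kill, lower the JVM heap with the fusionauth-app.memory setting (see the configuration reference the reply links to) or give the host more RAM; restarting without changing either just queues up the next kill.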

    • FusionAuth in a cluster and separate user sessions for each node
      Posted by maciej.wisniowski • 1 Vote • 4 Posts • 6.8k Views

      Reply from dan:

      Note that as of 1.19.0, session pinning/sticky sessions are no longer required. More details here.

    • 403 error when registering with Apple
      Tags: apple cors registration • Posted by dan • 0 Votes • 2 Posts • 4.4k Views

      Reply from dan:

      Yes, just confirmed the fact that this is a Safari-only issue. Only Safari seems to be doing this; we don't return a 403, so this must be a CORS failure. Perhaps Apple is sending additional headers on the request when using Safari that need to be accounted for in the Allowed headers.

      I added GET to the allowed methods for CORS, and that seems to allow it to work in Safari. Please test and let me know.

      The redirect workflow looks to be different in Safari when using native controls vs Chrome or other browsers.

    • Multi-Tenant Tenant specific IDP
      Posted by ubreddy • 0 Votes • 2 Posts • 535 Views

      Reply from dan:

      Hiya!

      With FusionAuth, identity providers are global objects. You configure them to apply to given applications (via enabling them) using the API or the UI. Applications are scoped to a tenant.

      So, if you wanted to make sure that a customer had Okta enabled, you'd do the following:

      1. Set up an Okta OIDC identity provider
      2. Create a tenant for the customer
      3. Create an application in that tenant
      4. Enable the Okta OIDC identity provider for that application

      More details here: https://fusionauth.io/docs/v1/tech/identity-providers/

      HTH.

    • DistributedCacheNotifier error message when loading data
      Tags: logs error timeout • Posted by dan • 0 Votes • 2 Posts • 4.0k Views

      Reply from dan:

      We have had a couple of people have this exception in Kubernetes because the nodes can’t talk to each other. Is your setup configured so that each node can talk to each other node?

      I would expect that the configuration would need to use the k8s names rather than IP addresses for all of the nodes. This is configurable in the configuration file or through env variables. More here: https://fusionauth.io/docs/v1/tech/reference/configuration/ . Look for the fusionauth-app.url setting.

    • Preload configuration
      Tags: configuration development setup • Posted by dan • 0 Votes • 2 Posts • 2.1k Views

      Reply from dan:

      I think you are looking for kickstart: https://fusionauth.io/docs/v1/tech/installation-guide/kickstart

      Here's how to configure Kickstart to run when you are using Docker: https://fusionauth.io/docs/v1/tech/installation-guide/docker/#kickstart

      I'm not sure how you are starting your containers, but I imagine you could create and make a kickstart file available in other deployment environments also.

    • Redirect after email verification with authenticated user state
      Posted by harish_reddy • 0 Votes • 5 Posts • 1.9k Views

      Reply from dan:

      Ah, I see. Yes, this is new functionality; the javascript redirect is the best option currently, but that won't automatically log a user in.

      If you have a support contract, please open a support ticket.

      Otherwise, please file a feature request in our github issues repo.

    • Reverse proxying doesn't work
      Posted by narayan.dreamer • 0 Votes • 2 Posts • 778 Views

      Reply from dan:

      Looks like you got some help over in the FusionAuth containers project.

      I'm not super familiar with caddy, but you can also see other reverse proxy configurations (including which headers they forwarded) here: https://github.com/FusionAuth/fusionauth-contrib/tree/master/Reverse Proxy Configurations

      If you get it figured out, please consider submitting a PR to that repo with the caddy config so that others can benefit from your findings.

    • Force Google Account Selection on every login
      Posted by davidmw • 0 Votes • 6 Posts • 6.0k Views

      Reply from dan:

      Added this as a feature request: https://github.com/FusionAuth/fusionauth-issues/issues/1041

    • Notification of new FusionAuth versions
      Posted by pclark • 0 Votes • 3 Posts • 1.4k Views

      Reply from pclark:

      Thanks. I believe the RSS feed for the release announcements will work for us.

    • How can I export my users from FusionAuth?
      Tags: export users • Posted by dan • 0 Votes • 2 Posts • 1.9k Views

      Reply from dan:

      Yes. We don’t currently have an API to do this, but you can pull the users from your database, and the hashes are all available there. If you are using FusionAuth Cloud, you can request a database dump from us.

      The hashing algorithm is customizable and you can select PBKDF2 or Bcrypt. You can see more about our hashing algorithm support here: https://fusionauth.io/docs/v1/tech/reference/password-encryptors/

      Edited Sep 2023: Per our cloud documentation, database exports from FusionAuth Cloud are supported as one-time requests because of migration needs. Repeated exports require a discussion with the sales team.

    • Can you store JWTs in session cookies
      Tags: jwt sessions cookies • Posted by dan • 0 Votes • 2 Posts • 1.3k Views

      Reply from dan:

      Yes. You can use the Authorization Code grant with cookies. Here is a workflow diagram of this: https://fusionauth.io/learn/expert-advice/authentication/webapp/oauth-authorization-code-grant-jwts-refresh-tokens-cookies/

    • Can I install FusionAuth on-prem as part of my application?
      Tags: on-prem • Posted by dan • 0 Votes • 2 Posts • 488 Views

      Reply from dan:

      This requires a reseller agreement if you will be deploying FusionAuth alongside their software in their customer’s data centers.

      We have a bunch of companies doing this including Unsupervised (you can read their case study: https://fusionauth.io/resources/unsupervised-case-study.pdf ).

    • I've written a password encryption plugin I want to share. Where can I share it?
      Tags: password plugin encryption • Posted by dan • 0 Votes • 4 Posts • 2.1k Views

      Reply from a user (P):

      In case it helps anyone, a version of the ASP.NET Core Identity PasswordHasher HashPasswordV3:

      package com.mycompany.fusionauth.plugins;

      import javax.crypto.SecretKey;
      import javax.crypto.SecretKeyFactory;
      import javax.crypto.spec.PBEKeySpec;
      import java.security.NoSuchAlgorithmException;
      import java.security.spec.InvalidKeySpecException;
      import java.security.spec.KeySpec;
      import java.util.Base64;

      import io.fusionauth.plugin.spi.security.PasswordEncryptor;

      /**
       * Example password hashing based on Asp.Net Core Identity PasswordHasher HashPasswordV3.
       *
       * Output layout (then Base64): 0x01 format marker | PRF id (4 bytes, network order)
       * | iteration count (4 bytes) | salt length (4 bytes) | salt | 32-byte PBKDF2 subkey.
       */
      public class ExampleDotNetPBDKF2HMACSHA256PasswordEncryptor implements PasswordEncryptor {
        @Override
        public int defaultFactor() {
          return 10_000;
        }

        @Override
        public String encrypt(String password, String salt, int factor) {
          if (factor <= 0) {
            throw new IllegalArgumentException("Invalid factor value [" + factor + "]");
          }

          SecretKeyFactory keyFactory;
          try {
            keyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
          } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("No such algorithm [PBKDF2WithHmacSHA256]");
          }

          int keyLength = 32; // numBytesRequested
          byte[] saltBytes = Base64.getDecoder().decode(salt); // assumes Base64 encoded salt, saltSize: 16 bytes
          KeySpec keySpec = new PBEKeySpec(password.toCharArray(), saltBytes, factor, keyLength * 8);

          SecretKey secret;
          try {
            secret = keyFactory.generateSecret(keySpec); // subkey
          } catch (InvalidKeySpecException e) {
            throw new IllegalArgumentException("Could not generate secret key for algorithm [PBKDF2WithHmacSHA256]");
          }

          byte[] subkey = secret.getEncoded();
          byte[] outputBytes = new byte[13 + saltBytes.length + subkey.length];
          outputBytes[0] = 0x01; // format marker
          writeNetworkByteOrder(outputBytes, 1, 1); // PRF: 1 = HMACSHA256
          writeNetworkByteOrder(outputBytes, 5, factor); // iteration count
          writeNetworkByteOrder(outputBytes, 9, saltBytes.length);
          System.arraycopy(saltBytes, 0, outputBytes, 13, saltBytes.length);
          System.arraycopy(subkey, 0, outputBytes, 13 + saltBytes.length, subkey.length);
          return Base64.getEncoder().encodeToString(outputBytes);
        }

        private static void writeNetworkByteOrder(byte[] buffer, int offset, int value) {
          buffer[offset] = (byte) (value >> 24);
          buffer[offset + 1] = (byte) (value >> 16);
          buffer[offset + 2] = (byte) (value >> 8);
          buffer[offset + 3] = (byte) value;
        }
      }

      package com.mycompany.fusionauth.plugins;

      import org.testng.annotations.DataProvider;
      import org.testng.annotations.Test;

      import static org.testng.Assert.assertEquals;

      public class ExampleDotNetPBDKF2HMACSHA256PasswordEncryptorTest {
        @Test(dataProvider = "hashes")
        public void encrypt(String password, String salt, String hash) {
          ExampleDotNetPBDKF2HMACSHA256PasswordEncryptor encryptor = new ExampleDotNetPBDKF2HMACSHA256PasswordEncryptor();
          assertEquals(encryptor.encrypt(password, salt, 10_000), hash);
        }

        @DataProvider(name = "hashes")
        public Object[][] hashes() {
          return new Object[][]{
              {"MyExamplePassword", "CVsv6SwPJr7WDrVvAb+7aw==", "AQAAAAEAACcQAAAAEAlbL+ksDya+1g61bwG/u2ssOcnQU6Q2xo9tmijJv0zM2GsxeOl04NSpXRsAveBBag=="},
          };
        }
      }
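      The same V3 format in Python, as an added example that is not the poster's plugin and not FusionAuth code. It builds and parses the 0x01 | PRF | iterations | salt length | salt | subkey layout described in the Java above, verifies a password against it in constant time, and parses the test vector from the post so the header fields and embedded salt can be checked independently of the PBKDF2 output. It is useful for sanity-checking hashes exported from an ASP.NET Core Identity database before importing them.

```python
"""ASP.NET Core Identity PasswordHasher V3 format in Python.

Added example; not the forum poster's plugin and not FusionAuth code.
Layout before Base64: 0x01 | PRF (4 bytes BE, 1 = HMAC-SHA256) | iterations
(4 bytes BE) | salt length (4 bytes BE) | salt | 32-byte PBKDF2 subkey.
"""
import base64
import hashlib
import hmac
import os
import struct

FORMAT_MARKER = 0x01
PRF_HMACSHA256 = 1
SUBKEY_LEN = 32
HEADER = ">BIII"          # marker, prf, iterations, salt length: 13 bytes

# Test vector copied from the forum post above (salt is Base64 encoded).
POSTED_SALT_B64 = "CVsv6SwPJr7WDrVvAb+7aw=="
POSTED_SALT = base64.b64decode(POSTED_SALT_B64)
POSTED_HASH = ("AQAAAAEAACcQAAAAEAlbL+ksDya+1g61bwG/u2ssOcnQU6Q2xo9tmijJv0zM2Gsx"
               "eOl04NSpXRsAveBBag==")


def hash_password(password: str, salt: bytes, iterations: int = 10_000) -> str:
    """Hash like HashPasswordV3 with the HMAC-SHA256 PRF; returns Base64."""
    if iterations <= 0:
        raise ValueError("iterations must be positive")
    subkey = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, SUBKEY_LEN)
    header = struct.pack(HEADER, FORMAT_MARKER, PRF_HMACSHA256, iterations, len(salt))
    return base64.b64encode(header + salt + subkey).decode("ascii")


def parse_v3(encoded: str) -> dict:
    """Split a V3 hash into its fields, rejecting other formats or PRFs."""
    raw = base64.b64decode(encoded)
    if len(raw) < struct.calcsize(HEADER):
        raise ValueError("too short to be a V3 hash")
    marker, prf, iterations, salt_len = struct.unpack(HEADER, raw[:13])
    if marker != FORMAT_MARKER:
        raise ValueError("not a V3 hash (marker 0x%02x)" % marker)
    if prf != PRF_HMACSHA256:
        raise ValueError("unsupported PRF id %d" % prf)
    salt = raw[13:13 + salt_len]
    subkey = raw[13 + salt_len:]
    if len(salt) != salt_len or len(subkey) != SUBKEY_LEN:
        raise ValueError("truncated hash")
    return {"iterations": iterations, "salt": salt, "subkey": subkey}


def verify_password(password: str, encoded: str) -> bool:
    """Recompute the subkey from the stored salt/iterations and compare in constant time."""
    parts = parse_v3(encoded)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    parts["salt"], parts["iterations"], SUBKEY_LEN)
    return hmac.compare_digest(candidate, parts["subkey"])


if __name__ == "__main__":
    print(parse_v3(POSTED_HASH)["iterations"])                         # 10000
    print(hash_password("MyExamplePassword", POSTED_SALT) == POSTED_HASH)
    fresh = hash_password("correct horse", os.urandom(16))
    print(verify_password("correct horse", fresh), verify_password("wrong", fresh))
```

      Keep the iteration count stored in the hash authoritative when verifying, as the code does; a migrated user whose hash was created with a different factor would otherwise never match, which is the most common surprise when moving hashes between Identity and FusionAuth.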
    • How can I get the system logs?
      Tags: logging logs integration • Posted by dan • 0 Votes • 2 Posts • 2.5k Views

      Reply from dan:

      If you are running docker or some other container system where logs are written to stdout you should utilize whatever tooling exists to capture that output (docker logs or similar solutions).

      If you are using a zip file installation or some other installation method which writes log files, you can export the system logs using this API call.

    • What is considered "activity" for the daily and monthly active user reports?
      Tags: users active users reporting • Posted by dan • 0 Votes • 2 Posts • 4.1k Views

      Reply from dan:

      There are two types of activity that are consolidated in this report. A user is 'active' if either of these holds true for the user during the time period in question.

      The first is on token/JWT refreshes. There are two ways to trigger an activity event.

      The first is a POST to /oauth2/token to retrieve a token (either with an auth code, a refresh token, or any other way to get a token). The second is a POST to /api/jwt/refresh, which presents a refresh token for a new access token using the FusionAuth non standard API.

      The second is on "login" events:

      Login events are triggered in a number of ways:

      • an IdP login request (performed via a POST to /api/identity-provider/login)
      • user creation
      • user registration to an application
      • a login performed via a POST to /api/login or a PUT to /api/login
      • other forms of login that don't quite fall in the flows above. These include: passwordless, one time password and 2FA.

      Basically, if a user logs in or has a token generated for them, they are considered active during the timeframe.
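      The rules in the reply above applied to request records, as an added example that is not FusionAuth's reporting code (the real report is computed server-side from FusionAuth's own event data). The endpoints named in the reply are the ones counted; the paths for user creation, registration, passwordless and two-factor login are assumptions added to show the shape and are marked as such. The request records are constructed.

```python
"""Classify API calls as DAU/MAU 'activity' per the reply's rules.

Added example, not FusionAuth code. Input records are constructed.
"""
from collections import defaultdict

# (method, path) pairs the reply names explicitly.
TOKEN_ENDPOINTS = {
    ("POST", "/oauth2/token"),        # any grant: auth code, refresh token, ...
    ("POST", "/api/jwt/refresh"),     # FusionAuth's non-standard refresh API
}
LOGIN_ENDPOINTS = {
    ("POST", "/api/identity-provider/login"),
    ("POST", "/api/login"),
    ("PUT", "/api/login"),
    # Assumed paths for the other login events the reply lists by name only.
    ("POST", "/api/user"),
    ("POST", "/api/user/registration"),
    ("POST", "/api/passwordless/login"),
    ("POST", "/api/two-factor/login"),
}


def classify(method: str, path: str):
    """Return 'token', 'login' or None for a request; query string is ignored."""
    key = (method.upper(), path.split("?", 1)[0].rstrip("/"))
    if key in TOKEN_ENDPOINTS:
        return "token"
    if key in LOGIN_ENDPOINTS:
        return "login"
    return None


# Constructed records: (day, method, path, user_id). Values are made up.
SAMPLE_REQUESTS = [
    ("2023-09-01", "POST", "/api/login", "alice"),
    ("2023-09-01", "GET", "/api/user/alice", "alice"),            # a read, not activity
    ("2023-09-01", "POST", "/oauth2/token", "bob"),
    ("2023-09-02", "POST", "/api/jwt/refresh", "bob"),
    ("2023-09-02", "PUT", "/api/login", "carol"),
    ("2023-09-03", "GET", "/oauth2/authorize?client_id=x", "dave"),  # not a token grant
    ("2023-09-03", "POST", "/api/identity-provider/login", "dave"),
    ("2023-09-15", "POST", "/api/user/search", "erin"),           # admin API, not activity
]


def active_users(requests, period: str = "month") -> dict:
    """Map each day ('YYYY-MM-DD') or month ('YYYY-MM') to the set of users
    with at least one token or login event in it."""
    buckets = defaultdict(set)
    for day, method, path, user in requests:
        if classify(method, path) is None:
            continue
        buckets[day if period == "day" else day[:7]].add(user)
    return dict(buckets)


if __name__ == "__main__":
    for day, users in sorted(active_users(SAMPLE_REQUESTS, "day").items()):
        print(day, sorted(users))
    for month, users in active_users(SAMPLE_REQUESTS, "month").items():
        print(month, len(users), "monthly active users")
```

      Note that a user appearing on three days in the month counts once toward the monthly figure, which is why MAU is not the sum of the daily numbers.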

    • Runtime mode differences mean that FusionAuth won't start
      Tags: logs nodes startup • Posted by dan • 0 Votes • 2 Posts • 1.3k Views

      Reply from dan:

      It looks like you switched to development mode from production mode, possibly to run some migrations automatically.

      This message means that FusionAuth sees an entry in its node records that would lead to an incompatible configuration. What we really want to avoid is a cluster of FusionAuth instances with some in development and others in production, as that might lead to some confusing behavior.

      If you are running a single node, you can try restarting FusionAuth a few times and that node record should be reset. You can also switch the node back to production and make sure it shuts down cleanly, which should remove the node record.