      X-Frame-Options and silent refresh
      Started by dane.roe. 0 votes, 3 posts, 1.4k views.
      Latest reply from dan:

      Hi,

      So I'm not intimately familiar with this use case, but I have a couple of pointers.

      Did you add X-Frame-Options to the exposed headers in the System setting? (This is more of a guess than a recommendation 🙂 .)

      Silent refreshes have some other issues. This github issue may be of interest: https://github.com/FusionAuth/fusionauth-issues/issues/521 . It points to a workaround: https://stackoverflow.com/questions/55859793/is-prompt-none-for-silent-refresh-in-a-spa-possible-with-fusionauth-and-its-prov where there's actually a suggestion to tweak the web.xml file.

      Finally, if you have a support contract with us, please open a ticket.

      Solved: Can I replace the FA login forms with my own?
      Started by dan. 0 votes, 2 posts, 487 views.
      Latest reply from dan:

      You have a couple of options for customizing the login experience when you are using FusionAuth.

      You can use the password grant and create your own login page. Here's an example of the password grant. But this doesn't let you use the Authorization Code grant.

      You can use themes to customize the login pages.

      You could implement the authorization code grant without ever using the FA front end. You'd have to create your own login and logout pages on the server, and then have the server communicate via the API. Not sure why you'd want to do that, but maybe it meets your needs.

      You could use a third party tool like Hydra and use FA for your user data store.
      official guide for docker-compose install not working
      Started by vanja.milenkovic. 0 votes, 3 posts, 618 views.
      Latest reply from vanja.milenkovic:

      @robotdan
      Seems I expected that configuration of the fusionauth db in the docker-compose file was enough, but after your answer I inserted the credentials again on the 'maintenance' page, and it is now started, thanks

      How to clean uninstall from Windows 10?
      Started by scootcho.yoo. 0 votes, 3 posts, 6.7k views.
      Latest reply from scootcho.yoo:

      Thank you for the quick reply! I have successfully uninstalled it.

      In addition to your instructions, I followed the same logic and removed the AppData as well:

      rmdir C:\Users\me\AppData\Local\Temp\fusionauth /s

      Thanks for your help!

      Solved: How large can the data field be for any of the FusionAuth resources?
      Tags: user-data, database, limits
      Started by dan. 0 votes, 2 posts, 11.2k views.
      Latest reply from dan:

      If you're using PostgreSQL the size is essentially unlimited. With MySQL it is 16 MB.

      There are few exceptions to this rule where we may be using a 64 KB column if you're on MySQL.

      I wouldn't recommend storing that much data however. If you're using Elasticsearch, the custom data on the User will be indexed, and Elasticsearch will eventually hit a limit as well.

      Default application
      Started by thiago. 1 vote, 6 posts, 4.8k views.
      Latest reply from M:

      Github issue: https://github.com/FusionAuth/fusionauth-issues/issues/632

      Solved: Does the instance need to be completely empty for kickstart to run?
      Tags: kickstart, setup
      Started by dan. 0 votes, 2 posts, 4.7k views.
      Latest reply from dan:

      Yup.

      Kickstart is intended to build the system up from scratch.

      We check for API keys, users, and a few other things to ensure we can start with a clean slate.

      If you already have an API key configured, you can also just script a set of API calls on your end as well. This is more/less what kickstart does.

      From the Kickstart docs:

      Kickstart will only run if no API keys, users or tenants exist, so you can safely leave this environment variable configured even after the system has been configured.

      Solved: When using kickstart are there any email templates included?
      Tags: kickstart, email, templates
      Started by dan. 0 votes, 2 posts, 1.4k views.
      Latest reply from dan:

      Kickstart does not load any templates by default. You will need to create any template you’d like in your initial configuration.

      Outside of kickstart we do build some default templates. In Kickstart, no templates.

      Here's the email templates we ship with if you want to add them to your Kickstart: https://fusionauth.io/docs/v1/tech/email-templates/email-templates#templates-replacement-variables

      Solved: I am using the login API but I'm not getting a refresh token. Why?
      Tags: login, login-api, refresh, token
      Started by dan. 0 votes, 2 posts, 5.2k views.
      Latest reply from dan:

      My guess is you are missing the applicationId on the login API request.

      A refresh token is per user per application, so passing that is required to provide refresh tokens (even though it is optional for the call to succeed).

      Solved: Can I use a proxy with FusionAuth?
      Tags: proxy
      Started by dan. 0 votes, 2 posts, 1.8k views.
      Latest reply from dan:

      There's no supported way. Here's the official docs:

      FusionAuth is able to handle all HTTP traffic and any network handling between the browser and FusionAuth should be as simple as possible.

      However, this solution was found by a community member (for the docker install). Configure the environment variable:

      FUSIONAUTH_ADDITIONAL_JAVA_ARGS: -Dhttp.proxyHost=some.proxy -Dhttp.proxyPort=8210 -Dhttp.nonProxyHosts="localhost|127.0.0.1|10.*.*.*|172.*.*.*"

      before you start FA and it should work.

      Solved: How can I use FusionAuth with OpenAPI/Swagger clients?
      Tags: swagger, openapi, client-library, integration
      Started by dan. 0 votes, 2 posts, 8.5k views.
      Latest reply from dan:

      Users using an SDK created by Swagger can use OAuth.

      FusionAuth supports all of the grants listed there except "Client Credentials" (if that's an important grant to you, please vote on this GitHub issue).

      That said, you can log a user in using this API: https://fusionauth.io/docs/v1/tech/apis/login#authenticate-a-user

      As mentioned in that document, you can require a FusionAuth API key (information about creating this here: https://fusionauth.io/docs/v1/tech/apis/authentication#manage-api-keys ) which would not be a per user API key. Or you could disable authentication for the /apilogin endpoint:

      Authentication may be disabled per Application, see application.loginConfiguration.requireAuthentication in the Application API or navigate to Applications > Edit > Security in the user interface.

      and have users authenticate against that endpoint.

      If on the other hand you are asking about application type API keys that are managed by FusionAuth, the short answer is that is not a feature of FusionAuth. Please see this forum post for other options.

      Solved: Can you store off fusionauth config in a file?
      Tags: development, kickstart, environments
      Started by dan. 0 votes, 2 posts, 3.5k views.
      Latest reply from dan:

      You could look at kickstart: https://fusionauth.io/docs/v1/tech/installation-guide/kickstart

      Kickstart only works if the other devs' fusionauth instances are going to be starting from scratch.

      Otherwise you might want to vote for https://github.com/FusionAuth/fusionauth-issues/issues/560

      Solved: Is there a way to determine which version of FusionAuth is running?
      Tags: version
      Started by dan. 0 votes, 2 posts, 863 views.
      Latest reply from dan:

      From the admin UI, go to System / About and you'll see the current version.

      It is also available via the API by calling /api/status and looking for the version key in the returned object. However, the status response is subject to change.

      Solved: No Refresh Tokens from grant_type = authorization_code; python
      Tags: python, refresh, token
      Started by sven.richter86. 1 vote, 3 posts, 9.7k views.
      Latest reply from sven.richter86:

      Great thanks, that solved it.

      Solved: How does SSO work with multiple client SSO servers?
      Tags: sso, azure, gsuite
      Started by dan. 0 votes, 2 posts, 5.1k views.
      Latest reply from dan:

      This is generally done by using the domain configuration. For example, all users with an email address domain of acme.com can be configured to use a particular SAML or OpenID Connect configuration.

      As soon as you configure one IdP with a domain, the login panel will collect the email address first to understand if we need to ask for a password or forward them along to a federated identity provider.

      Read more about managed domains here: https://fusionauth.io/docs/v1/tech/identity-providers/openid-connect/

      Solved: Does anyone have recommendations on how services should authenticate to apps that use FA?
      Tags: api, authorization, oauth
      Started by dan. 0 votes, 2 posts, 8.2k views.
      Latest reply from dan:

      This seems like a case for the client credentials grant, which is unfortunately still on the roadmap: https://github.com/FusionAuth/fusionauth-issues/issues/155 Not sure that would help with the rotation, though. Just like the username and password approach, I don't believe the client credentials grant lets you rotate creds in.

      Other options: you could look into a third party api management solution (as mentioned here).

      Could you use longer lived JWTs but then a webhook to revoke them, as outlined here: https://fusionauth.io/learn/expert-advice/tokens/revoking-jwts ?

      You can control the duration on an application by application basis (so all JWTs issued by one application have to have the same length). You could create a 'services' application that only these services would have registrations with, not sure if that would work.

      Solved: How does one add custom claims to the JWT issued by the OAuth flow?
      Tags: claims, jwt, oauth
      Started by dan. 0 votes, 2 posts, 10.0k views.
      Latest reply from dan:

      In general you are going to want to use a Lambda to populate additional claims: https://fusionauth.io/docs/v1/tech/lambdas/jwt-populate

      This issue has some notes about Hasura in particular: https://github.com/FusionAuth/fusionauth-issues/issues/61
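As an added illustration of the JWT populate lambda mentioned above (this is example code, not from the forum post or from FusionAuth's own docs): a lambda in the documented populate(jwt, user, registration) shape that copies roles from the registration and one whitelisted field from user.data, without letting custom data overwrite reserved claims. The claim names department and roles, and the sample user/registration objects, are assumptions constructed here.

```javascript
// FusionAuth invokes populate(jwt, user, registration) before signing the token.
// Kept to ES5 syntax because FusionAuth runs lambdas in an embedded JS engine.
function populate(jwt, user, registration) {
  // Roles belong to the registration for the application the token is issued for.
  jwt.roles = (registration && registration.roles) ? registration.roles.slice() : [];

  // Copy only an allow-listed custom field rather than the whole user.data object,
  // so internal data never ends up inside a token handed to clients.
  if (user.data && typeof user.data.department === 'string') {
    jwt.department = user.data.department;
  }

  // Reserved claims (sub, aud, exp, iss, ...) are set by FusionAuth; this lambda
  // deliberately never assigns them, so custom data cannot override them.
}

// Constructed sample input standing in for the objects FusionAuth would pass.
var sampleJwt = { sub: 'user-id', aud: 'app-id', exp: 1700000000 };
var sampleUser = {
  id: 'user-id',
  email: 'jane@example.com',
  // 'ssn' is a constructed stand-in for internal data that must not leak.
  data: { department: 'security', ssn: 'must-not-appear-in-token' }
};
var sampleRegistration = { applicationId: 'app-id', roles: ['admin', 'editor'] };

// Runs the lambda against the sample objects and returns the resulting claims.
function buildSampleJwt() {
  var jwt = {};
  for (var k in sampleJwt) { jwt[k] = sampleJwt[k]; }
  populate(jwt, sampleUser, sampleRegistration);
  return jwt;
}

console.log(JSON.stringify(buildSampleJwt()));
```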

      Kubernetes deployment of version 1.16.0-RC.1
      Started by laurent.michel. 0 votes, 10 posts, 1.4k views.
      Latest reply from robotdan:

      If you get an unauthorized message in the UI when you submit a form it is due to your network configuration. This error is caused by our protective measures for cross site request forgery.

      I would assume you are seeing an error on the admin page to indicate your proxy configuration is invalid. If not, ensure you have the correct X-Forwarded-Port, X-Forwarded-Host, X-Forwarded-Proto headers set when behind a proxy.

      If these values are not set, or are invalid then when we compare the Origin header against the request we will fail our CSRF assertions and return a 401.

      Can you access timeout settings (for password resets, for example) in the email templates?
      Tags: templates, passwordless, password, reset, email
      Started by dan. 0 votes, 3 posts, 1.1k views.
      Latest reply from dan:

      See also https://github.com/FusionAuth/fusionauth-issues/issues/612

      Does template localization include the freemarker date and time built-in function?
      Tags: templates, datetime, freemarker
      Started by dan. 0 votes, 2 posts, 1.4k views.
      Latest reply from dan:

      Yes. Set the locale in the template and this will display the correct values, for example the month name.

      More on freemarker here: https://freemarker.apache.org/docs/

      Here's how to set the locale in a template: https://freemarker.apache.org/docs/ref_directive_setting.html