FusionAuth
    • C

      Start FusionAuth from docker in productive mode fails

      • • cyrill.lippuner
      3
      0
      Votes
      3
      Posts
      873
      Views

      C

      Yeah, that was it... I guess it was already late 😉

    • joshuaJ

      Can anyone see why this code locks a user opposed to actually deleting the user? Version 1.20.0

      • • joshua
      2
      0
      Votes
      2
      Posts
      237
      Views

      joshuaJ

      Two issues with the code snippet that are worth exploring:

      hardDelete is supposed to be a query param

      Delete requests should not have a body in the request.

      Find out more in the documentation for the User API

    • danD

      Refresh token

      refresh token oauth • • dan
      2
      0
      Votes
      2
      Posts
      3.0k
      Views

      danD

      The difference between a JWT/access token and a refresh token is that a refresh token can be revoked. Every time you present it to the Identity Provider/OAuth server, the OAuth server can check to see if the user has been banned, signed out or otherwise invalidated that token. (You can revoke a JWT, but it's a pain, typically.)

      A refresh token is an engineering tradeoff. Without refresh tokens, you would have two unappetizing alternatives:

        • an access token that lived for a long time. In this case, if the access token is stolen, the attacker has a lot of time to access systems (or you need to have some kind of access token revocation strategy, which degrades the value of stateless access tokens).
        • requiring the user to sign in every time the token expires. That gets old if the lifetime of the access token is minutes or hours. I even get annoyed every time Google asks me to re-sign into gmail, which only happens every week or two.

      The spec requires a client to explicitly request a refresh token. With FusionAuth you have to request the offline_access scope (which is common for other auth providers, but I wasn't able to find it in the RFC), so it's a way to offer more flexibility.

    • L

      Is it possible to restrict admin permissions to specific tenants?

      • • lucas.loreggia
      2
      0
      Votes
      2
      Posts
      326
      Views

      joshuaJ

      Hi @lucas-loreggia,

      Unfortunately, this is not yet an option within FusionAuth, but there is an open issue! See current discussion under issue 91. Please note that the issue does document a workaround, using the API.

      I should also point out, while not specifically the use case you are asking for here, we do have the ability to form roles, as mentioned at the bottom of the issues post.

      I hope this helps!
      Josh

    • danD

      I want to pass the locale and timezone info to apps via a JWT

      jwt timezone locale • • dan
      3
      0
      Votes
      3
      Posts
      4.3k
      Views

      danD

      There's additional localization and internationalization doc that was written recently here: https://fusionauth.io/docs/v1/tech/core-concepts/localization-and-internationalization/

    • danD

      How do I add a locale to FusionAuth?

      locale customization i18n l10n • • dan
      3
      0
      Votes
      3
      Posts
      1.2k
      Views

      danD

      There's additional localization and internationalization doc that was written recently here: https://fusionauth.io/docs/v1/tech/core-concepts/localization-and-internationalization/

    • C

      How do I change the localisation / timezone for the FusionAuth UI?

      • • chris.smith
      4
      0
      Votes
      4
      Posts
      8.7k
      Views

      danD

      There's additional localization and internationalization doc that was written recently here: https://fusionauth.io/docs/v1/tech/core-concepts/localization-and-internationalization/

    • danD

      NestJS and FusionAuth

      nestjs passportjs • • dan
      4
      0
      Votes
      4
      Posts
      2.5k
      Views

      danD

      Huh, yeah, that is weird. Not sure why there isn't a solid OIDC implementation for passportjs.

      You could use the FusionAuth typescript client. It's open source; here's the github repo.

      FusionAuth should be OIDC compliant so any NestJS example application that works with OIDC should be fine. Here are some posts to review:

        • https://sdoxsee.github.io/blog/2020/02/05/cats-nest-nestjs-mongo-oidc.html#add-oidcstrategy
        • https://github.com/Finastra/finastra-nodejs-libs/tree/develop/libs/oidc
        • https://github.com/panva/node-oidc-provider (a node OIDC provider)

      As for why you might want to avoid okta, I would just advise looking at the pricing page before committing. 🙂

    • J

      Issue with FA 1.25 Database Connections

      • • john.mooney
      2
      0
      Votes
      2
      Posts
      427
      Views

      joshuaJ

      Hi @john-mooney!

      My experience is limited in regards to an Azure cloud deployment, but I will try and assist as best able. I do have a few questions to ask to better understand your issue.

        • Do you happen to have any other logs which are outputting errors? If you had full logs of the database, app service, or anything else pertinent, that might be helpful in debugging.
        • Do the logs show that all of your database connections are queued? There is a db connection pool that should be available, but if every connection is queued up/waiting, that might be telling.
        • Does this happen only during certain times of the day and not others? At specified intervals? Under high demand/peak demand?
        • How many active and total users do you have on this system?
        • How many active and total tenants do you have on this system?
        • How are you connected to your database? Azure lists a few different ways to configure a PostgreSQL server (server, flexible, hyper-scale). Additional details about your configuration could prove useful.
        • Any other pertinent details about your network configuration and architecture could prove useful here.
        • Are you setting any FusionAuth environment variables, if so which ones?

      Thanks,
      Josh

    • joshuaJ

      My Database (sql, rds, postgres) is filling up. Any pointers on how to address this?

      • • joshua
      2
      1
      Votes
      2
      Posts
      7.3k
      Views

      joshuaJ

      There are a number of things that might be causing this.

      One thing to check is to see how many logs, debug, and other records your installation is holding on to. This can be reviewed by clicking under Setting -> System.

      I have attached a screenshot for your review.

      logsettings2.png
      logsettings.png

      Finally, it might be useful to review your system architecture to ensure it is sized appropriately for the number of users you are hosting.

      I hope this helps!

      Thanks,
      Josh

    • V

      FusionAuth with intermittent node restarts

      • • venkata.dorisala
      6
      0
      Votes
      6
      Posts
      1.2k
      Views

      danD

      That is weird. It looks like the hikari pool is losing the connection to the database, which then means that the node can't check in, so it then gets killed.

      I'm not sure why the pool would be losing the connection; hard to know what is happening.

      If you have detailed repro steps (which it sounds like you do), please file a bug in the github issues.

      I will say that kubernetes is being run by plenty of our customers and I haven't heard of this issue before, but would love to get to the bottom of this.

    • M

      apache http error when using helm for k8s

      • • mamaning
      2
      0
      Votes
      2
      Posts
      234
      Views

      danD

      @mamaning , welcome to the FusionAuth community!

      Can you provide a bit more detail about what the error message is and what you've tried to do to troubleshoot?

      Also, if you have a paid edition with support, you can open a support ticket, which will get you a response more quickly.

      Thanks!

    • danD

      Can I have physical as well as logical separation of my tenants in FusionAuth?

      tenants isolation separation • • dan
      2
      0
      Votes
      2
      Posts
      3.2k
      Views

      danD

      Tenants are separated logically, with users, identity providers, and applications all separate.

      If you need physical or geographic separation (for instance, to host users in tenant A in the USA and users in tenant B in Germany), you can do this by running two instances of FusionAuth. You can keep system wide configuration in sync using scripts with the client library.

    • danD

      Can I programmatically provision tenants?

      tenants api provisioning • • dan
      2
      0
      Votes
      2
      Posts
      2.7k
      Views

      danD

      Yes. You can use the tenant API or any of the client libraries to create, read, update and delete tenants and all their configuration.

    • danD

      Can I run fusionauth airgapped?

      air gapped deployment • • dan
      2
      0
      Votes
      2
      Posts
      1.7k
      Views

      danD

      Yes. Apart from what is outlined in the system requirements, FusionAuth does not require any network connection to the Internet.

    • danD

      Importing password hashes

      hashed password import • • dan
      2
      0
      Votes
      2
      Posts
      1.2k
      Views

      danD

      Yes you can. You have a few options.

      If your algorithm matches one of the FusionAuth supported algorithms or one of the community provided ones, you can configure FusionAuth to use it. If not, you may need to write your own hashing plugin.

      Once you have imported the hashes, the next thing to consider is whether you want FusionAuth to rehash the passwords as the users log in. This is a good option if the previous hashing algorithm was not a strong one. This is configured at the tenant level, under the Passwords tab.

    • danD

      What can I migrate from a different system

      migration migrate users users • • dan
      2
      0
      Votes
      2
      Posts
      820
      Views

      danD

      You can migrate all of your user data (store any non standard info in user.data), their roles, groups, application association, refresh tokens (so that someone using a TV app, for example, won't have to login again) and their password hashes.

      Please see the FusionAuth migration guide for more.

    • danD

      Sendgrid rejecting our FusionAuth email requests

      email sendgrid • • dan
      2
      0
      Votes
      2
      Posts
      1.1k
      Views

      danD

      Does SendGrid indicate why they are rejecting requests? In my experience, this is generally due to invalid creds, or a “From address” with a domain that does not match your SendGrid account.

      So if a default template is being used with a no-reply@fusionauth.io address you may see a runtime error such as a rejected SMTP request.

      Otherwise I'd make sure the IP address is in any whitelists, or share anything else that sendgrid logs.
