RE: Does FusionAuth support mutual TLS?

By using a proxy or gateway that supports mutual TLS, you can use it with FusionAuth.

For example, AWS ALB supports Mutual TLS verify where the ALB does client certificate verification. Nginx has similar functionality.

If you are running FusionAuth 'bare' and terminating TLS directly at the FusionAuth server, mutual TLS is not supported.

Hiya,

Does FusionAuth support mutual TLS where the client and server both have certificates?

(I'm not talking about mTLS token binding; I understand that is not implemented per https://github.com/FusionAuth/fusionauth-issues/issues/1025 .)

Hiya,

There are currently no plans to support the full mTLS spec. We are discussing DPoP (tracking issue) internally.

However, depending on your needs, there may be a workaround.

Since the client credentials grant depends on Entities, you can leverage this to inject a client certificate hash into an access token obtained through the client credentials grant.

How this works at a high level:

• Client Certificate Registration
  During onboarding, your customer (e.g., a bank) registers their client certificate. A hashed value of that certificate is securely stored in FusionAuth (entity.data). The hashing process is outlined in the RFC.
• Client Credentials Request
  When the bank requests an access token using the Client Credentials grant, a FusionAuth Lambda is invoked before the JWT is signed.
• Augment Custom Claims
  The Lambda code looks up the stored certificate hash and injects it as a claim in the JWT. For maximum compatibility with RFC 8705, it is recommended to add this hash to the cnf object in the JWT, like so:

"cnf":{
  "x5t#S256": "bwcK0esc3ACC3DB2Y5_lESsXE8o9ltc05O89jdN-dg2"
}

• Accessing the Resource Server or API
  The customer presents both the access token and presents their client certificate when calling your API.
• Validation Flow
  Your API:
  • verifies the JWT signature
  • computes a hash of the presented client certificate
  • compares it to the x5t#S256 claim in the token
• Decision Logic
  If the hashes match, the request is bound to the correct client and access is granted to the protected resource.

Does FusionAuth support mTLS token binding (RFC 8705, section 3) for the client credentials grant?

I found this issue but wasn't sure what the current status is: https://github.com/FusionAuth/fusionauth-issues/issues/1025

@cabaral109 @mark-robustelli after spending few hours debugging issue with openid-client I found this topic and lack of the protocol part in the issuer field to be a reason. I've just submitted the issue at: https://github.com/FusionAuth/fusionauth-issues/issues/3021

@theogravity-sb Hmmm. So the issue is that someone is registering with a gmail account they control but it looks like this:

foo@gmail.com with a name of <Dan https://evil.com> which is being turned into a link?

Or am I misunderstanding your question?

You have a variety of ways to approach this, with different tradeoffs around functionality, effort and cost. It also matters if the spam accounts are being signed up for by humans or bots.

• use a webhook to prohibit bogus users from being created by setting the user.create webhook to be transactional. You'd then write a service that could examine the user object, including email address or other attributes, and return a non-200 value to fail their creation. Details on webhooks. This is available on the community plan.

• use email verification to prevent spam users without an email inbox from using your application. Details on configuring this functionality. This is available on any paid plan.

• use a self-service registration lambda, and examine the email address and other information for a user. If a user is obviously bogus or matches a pattern, you could return a message stating they can't register, or to call you for assistance. Details on using this lambda. This is available on any paid plan.

• turn on CAPTCHA which will make it harder for bots to sign up. This requires an enterprise plan.

I have self-service registration turned on. I am getting some valid users, but a bunch of spam accounts.

What is the best way to deal with this?

Thanks!

@kasir-barati Hiya, welcome to FusionAuth. Sorry, just ran across your forum post today.

There is no way to assign constraints to user.data fields within FusionAuth, but there is an open issue that I encourage you to upvote.

You can require usernames to be unique in a tenant, using the Unique usernames setting. It is, however a feature which requires a paid plan.

Another alternative, rather than

fetching all users and then looping over users
would be to search for the username before creating the user. Using the search functionality that wouldn't require scanning all the users. You can use a transactional webhook to fail user creation if your uniqueness rules are not met.

This is due to a bug in the openjdk java library that the docker image uses. You can learn more about the bug here and track our fix (which looks like upgrading the java image our docker file users) by following this bug.

Until then, the workaround is to pass this java argument at start time:

-XX:UseSVE=0

This argument disables the use of the SVE extension, which is provides "better data parallelism for HPC and ML".

You can do that with the FUSIONAUTH_APP_ADDITIONAL_JAVA_ARGS environment variable in your Dockerfile. Here's an example:

  fusionauth:
    # ...
    environment:
      # ...
      FUSIONAUTH_APP_ADDITIONAL_JAVA_ARGS: -XX:UseSVE=0