Importing user through generic connector
-
Hi
I have a FusionAuth tenant with a generic connector configured. In certain cases, I would like to import the user into FusionAuth but prevent the login.
My API endpoint is returning a user with fields
user.active: false
user.verified: false
user.registrations[0].verified: false
But the login request is going through and all those fields are set to true in the FusionAuth user store.
Is this a bug or expected behaviour? I think it is very normal for a legacy system to contain users without a verified email.
TIA
-
Hiya,
I think this thread is worth a read: https://fusionauth.io/community/forum/topic/5/can-you-limit-a-user-s-login-authentication-access-to-applications-within-a-single-tenant
Basically, to prevent a login just check for a 202 status code, which indicates the user is authenticated (known by the system) but not authorized for the given application.
-
Thanks for the reply.
I checked the thread.
This is not an issue with using the login API. This is a webhook configured in the generic connector to import users on validation of the password through an API call.
Is there a way for this API to respond to convey to the FusionAuth system that "import the user with supplied password, but fail this login request"?
-
On a different topic:
I have applications created under a tenant other than the default "Fusionauth".
I created a user without any registrations to those applications.
I expected the OAuth login to fail when the user tries to log in with any of these applications. But the login request happened successfully for this application.
What is the use of having registrations to an application, when the user is able to log in through an OAuth client even without a registration?
Can someone please clarify?
-
@harish_reddy said in Importing user through generic connector:
Is there a way for this API to respond to convey to fusionauth system that "import the user with supplied password, but fail this login request"
Ah, sorry, I misunderstood.
I don't think there's a way to do this without writing some code. The connector stuff is still in technology preview, so feel free to file an issue in GitHub with your use case: https://github.com/fusionauth/fusionauth-issues
If I needed to accomplish this, I'd probably write a webhook that listened to the user.create event, check to see which connector had created the user, and then deactivate the account using the user API.
-
@harish_reddy said in Importing user through generic connector:
What is the use of having registrations to application, when the user is able to login through oauth client even without a registration ?
Ah, that is what https://fusionauth.io/community/forum/topic/5/can-you-limit-a-user-s-login-authentication-access-to-applications-within-a-single-tenant addresses specifically.
A user account is for authentication. A user registration is for authorization.
So someone can login to the application but they won't receive the applicationId in the JWT. Your application should check to see that a JWT has the correct applicationId before allowing a user to proceed further.
Hope that helps!
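The check described in the post above, as an added example that is not part of the original post or FusionAuth's own code. It assumes the token is signed with HS256 and a shared secret; the secret, the application Id and the function names are constructed for illustration, and a real service would normally use a maintained JWT library for the verification step.

```python
import base64, hashlib, hmac, json, time

# Constructed values for illustration; not taken from the thread.
SIGNING_SECRET = b"constructed-demo-secret"
EXPECTED_APP_ID = "11111111-2222-3333-4444-555555555555"

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims: dict, secret: bytes = SIGNING_SECRET) -> str:
    """Build an HS256 token so the example has input to run on offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def authorize(token: str, expected_app_id: str, secret: bytes = SIGNING_SECRET):
    """Return (allowed, reason). The signature is checked before any claim is trusted."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return False, "malformed token"
    # Pin the algorithm instead of trusting whatever the header announces.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected algorithm"
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("exp", 0) <= time.time():
        return False, "expired"
    # Authenticated but unregistered: the token is valid yet has no applicationId.
    if claims.get("applicationId") != expected_app_id:
        return False, "not registered for this application"
    return True, "ok"
```

A token that verifies correctly but lacks the applicationId claim is the authenticated-but-not-authorized case, so the application rejects it even though the login itself succeeded.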
-
Looks like this might be an issue you'd want to upvote: https://github.com/FusionAuth/fusionauth-issues/issues/439