Thanks! I appreciate it.

I will keep track using the link, and i'll thumbs up the issues.

As long as it is a valid URI, it is allowed.

Hmmm. Weird. Will look at filing a bug. Thanks!

One workaround you can use is the PATCH method on the user object:

PATCH http://localhost:9011/api/user/<user-id> { "user": { "skipVerification": true, "email": "admin@email", "passwordChangeRequired": false, "username": "admin", "password": "....." } }

My understanding is that if I were to use resource-owner-password-credentials grant, then I would be passing client credentials to FusionAuth from my backend. While doing so, I find that all client logins are occurring from the same backend IP address. Is there a way to log the real client IP rather than my backend IP?

For example, the /api/identity-provider/login endpoint that we use to do social logins allows passing an ipAddress parameter. Is there something similar for the /oauth2/token endpoint?

Can you explain a bit more @civaxox259 ?

Hiya,

I was able to successfully decode a JWT. From reviewing this thread, I think maybe the issue is that you are using the wrong secret. It seems like you might have accidentally been using the id of the signing key '1c8e490a-4972-7d73-8935-06621a0a6441' instead of the actual secret key.

Here's how I found my secret key:

go to settings go to keymaster click on the green magnifying glass icon to view the default key click on click here to see the secret.

My secret looked something like this: n0EfufcUAuYM6199G3ffRp+YUVMPodabtlI/wT8oBYc=.

Can you try validating your JWT with the secret found through those steps and let me know how it goes?

Ah, great. So unfortunately, since this feature request is open, the functionality hasn't been built yet, but is on the roadmap. Here are your options to influence the roadmap:

https://fusionauth.io/community/forum/topic/172/the-fusionauth-roadmap

You can put this in the Default subject section of the Passwordless email template:

[#setting time_zone = (user.timezone)!"NZ/Auckland"] [#setting time_format = "h:mm a"] Expires at: ${((.now?date?long + timeToLive * 1000)?number_to_time)?string}

You need to make sure that each user has a valid timezone, and you'll need to sync the timeToLive value with the passwordless login time to live in seconds tenant setting, until https://github.com/FusionAuth/fusionauth-issues/issues/612 is done.

If you'd like APIs to automatically log to the audit log, without additional calls to the Audit Log API, please vote for this issue: https://github.com/FusionAuth/fusionauth-issues/issues/507

I think you want skipVerification set to true.

From the docs:

Whether or not email verification should be skipped or not. In some cases, you might want to verify User’s emails and in other cases you won’t. This flag controls that behavior.

I solved it by myself with a lambda function:

Create a lambda with type JWT populate Add the following code: function populate(jwt, user, registration) { preferredLanguages = user.preferredLanguages; if(preferredLanguages === null || preferredLanguages === undefined || preferredLanguages.length === 0) { return; } // set first preferred language to jwt jwt.locale = user.preferredLanguages[0]; // set zoneinfo to jwt jwt.zoneinfo = user.timezone; }

Finally, in your application settings click on JWT and set your lambda function to Access token populate lambda.

I'd start at https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html and read the reference documentation.

HTH.

Hiya,

If you are using the elasticsearch search engine, you can use the admin UI and then see the elasticsearch string you'd need to set the queryString to in order to run the same search. This is the API which takes the `queryString: https://fusionauth.io/docs/v1/tech/apis/users#search-for-users

a Retrieving List of all users for a specific tenant

queryString = tenantId:64c1844b-04ef-4bc8-b4ea-3d8bf2e586e9 (or whatever your tenantId is)

b Retrieving List of all users within a specific application for a particular tenant

In this case you need to use a raw JSON query, which will be passed through to elasticsearch:

{ "bool" : { "must" : [ { "nested" : { "path" : "registrations", "query" : { "bool" : { "must" : [ { "match" : { "registrations.applicationId" : "c6b9de0c-2f71-4019-920b-58bc2d4206fc" } } ] } } } }, { "query_string" : { "query" : "tenantId:32306536-3036-6431-3865-646430303332" } } ] } }

(again, set your tenantId and applicationId.)

Note that you can't use the query JSON if you are using the database search engine. Here's how to switch between them: https://fusionauth.io/docs/v1/tech/tutorials/switch-search-engines

This data is required by us to create a management portal for both super admin who manages all the tenants/applications related information and for individual tenant admins who manages their own users and their related information.

You can build your own management portal, for sure. An alternative you may consider is creating FusionAuth users that have access to the FusionAuth application, but with limited permissions. That may or may not work for you, but you may want to evaluate it if you haven't had a chance (there are a number of predefined roles).

Hmmm.

Here's an issue tracking digitalocean database issues--some managed databases don't work right now: https://github.com/FusionAuth/fusionauth-issues/issues/95

The number of open connections should be around 10. I believe that is per fusionauth instance.

What were the specs you were seeing the issues with?

what version of fusionauth how many pods running it what version of postgres what size were the pods (in terms of memory and CPU) what are the replication steps to trigger the negative performance impacts

We've seen FusionAuth (the application) run in 64M of RAM. You can specify the maximum amount of memory used in the configuration file or via environment args. More here: https://fusionauth.io/docs/v1/tech/reference/configuration

Note that if you don't need advanced search functionality, you can use the database search engine and avoid running elasticsearch: https://fusionauth.io/docs/v1/tech/tutorials/switch-search-engines talks about how to switch between them. That may eliminate some of the memory pressure if you were running elastic.

There are many using FusionAuth in this manner, we don't currently offer any specific documentation on integrating with API Gateways.

I would love to have this documentation at some point, however as far as I know most if not all of the options I've seen have a fairly standard integration using a JWT.

Once you know what the Gateway such as Kong is looking for in the JWT to perform authorization you can use the JWT populate lambda to ensure the JWT has everything you need.

https://fusionauth.io/docs/v1/tech/lambdas/jwt-populate
https://fusionauth.io/docs/v1/tech/oauth/tokens

Hope that helps!

Yup, sticky sessions is the answer! Glad you were able to sort this out.

Hi,

If you are just using OAuth, I'd follow this tutorial from Microsoft: https://docs.microsoft.com/en-us/aspnet/mvc/overview/older-versions/using-oauth-providers-with-mvc

You can use OAuth with FusionAuth without using the client libraries at all. It's only when you need to call APIs outside of OAuth that you'll need the API key and the client libraries.

Let me know if that helps!

So there are a number of ways to approach this, but they'll all require you to write some code.

I don't know your current system or skillset, but this is how I'd do it:

have someone sign up to create a club in an application in the default tenant. create the tenant, but no users in the tenant. You could set defaults as needed. verify they are a real club (in whatever way you desire) on verification, add an application and a user account based on the account in the default teannt. Notify the user via email that their club account is now available. users can then sign in to the created application in the new tenant.

If you need the ability to deactivate the tenant, I'd write a script that deactivates all applications within a tenant and possibly deactivates the user in the default tenant. Note that when a user can't log in to an application, you may have to check carefully for an HTTP status, see more here.

Is there a way to customize the login process to check other conditions besides the credentials, in this case the 'verified' attribute?

If you are using the login API, you can check any number of items on the user or other objects, but you have to build your own pages. If you are using the OAuth grants or the provided login pages, there are no customizations like you suggest available. Please feel free to file a github issue with details of how you'd like this feature to work.

Hope this helps.

Hiya,

I see a method that looks useful: ExchangeOAuthCodeForAccessToken in this file:

https://github.com/FusionAuth/fusionauth-csharp-client/blob/master/src/main/csharp/FusionAuthClient.cs

Looks like it was released in version 1.12.0. What version are you using?

At this point, after the login process, do I have to apply for the token again with username and password? if I want to access the token from API?

When you get the access token, you can then present it to whatever needs to verify the user is logged in. If you enable refresh tokens, you can store that off and present it for a new access token without the user logging in again. Check out this post about how the authorization code grant works for more details.

.net core doesn't work with older frameworks of asp.net(4.5.2.) installation error.

I filed an issue about that. Not sure we can fix it, since ASP.NET 4.5.2 is over 5 years old, but at least we can take a look.