FusionAuth forum: posts tagged "authorization"
Unsolved: "Invalid Authorization Code" while implementing the Authorization Code Flow with Proof Key for Code Exchange (PKCE)

Category: Q&A. Tags: oauth, pkce, authorization. Posted by apeksha.barhanpur. 0 votes, 3 posts, 2.8k views.

@dan

I actually got the issue resolved; I had PKCE configured as "Not Required". After I changed that to "Required", the flow worked as expected.

      Thanks.

Error 401 depends on API Key settings

Category: Comments & Feedback. Tags: api, authorization, settings. Posted by muravyov.alexey. 0 votes, 3 posts, 4.5k views.

I tried with all HTTP methods enabled for /api/user only, and it updates the user successfully.
But if I try with only the GET and PATCH methods enabled for /api/user, I get 'statusCode=401'.
Here is the code:

    import { FusionAuthClient, UserRequest } from '@fusionauth/typescript-client'
    ...
    export class FusionAuthService {
      private fusionAuthClient: FusionAuthClient;

      constructor(private context: Context) {
        this.fusionAuthClient = new FusionAuthClient(context.config.fusionAuth.apiKey, context.config.fusionAuth.apiUrl);
      }
      ...
      public async updateUser(userId: string, userRequest: UserRequest) {
        return this.fusionAuthClient.updateUser(userId, userRequest)
          .then(clientResponse => {
            logger.info("User:", JSON.stringify(clientResponse.response.user, null, 2));
          })
          .catch(logger.error);
      }
    }

Here is the invocation of the updateUser method, which happens on the 'user.registration.create' event:

    if (user) {
      const patchBody = {
        user: {
          email: event.user.email,
          data: { userId: user.id },
        },
      };
      await this.fusionAuthService.updateUser(event.user.id, patchBody);
    }

Now I understand that I use the updateUser method, and I don't know what kind of HTTP request it uses.
I have found patchUser, and with it I get success.

      Thanks for your help.

Additional resources for identity

Category: Q&A. Tags: authentication, authorization, resources. Posted by dan. 0 votes, 2 posts, 723 views.

      I have enjoyed these books:

https://www.manning.com/books/oauth-2-in-action (very specific to OAuth, lots of code)

https://www.apress.com/gp/book/9781484250945 (more focused on bigger identity strategies and problems)

      Also, the IDPro body of knowledge is free and useful:

      https://idpro.org/body-of-knowledge/

Can I get permissions granted to a user against an Entity in an OAuth grant?

Category: Q&A. Tags: entities, authorization, code grant. Posted by dan. 0 votes, 3 posts, 4.7k views.

      The ability to search grants for a user was a gap in our documentation. We have since released an update to showcase/describe the use case.

      https://fusionauth.io/docs/v1/tech/apis/entity-management/grants/#search-for-grants

Your API endpoint call will look like this:

    GET /api/entity/grant/search?userId={uuid}

      Additional possible filtering functionality is documented in this feature request.

Length of time for authorization code

Category: Q&A. Tags: authorization code grant, lifetime, duration. Posted by dan. 0 votes, 2 posts, 1.6k views.

It's configurable. If you go to the tenant details page, then to the Advanced tab, you'll see the setting there; it's called Authorization Code. It's also documented in the tenant API; search for tenant.externalIdentifierConfiguration.authorizationGrantIdTimeToLiveInSeconds here: https://fusionauth.io/docs/v1/tech/apis/tenants

      Looks like valid durations are between 1 and 600 seconds.

Solved: Does anyone have recommendations on how services should authenticate to apps that use FA?

Category: Q&A. Tags: api, authorization, oauth. Posted by dan. 0 votes, 2 posts, 8.2k views.

This seems like a case for the client credentials grant, which is unfortunately still on the roadmap: https://github.com/FusionAuth/fusionauth-issues/issues/155 Not sure that would help with the rotation, though. Just like the username and password approach, I don't believe the credentials grant lets you rotate creds in.

Other options: you could look into a third-party API management solution (as mentioned here).

      Could you use longer lived JWTs but then a webhook to revoke them, as outlined here: https://fusionauth.io/learn/expert-advice/tokens/revoking-jwts ?

      You can control the duration on an application by application basis (so all JWTs issued by one application have to have the same length). You could create a 'services' application that only these services would have registrations with, not sure if that would work.