FusionAuth
Topics tagged: authorization

    Unsolved "Invalid Authorization Code" while implementing the Authorization Code Flow with Proof Key for Code Exchange (PKCE)

    Q&A | tags: oauth pkce authorization | posted 10 Feb 2022, 20:35 | last reply apeksha.barhanpur, 17 Feb 2022, 17:52
    0 votes, 3 posts, 2.9k views

    apeksha.barhanpur, 17 Feb 2022, 17:52:

    @dan

    I actually got the issue resolved; I had PKCE configured as "Not Required". After I changed that to "Required", the flow worked as expected.

    Thanks.

    error 401 depends on API Key settings

    Comments & Feedback | tags: api authorization settings | posted 30 Dec 2021, 12:50 | last reply muravyov.alexey, 6 Jan 2022, 09:12
    0 votes, 3 posts, 4.6k views

    muravyov.alexey, 6 Jan 2022, 09:12:

    I tried with all HTTP methods enabled for /api/user only, and it updated the user successfully.
    But if I tried with only the GET and PATCH methods enabled for /api/user, I get 'statusCode=401'.
    Here is the code:

        import { FusionAuthClient, UserRequest } from '@fusionauth/typescript-client'
        ...
        export class FusionAuthService {
          private fusionAuthClient: FusionAuthClient;

          constructor(private context: Context) {
            // API key and base URL come from the service configuration
            this.fusionAuthClient = new FusionAuthClient(
              context.config.fusionAuth.apiKey,
              context.config.fusionAuth.apiUrl
            );
          }
          ...
          // updateUser() in the client issues a PUT to /api/user/{userId}
          public async updateUser(userId: string, userRequest: UserRequest) {
            return this.fusionAuthClient.updateUser(userId, userRequest)
              .then(clientResponse => {
                logger.info("User:", JSON.stringify(clientResponse.response.user, null, 2));
              })
              .catch(logger.error);
          }
        }

    Here is the invocation of the updateUser method, which happens on the 'user.registration.create' event:

        if (user) {
          const patchBody = {
            user: {
              email: event.user.email,
              data: { userId: user.id },
            },
          };
          await this.fusionAuthService.updateUser(event.user.id, patchBody);
        }

    Now I understand that I use the updateUser method and I didn't know what kind of HTTP request it used.
    I have found patchUser, and with it I get success.

    Thanks for your help.

    Additional resources for identity

    Q&A | tags: authentication authorization resources | posted 27 Oct 2021, 14:54 | last reply dan, 27 Oct 2021, 14:54
    0 votes, 2 posts, 730 views

    dan, 27 Oct 2021, 14:54:

    I have enjoyed these books:

    https://www.manning.com/books/oauth-2-in-action (very specific to OAuth, lots of code)

    https://www.apress.com/gp/book/9781484250945 (more focused on bigger identity strategies and problems)

    Also, the IDPro body of knowledge is free and useful:

    https://idpro.org/body-of-knowledge/

    Can I get permissions granted to a user against an Entity in an OAuth grant

    Q&A | tags: entities authorization code grant | posted 30 Jun 2021, 20:59 | last reply dan, 6 Dec 2021, 18:08
    0 votes, 3 posts, 4.8k views

    dan, 6 Dec 2021, 18:08:

    The ability to search grants for a user was a gap in our documentation. We have since released an update to showcase/describe the use case.

    https://fusionauth.io/docs/v1/tech/apis/entity-management/grants/#search-for-grants

    Your API endpoint call will look like this:

    GET /api/entity/grant/search?userId={uuid}

    Additional possible filtering functionality is documented in this feature request.

    Length of time for authorization code

    Q&A | tags: authorization code grant lifetime duration | posted 9 Sept 2020, 21:03 | last reply dan, 9 Sept 2020, 21:04
    0 votes, 2 posts, 1.6k views

    dan, 9 Sept 2020, 21:04:

    It's configurable. If you go to the tenant details page, then to the Advanced tab, you'll see the setting there; it's called Authorization Code. It's also documented in the tenant API, search for tenant.externalIdentifierConfiguration.authorizationGrantIdTimeToLiveInSeconds here: https://fusionauth.io/docs/v1/tech/apis/tenants

    Looks like valid durations are between 1 and 600 seconds.

    Solved Does anyone have recommendations on how services should authenticate to apps that use FA?

    Q&A | tags: api authorization oauth | posted 11 May 2020, 17:36 | last reply dan, 11 May 2020, 17:39
    0 votes, 2 posts, 8.3k views

    dan, 11 May 2020, 17:39:

    This seems like a case for the client credentials grant, which is unfortunately still on the roadmap: https://github.com/FusionAuth/fusionauth-issues/issues/155. Not sure that would help with the rotation, though. Just like the username and password approach, I don't believe the credentials grant lets you rotate creds in.

    Other options: you could look into a third party api management solution (as mentioned here).

    Could you use longer lived JWTs but then a webhook to revoke them, as outlined here: https://fusionauth.io/learn/expert-advice/tokens/revoking-jwts ?

    You can control the duration on an application by application basis (so all JWTs issued by one application have to have the same length). You could create a 'services' application that only these services would have registrations with, not sure if that would work.