    • dan

      UNSOLVED When and how should I validate a JWT issued by FusionAuth?
      Q&A • jwt validation • • dan

      2
      0
      Votes
      2
      Posts
      24
      Views

      dan

      Validating the token on every new connection is considered best practice as it is the most secure.

      There are two ways to validate a token. You can do it within your own application code leveraging a library that checks the signature and validates the claims (this only works when you sign your JWTs with a public key). Or you can do it by calling out to FusionAuth, and then validating the claims. For scalability/simplicity reasons, we recommend using the library unless there are reasons it won't work.

      By doing this server side using a library you no longer need to make the API call to FusionAuth to perform the validation. You would only need the public key of whichever signing key was used by FusionAuth. More on that here: https://fusionauth.io/docs/v1/tech/core-concepts/key-master#overview
      The public key is available via JWKS.

      When using keys we also recommend you think about key rotation, explained in more detail here: https://fusionauth.io/docs/v1/tech/tutorials/key-rotation

      If you decide on leveraging the endpoints (making a call to FusionAuth) for validation, here are a couple links that can be used depending on your scenario.

      https://fusionauth.io/docs/v1/tech/apis/jwt#validate-a-jwt (proprietary)
      https://fusionauth.io/docs/v1/tech/oauth/endpoints#userinfo (part of the OIDC standard)

      In both cases, you must validate the claims. Some are standard, as outlined here: https://fusionauth.io/learn/expert-advice/tokens/anatomy-of-jwt#claims-to-verify

      But there may be app specific custom claims your code should verify too.

    • dan

      How can I pass info from a external identity provider to a JWT in FusionAuth
      Q&A • jwt identity provider customization • • dan

      2
      0
      Votes
      2
      Posts
      68
      Views

      dan

      The way to do this is to use the user.data or registration.data objects as a transfer mechanism.

      If you are using OIDC (SAML is much the same, but I'll use OIDC as an example), you can create an OIDC Reconcile Lambda. It might look like this:

      // Using the JWT returned from UserInfo, reconcile the User and User Registration.
      function reconcile(user, registration, jwt) {
        user.data.favoriteColor = jwt.favoriteColor;
      }

      So the jwt in this case is that returned from the OIDC identity provider. We store the data in user.data.

      Now we need to pull it off of the user.data object using a JWT populate lambda. That might look a little something like this:

      // Using the user and registration parameters add additional values to the jwt object.
      function populate(jwt, user, registration) {
        jwt.favoriteColor = user.data.favoriteColor;
      }

      favoriteColor is now available as a claim in the JWT produced by FusionAuth.

      Don't forget to assign your lambdas to the correct operations. The OIDC Identity provider needs to be configured with the reconcile lambda. The application's JWT tab is the right place to configure the use of the JWT populate lambda.

      More information on all the lambda options available here: https://fusionauth.io/docs/v1/tech/lambdas/
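
      The reconcile-then-populate hand-off above, as an added example that is not from the original post or from FusionAuth. The two lambda signatures (reconcile(user, registration, jwt) and populate(jwt, user, registration)) are the ones FusionAuth documents; everything else is an assumption made for the example: the set of carried claims (favoriteColor plus the locale and timezone claims asked about later on this page), the idp namespace under user.data, and the simulateLogin harness that stands in for FusionAuth calling the lambdas. The point it adds beyond the snippets above is the failure mode: a later login where the identity provider omits a claim must not wipe out the value already stored on the user, and a user with no user.data yet must not make the lambda throw.

```javascript
// Added example (not FusionAuth's code): reconcile -> populate with guards for
// missing or partial identity-provider data. Claim names, the user.data.idp
// namespace and the harness are assumptions for illustration.

// Claims to carry over from the external IdP's token, mapped to the claim name
// they get in the FusionAuth-issued JWT. (Assumed names.)
const CARRIED_CLAIMS = { favoriteColor: 'favoriteColor', locale: 'locale', zoneinfo: 'timezone' };

// OIDC reconcile lambda: runs when FusionAuth links a login from the external IdP.
// `jwt` here is the token returned by the external provider.
function reconcile(user, registration, jwt) {
  user.data = user.data || {};          // a brand-new user may have no data object yet
  user.data.idp = user.data.idp || {};  // keep IdP-sourced values in their own namespace
  for (const claim of Object.keys(CARRIED_CLAIMS)) {
    // Copy only claims the IdP actually sent; otherwise keep what was stored last time.
    if (jwt[claim] !== undefined && jwt[claim] !== null) {
      user.data.idp[claim] = jwt[claim];
    }
  }
}

// JWT populate lambda: runs when FusionAuth issues its own access/id token.
// `jwt` here is the token FusionAuth is about to sign.
function populate(jwt, user, registration) {
  const stored = (user.data && user.data.idp) || {};
  for (const [claim, outName] of Object.entries(CARRIED_CLAIMS)) {
    if (stored[claim] !== undefined) jwt[outName] = stored[claim];
  }
}

// Harness (constructed, not part of FusionAuth): emulates one login by running the
// reconcile lambda with the IdP token, then the populate lambda for the issued token.
function simulateLogin(idpToken, existingUserData = {}) {
  const user = { id: 'user-1', data: { ...existingUserData } };
  const registration = { applicationId: 'app-1', roles: ['user'] };
  reconcile(user, registration, idpToken);
  const issued = { sub: user.id, roles: registration.roles };
  populate(issued, user, registration);
  return issued;
}

// First login: the IdP sends favoriteColor and zoneinfo but no locale.
console.log(simulateLogin({ sub: 'ext-42', favoriteColor: 'green', zoneinfo: 'Europe/Berlin' }));
// Later login: the IdP omits favoriteColor; the stored value must survive.
console.log(simulateLogin({ sub: 'ext-42', locale: 'de-DE' }, { idp: { favoriteColor: 'green' } }));
```

      In the real deployment the two functions are pasted into two separate lambdas in the FusionAuth admin UI, and only the function bodies matter; the harness exists so the behaviour can be checked locally before the lambdas are assigned.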

    • dan

      Do you support adding headers to the fusionauth generated jwt
      Q&A • jwt header • • dan

      2
      0
      Votes
      2
      Posts
      58
      Views

      dan

      No, FusionAuth doesn't support adding JWT headers to FusionAuth generated JWTs. I looked at the code and don't think it'd be a ton of work to add support; there's already some scaffolding in the fusionauth-jwt OSS project.

      I highly encourage anyone with this problem to file a feature request here with more details about your needs: https://github.com/fusionauth/fusionauth-issues/issues

      We consult that in our roadmap planning. We also offer professional services if you need us to build it on a schedule. Please send a request to our sales department if that is an option you'd like to pursue.

      An alternative would be to build a service that would re-sign your JWTs from FusionAuth with the needed header changes. Not optimal, I understand, but another avenue that might get you what you need.

    • dan

      Getting error with OIDC identity provider
      Q&A • oidc jwt userinfo • • dan

      2
      0
      Votes
      2
      Posts
      53
      Views

      dan

      That is an encoded (signed) JWT being sent in response to the user info request that the FusionAuth OIDC identity provider is making.

      This is technically allowed in the OIDC spec, but we do not currently support this response type.

      Per spec, the endpoint should support a JSON response which is the default unless the client requests a signed or encrypted response body.

      I would look at how your client is registered and see if it is asking for a JWT userinfo response at that time, and change it to be a normal JSON response. You could also file an issue detailing your needs for FusionAuth to support this user info response type.

      If that isn't an option, you could also look at using a SAML Identity Provider if the remote identity source supports that.

    • dan

      Can you store JWTs in session cookies
      Q&A • jwt sessions cookies • • dan

      2
      0
      Votes
      2
      Posts
      73
      Views

      dan

      Yes. You can use the Authorization Code grant with cookies. Here is a workflow diagram of this: https://fusionauth.io/learn/expert-advice/authentication/webapp/oauth-authorization-code-grant-jwts-refresh-tokens-cookies/

    • dan

      Revoking access tokens
      Q&A • jwt token revocation • • dan

      2
      0
      Votes
      2
      Posts
      150
      Views

      dan

      No, those tokens are completely decoupled from FusionAuth (in a fundamental way, that is the point of those tokens).

      There are revocation strategies however, but they require some additional work.

      Here is one strategy we have documented: https://fusionauth.io/learn/expert-advice/tokens/revoking-jwts/

    • dan

      Should I validate my JWTs with FusionAuth or locally?
      Q&A • jwt validation • • dan

      2
      0
      Votes
      2
      Posts
      73
      Views

      dan

      You should always validate your JWT locally.

      As outlined in this doc, you need to make sure, at a minimum, that the aud, roles, and iss claims are as expected, and that can only be done by looking at a JWT and examining those claims. If you use a library that supports JWKS, doing this should be super simple.

      Note that the FusionAuth API endpoint validates JWTs at a basic level. It ensures that the JWT hasn't expired and that it was signed correctly.

      The reasons to use the API endpoint are:

      • If you have an HMAC signed JWT and you don't want to share the secret with the JWT consumer
      • If you have no JWT library that is available (whether because it hasn't been written, or you don't want to deploy it with your application)
      • You are willing to accept a network call instead of loading up such a library

    • K

      fusionauth-example-asp-netcore: Malformed client_id
      Q&A • dotnet docker error jwt cookies • • kwatters

      3
      0
      Votes
      3
      Posts
      76
      Views

      dan

      That's great to hear, glad you figured it out!

    • dan

      Validation of signed JWTs in an offline manner
      Q&A • jwt validation • • dan

      2
      0
      Votes
      2
      Posts
      208
      Views

      dan

      If you want to skip calling FusionAuth for each of these validation events, you can validate the JWT on your end without a network call.

      If you configure a key pair (public + private) to sign your JWT, then the public key will be available in the JWKS. Many libraries exist that will validate JWTs using JWKS.

      https://fusionauth.io/docs/v1/tech/oauth/endpoints/#openid-configuration
      https://fusionauth.io/docs/v1/tech/oauth/endpoints/#json-web-key-set-jwks

    • dan

      Different JWT expiration times based on how they are generated
      Q&A • jwt expiration api oidc • • dan

      2
      0
      Votes
      2
      Posts
      59
      Views

      dan

      The JWT TTL can be configured per application, so if you were using a different application for OIDC vs an API - then you could do it.

      But if you don't want to use multiple applications, then it is not possible, at least currently.

      I could see a use case for asking for a JWT with a TTL equal to or less than the configuration and that request being honored, that could be a feature request. But as of right now, the only option is different applications.

    • A

      Token type?
      Q&A • jwt access tokens python fusionauth • • AliMirlou

      3
      0
      Votes
      3
      Posts
      75
      Views

      A

      Seems like the library I used is opinionated. Thanks for the hints.

    • dan

      Are FusionAuth access tokens always JWTs?
      Q&A • jwt access tokens • • dan

      2
      0
      Votes
      2
      Posts
      33
      Views

      dan

      Yes. While OAuth2 access tokens aren't guaranteed by the spec to be JSON web tokens, in FusionAuth access tokens are always JWTs.

    • dan

      Anonymous tokens
      Q&A • anonymous jwt • • dan

      2
      0
      Votes
      2
      Posts
      137
      Views

      dan

      Not currently.

      You could create a single user called anonymous and auth that user to get a generic token.

      There is an open issue for a more elegant solution; feel free to upvote it: https://github.com/FusionAuth/fusionauth-issues/issues/525

    • dan

      When migrating, what happens to our existing tokens
      Q&A • migration jwt • • dan

      2
      0
      Votes
      2
      Posts
      34
      Views

      dan

      This depends on how the JWT was signed, but is probably fine, especially if JWTs are only used in APIs. It's very typical to want to ensure that existing JWTs are accepted as long as they haven't expired. You'll also need to ensure that new JWTs from FusionAuth are also accepted.

      So this is really a question of making sure the JWT producers and consumers have the correct signing secrets.

      You can solve this by sharing the secrets between the old system and FusionAuth (check out Key Master to import existing keys), or by making sure your clients can look up the keys from a JWKS endpoint from both the old and the new system.

    • dan

      Token difference when account hasn't been verified
      Q&A • email verification jwt • • dan

      2
      0
      Votes
      2
      Posts
      35
      Views

      dan

      The JWT (id_token or access_token) will contain the email_verified claim with a value of true or false, so if you wish to limit privilege based upon this state, that would be a good way to do it.

    • dan

      Can we use FA as a SSO provider for another platform?
      Q&A • sso jwt • • dan

      4
      0
      Votes
      4
      Posts
      7010
      Views

      dan

      You're correct. That is not a standard redirect URL. You could easily build some glue code to look like an OpenID Connect compliant SP and then handle the redirect yourself. I am not super familiar with some of the OpenID Connect server options, but something like Hydra may be useful here. Perhaps some others from the community here can help with off the shelf options if you don't want to code it yourself.

      But coding it yourself may be the easiest; if you coded it in Node or something like that, it would be super simple: you'd have FusionAuth redirect to your Node app and then you'd redirect to the video platform.

    • dan

      I want to pass the locale and timezone info to apps via a JWT
      Q&A • jwt timezone locale • • dan

      3
      0
      Votes
      3
      Posts
      360
      Views

      dan

      There's additional localization and internationalization doc that was written recently here: https://fusionauth.io/docs/v1/tech/core-concepts/localization-and-internationalization/

    • dan

      SOLVED Can I automatically rotate my JWT signing keys?
      Q&A • jwt keys rotation • • dan

      3
      0
      Votes
      3
      Posts
      87
      Views

      dan

      The team wrote a tutorial outlining how to rotate keys, including signing keys: https://fusionauth.io/docs/v1/tech/tutorials/key-rotation/

    • S

      UNSOLVED Is it safe to get access to GET /api/jwt/refresh?userId={userId} method?
      Q&A • security jwt • • szwejkc

      2
      0
      Votes
      2
      Posts
      36
      Views

      dan

      Hiya,

      When you say "Everybody can see authorization key." who do you mean? Do you mean anyone with access to the FusionAuth admin console? Or some other set of users?

    • dan

      SOLVED How does one add custom claims to the JWT issued by the OAuth flow?
      Q&A • claims jwt oauth • • dan

      2
      0
      Votes
      2
      Posts
      330
      Views

      dan

      In general you are going to want to use a Lambda to populate additional claims: https://fusionauth.io/docs/v1/tech/lambdas/jwt-populate

      This issue has some notes about Hasura in particular: https://github.com/FusionAuth/fusionauth-issues/issues/61