FusionAuth

    I am not able to execute update user APIs, it is giving 403 every time.

    • aman

      I am not able to execute the update user APIs via Postman in FusionAuth; it gives 403 every time, and get user is working fine. It looks like some permission-related changes were made in the latest FusionAuth version.
      In the earlier version, I was able to execute the update user API using the API key.
      However, the API key which I am using is the Super user's API key. I am attaching a screenshot of the API key page.
      Could someone guide me on how I can execute the FusionAuth update API via Postman?
      Edit-API-Key-FusionAuth.png

      • joshua

        @aman

        Can you include the URL / endpoint you are trying to hit?

        It might be most helpful to include the Postman request. If you hit "console" at the bottom of the Postman client, it will list the complete request. You can obfuscate any sensitive information as needed.

        Thanks,
        Josh

        • aman

          Thanks @joshua for the reply.

          This GET request is returning the expected user data.

          GET https://<domain>/api/user/45e489ac-2d80-4f34-9fb7-82743ba70a0c
          Header: authorization : <auth_key>

          But the update user API with the same auth_key is returning a 403 status.
          PUT https://<domain>/api/user/45e489ac-2d80-4f34-9fb7-82743ba70a0c
          Header: authorization : <auth_key>

          • joshua

            No problem @aman!

            I might need a bit more of the request to accurately diagnose, but what you have provided so far is helpful.

            Can you confirm whether anything changes if you switch to a PATCH request (PUT replaces everything, PATCH updates select attributes at that endpoint)? And/or add an X-FusionAuth-TenantId to the headers field?

            Thanks,
            Josh

            • aman

              Thanks @joshua for the suggestions.

              The PATCH https://<domain>/api/user/45e489ac-2d80-4f34-9fb7-82743ba70a0c API is giving the same 403.

              I tried with the tenant ID "x-fusionauth-tenantid: 74995927-1234-5678-9012-07b593cdcbd1" and the API is giving the same 403.

              FYI, this PUT API was working in the lower FusionAuth™ version 1.6.1, but recently I upgraded to FusionAuth™ version 1.25.0, so the same API is giving 403 on the new version.
              They changed something in the new version; it looks like they added some security feature on the POST/PUT/PATCH APIs, and the GET API is working the same as earlier.

              • joshua

                @aman

                Updating the user worked for me. The next troubleshooting step would be to review your CORS configuration. Are you allowing a PUT / PATCH through? Are your allowed origins, etc. set up correctly?

                You can check this by navigating to the Settings > System > CORS tab. CORS can be tricky, but that could be the source of your issue.

                If you enable debug, you should see some helpful information in System > Event Log or System > Logs.

                https://fusionauth.io/docs/v1/tech/reference/cors/

                Let me know if that helps!

                Thanks,
                Josh

                • joshua

                  You could even start by disabling the CORS filter just to narrow it down initially to a root cause.
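
A simplified model of the checks joshua's two posts point at (allowed origins, allowed methods, and disabling the filter to isolate the cause), added here as an illustration; it is not FusionAuth's code and not part of the original posts. It assumes a conventional server-side CORS filter that rejects disallowed requests with 403; `CorsConfig`, `evaluate`, `triage`, the sample origin and the method lists are all hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CorsConfig:
    """Hypothetical settings object; field names are not FusionAuth's."""
    enabled: bool
    allowed_origins: frozenset   # "*" means any origin
    allowed_methods: frozenset


def evaluate(config, method, headers):
    """Return (allowed, reason) for one request, looking at CORS only."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    origin = hdrs.get("origin")
    if not config.enabled:
        return True, "CORS filter disabled"
    if origin is None:
        return True, "no Origin header, so not a CORS request"
    if "*" not in config.allowed_origins and origin not in config.allowed_origins:
        return False, f"403: origin {origin} is not allowed"
    # A preflight (OPTIONS) asks about the method of the request that follows it.
    wanted = method.upper()
    if wanted == "OPTIONS" and "access-control-request-method" in hdrs:
        wanted = hdrs["access-control-request-method"].upper()
    if wanted not in config.allowed_methods:
        return False, f"403: method {wanted} is not allowed"
    return True, "origin and method allowed"


# Constructed sample data: origin and method lists are illustrative only.
ORIGIN = "https://app.example.com"
HEADERS = {"Origin": ORIGIN, "Authorization": "<auth_key>"}
STRICT = CorsConfig(True, frozenset({ORIGIN}), frozenset({"GET", "POST", "OPTIONS"}))
FIXED = CorsConfig(True, frozenset({ORIGIN}),
                   frozenset({"GET", "POST", "OPTIONS", "PUT", "PATCH"}))
DISABLED = CorsConfig(False, frozenset(), frozenset())


def triage(config, headers=HEADERS):
    """Map each method from the thread to the filter's decision."""
    return {m: evaluate(config, m, headers) for m in ("GET", "PUT", "PATCH")}


if __name__ == "__main__":
    for name, cfg in (("strict", STRICT), ("fixed", FIXED), ("disabled", DISABLED)):
        for method, (ok, reason) in triage(cfg).items():
            print(f"{name:8} {method:5} {'pass' if ok else 'reject'}  {reason}")
```

With the same key and headers, only the allowed-method list separates the rejected PUT from the accepted one, which is why the API key's permissions are not the first thing to suspect when GET succeeds and PUT/PATCH return 403.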

                  • aman

                    @joshua it works.
                    Thank you so much for your support. 🙇

                    • joshua

                      @aman

                      Glad you got it working!

                      Remember that CORS is a powerful tool. It's best to keep it enabled once you nail down your configuration.

                      Thanks,
                      Josh
