I am not able to execute update user APIs, it is giving 403 every time.
-
I am not able to execute update user APIs via Postman in FusionAuth; it is giving 403 every time, and get user is working fine. It looks like some permission-related changes were made in the latest FusionAuth version.
In an earlier version, I was able to execute the update user API using the API key.
However, the API key which I am using is a super user API key. Attaching the API key page screenshot.
Could someone guide me on how I can execute the FusionAuth update API via Postman?
-
Can you include the URL / endpoint you are trying to hit?
It might be most helpful to include the postman request. If you hit "console" at the bottom of the postman client it will list the complete request. You can obfuscate any sensitive information as needed.
Thanks,
Josh
-
Thanks @joshua for the reply.
This GET request is returning the expected user data.
GET https://<domain>/api/user/45e489ac-2d80-4f34-9fb7-82743ba70a0c
Header: authorization : <auth_key>
But the update user API with the same auth_key is returning a 403 status.
PUT https://<domain>/api/user/45e489ac-2d80-4f34-9fb7-82743ba70a0c
Header: authorization : <auth_key>
-
No problem @aman!
I might need a bit more of the request to accurately diagnose, but what you have provided so far is helpful.
Can you confirm if anything changes if you change to a patch request (put replaces everything, patch updates select attributes at that endpoint)? Or/And add an X-FusionAuth-TenantId to the headers field?
Thanks,
Josh
-
Thanks @joshua for the suggestions.
The PATCH https://<domain>/api/user/45e489ac-2d80-4f34-9fb7-82743ba70a0c API is giving the same 403.
Tried with tenant id "x-fusionauth-tenantid: 74995927-1234-5678-9012-07b593cdcbd1" and the API is giving the same 403.
FYI, this PUT API was working in the lower FusionAuth version 1.6.1, but recently I upgraded to FusionAuth version 1.25.0, so the same API is giving 403 on the new version.
They changed something in the new version; it looks like they added some security feature on the POST/PUT/PATCH APIs, and the GET API is working the same as earlier.
-
Updating the user worked for me. The next troubleshooting step would be to review your CORS configuration. Are you allowing a PUT / PATCH through? Are your allowed origins, etc. set up correctly?
You can check this by navigating to Settings > System > CORS tab. CORS can be tricky but that could be the source of your issue.
If you enable debug, you should see some helpful information in the System > Event Log or System > Logs.
https://fusionauth.io/docs/v1/tech/reference/cors/
Let me know if that helps!
Thanks,
Josh
-
You could even start by disabling the CORS filter just to narrow it down initially to a root cause.
-
@joshua it works.
Thank you so much for your support.
-
Glad you got it working!
Remember that CORS is a powerful tool. It's best to keep it enabled, once you nail down your configuration.
Thanks,
Josh
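
Added example, not part of the original thread and not FusionAuth's code: a simplified Python model of a server-side CORS filter, assuming it answers 403 when a request carries an Origin header and the origin or method is not allowed. The origin value, the `CorsConfig` class and the function names are constructed for illustration; it shows one configuration that produces the GET-works, PUT/PATCH-403 pattern from the thread, and the narrow fix that keeps the filter enabled.

```python
from dataclasses import dataclass, field


@dataclass
class CorsConfig:
    # Hypothetical stand-in for the settings on a CORS configuration page.
    enabled: bool = True
    allowed_origins: set = field(default_factory=set)
    allowed_methods: set = field(default_factory=set)  # upper-case verbs


def filter_status(cfg, method, headers):
    """Status this model's filter yields: 403 = rejected, 200/204 = passed on."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if not cfg.enabled or origin is None:
        return 200  # filter off, or no Origin header: not treated as CORS
    if "*" not in cfg.allowed_origins and origin not in cfg.allowed_origins:
        return 403  # unknown origin is rejected whatever the verb
    verb = method.upper()
    if verb == "OPTIONS" and "access-control-request-method" in h:
        # Preflight: the verb being asked for is what must be allowed.
        wanted = h["access-control-request-method"].upper()
        return 204 if wanted in cfg.allowed_methods else 403
    return 200 if verb in cfg.allowed_methods else 403


def probe(cfg, origin):
    """Send the thread's three verbs through the filter with identical headers."""
    headers = {"Authorization": "<auth_key>", "Origin": origin}
    return {m: filter_status(cfg, m, headers) for m in ("GET", "PUT", "PATCH")}


ORIGIN = "https://admin.example.test"  # constructed sample origin

# Reads allowed, writes not: reproduces "GET works, PUT/PATCH give 403".
read_only = CorsConfig(allowed_origins={ORIGIN},
                       allowed_methods={"GET", "OPTIONS"})
# Narrow fix: filter stays on, only the needed verbs are added for one origin.
fixed = CorsConfig(allowed_origins={ORIGIN},
                   allowed_methods={"GET", "OPTIONS", "PUT", "PATCH"})
# Diagnostic step only: with the filter off nothing is checked at all.
disabled = CorsConfig(enabled=False)

if __name__ == "__main__":
    for name, cfg in (("read_only", read_only), ("fixed", fixed),
                      ("disabled", disabled)):
        print(f"{name:10s} {probe(cfg, ORIGIN)}")
```

With the `fixed` configuration an origin outside the allowed list is still rejected for every verb, which is what disabling the filter gives up.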