Is there a way to update user data in the UI?

I'd like to update the user data object in the UI. I know I can do it via the API: https://fusionauth.io/docs/v1/tech/apis/users

https://fusionauth.io/blog/2021/04/01/fusionauth-introduces-simplepass/

I have a quick question about FusionAuth and configuring the inactivity timeout of the session cookie it creates. Specifically... Is it possible?

There's now an open source terraform provider available: https://github.com/gpsinsight/terraform-provider-fusionauth

It's also on the registry: https://registry.terraform.io/providers/gpsinsight/fusionauth/latest

Can you run FusionAuth in Kubernetes?

Is modifying the JWT via a lambda equivalent to accessing the verified property of the user profile?

Within a lambda, you have access to the user and registration properties. So you'd pull the verified property from wherever you wanted and put it into the JWT as a custom claim. Here's a blog post about how that might work.

So yes, it is the same data. It's the tradeoff between a bigger JWT and having to make the additional call from your API.

Don't forget that the JWT will live for a while, so if this sequence happens and you use the JWT, you might have a user with a verified email prevented from using the API.

1. user registers
2. JWT issued, with verified set to false because the user isn't verified.
3. User verifies their email
4. User visits API, but is denied because the JWT has stale data.

I don't know timelines and how long your JWTs live for, but this is something to consider. Does that answer your question?

Symmetric keys are not returned on the JWKS endpoint, as they don't have a public key. Per the docs this api:

returns public keys generated by FusionAuth, used to cryptographically verify JWTs using the JSON Web Key format

If you create an RSA or EC key which is an asymmetric key pair - the public key will be returned on the JWKS endpoint. If you don’t have any key pairs configured , it will be empty. Out of the box, you’ll only have one HMAC key which we don’t publish in JWKS.

Ah, I just tested this out and if you don't need it in the JWT, you should be able to see it in the registrations object returned after login.

Here's a response I get after logging in:

{
  "token": "ey...",
  "user": {
    "active": true,
    "connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
    "email": "email@example.com",
    "id": "2df13f18-01cc-48a4-b97a-2ab04f98d006",
    "insertInstant": 1592857899119,
    "lastLoginInstant": 1596819645662,
    "lastUpdateInstant": 0,
    "passwordChangeRequired": false,
    "passwordLastUpdateInstant": 1592857899145,
    "registrations": [
      {
        "applicationId": "78bd26e9-51de-4af8-baf4-914ea5825355",
        "id": "73d2317b-d196-4315-aba2-3c205ed3ccae",
        "insertInstant": 1592857899151,
        "lastLoginInstant": 1592857899153,
        "lastUpdateInstant": 1596813810104,
        "roles": [
          "Role1"
        ],
        "usernameStatus": "ACTIVE",
        "verified": true
      }
    ],
    "tenantId": "1de156c2-2daa-a285-0c59-b52f9106d4e4",
    "twoFactorDelivery": "None",
    "twoFactorEnabled": false,
    "usernameStatus": "ACTIVE",
    "verified": true
  }
}

So user.applicationId.roles is what you want. Note that roles are applied on an application by application basis. If a user is in a group which has a role 'roleA' which is created in 'applicationA', but is not registered for 'applicationA', they won't receive that role. More on that here: https://fusionauth.io/docs/v1/tech/core-concepts/groups

OK, we just released 1.18.8 and that is the version you want to use:

In requirements.txt:

fusionauth-client==1.18.8

And then this is the call you want to make (with client_id before redirect_uri) :

 resp = client.exchange_o_auth_code_for_access_token(request.args.get("code"), client_id, "http://localhost:5000/oauth-callback", client_secret)

Hiya,

First off, we'd recommend having all the flow you outline be over TLS. That's good enough for most major ecommerce systems and so shouldn't be insecure. If you aren't serving your application over TLS, then I'd advise doing so. And note that the flow is actually:

My Frontend --> My Backend --> FusionAuth API

There's no password returned from the registration API call.

If you are concerned about a new user's password being insecurely transmitted through your application, you could use the FusionAuth hosted login pages and theme them to be like your application. (More docs.)

The other option, which takes encrypted passwords, is the Import Users API, but that's probably not a fit for one off registrations. There are no plans to accept encrypted passwords for one off user registrations. Here's a related issue you can weigh in on/vote up if you'd like. Or feel free to open a new issue if that one doesn't capture the essence of your idea.

Are there specific security concerns you have around your front end/back end systems that I might be missing?

This is totally possible.

You want to start by understanding FusionAuth passkey setup and the normal flow.

Then, in your application, probably using one of the client libraries, you want to do the following for a user:

• see if a user has a passkey set up, using the "retrieve a passkey" API. If this returns 0 passkeys, show the prompt.
• for the prompt, you have two options:
  • use the API/client library to start the passkey registration process from within your application directly
  • send them to the user management page to add a passkey (requires a paid license)

The right way to do the latter depends on your application needs (are you okay with a redirect) and whether or not you have at least a starter license.

For reporting on the number of users that have set up passkeys, unfortunately you have to query all your users and then pull the passkey data individually. There's no way to use the elasticsearch syntax to do the query as of yet. There's an open github issue to add that functionality.

I have an application using FusionAuth, and I want to prompt my end users to set up passkeys. Having this authentication method will improve their security and ease their future logins.

I know I can enable passkeys for FusionAuth using the community edition license, but how can I add a prompt in my application code/UI to have them set it up?

@brad sounds super frustrating.

I'll send you a message.

You should start by checking the relevant google documentation.

As of writing, this is what their doc says:

Using the email, email_verified and hd fields, you can determine if Google hosts and is authoritative for an email address. In the cases where Google is authoritative, the user is known to be the legitimate account owner, and you may skip password or other challenge methods.

Cases where Google is authoritative:

email has a @gmail.com suffix, this is a Gmail account.
email_verified is true and hd is set, this is a Google Workspace account.

Users may register for Google Accounts without using Gmail or Google Workspace. When email does not contain a @gmail.com suffix and hd is absent, Google is not authoritative and password or other challenge methods are recommended to verify the user. email_verified can also be true as Google initially verified the user when the Google account was created, however ownership of the third party email account may have since changed.

So in this case, you want to check that hd is set as well as that email_verified is true.

With FusionAuth, you can check this using a reconcile lambda and looking at the id_token:

• https://fusionauth.io/docs/extend/code/lambdas/google-reconcile
• https://fusionauth.io/docs/extend/code/lambdas/openid-connect-response-reconcile

What claims should I check when using google as an identity provider when I'm interested in making sure it is a google workspace account?

We have a docs MCP server.

This lets your MCP compatible IDE or client ask questions of all the FusionAuth docs, YouTube videos, Terraform provider, OpenAPI spec and more.

More details: https://fusionauth.io/docs/get-started/download-and-install/development/docs-mcp-server

Note that this functionality (logging in with a phone number) was delivered in 1.59.

More details here: https://fusionauth.io/blog/announcing-fusionauth-1-59

Hi FusionAuth community,

We just released a preview MCP server that allows you to control a FusionAuth instance from within any MCP client (Cursor, Claude Desktop, any agent that uses MCP, etc).

You can see the announcement blog post here: https://fusionauth.io/blog/fusionauth-mcp-server

And the GitHub repo, which includes installation instructions, is here: https://github.com/FusionAuth/fusionauth-mcp-api/

We'd love your feedback; feel free to leave it here.

See more details here: https://fusionauth.io/docs/get-started/download-and-install/docker#docker-tags

Just an FYI, as of 1.59.0, phone number verification is now fully supported in FusionAuth.

Read more here: https://fusionauth.io/docs/lifecycle/manage-users/verification/gate-accounts-until-user-phone-verified