
    akira

    @akira


    administrators

    Latest posts made by akira

    • RE: If I can decode a JWT, then how are they secure?

      Good question.

      JWTs are either signed or encrypted. For the most part, you will encounter signed JWTs. When a JWT is created by an authorization server, it is signed. The signature essentially functions as a way to say "this payload has been signed using this algorithm. If the payload is different than what was signed, then this JWT is invalid." It is important to not pass sensitive data in a JWT payload for the reason that it can be viewed, but if a malicious actor tries to tamper with the JWT, the signature will no longer match it, and it will be invalid.

      posted in Q&A
      akira
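The two halves of the answer above, as an added example that is not code from the post or from FusionAuth: a minimal HS256 signer and verifier built only on Python's standard library. It shows that the payload decodes without any key (so nothing sensitive belongs in it), and that a payload changed after signing, or checked against the wrong key, no longer verifies. The secret key and the claims are constructed for the demo; a real verifier would also check claims such as exp, iss and aud, which this example omits.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real HS256 key is a high-entropy random value.
KEY = b"constructed-demo-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWTs use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """Re-add the padding a JWT segment strips off, then decode."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Produce header.payload.signature with an HMAC-SHA256 signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> dict:
    """What a JWT debugger does: read the payload. No key is needed."""
    _, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the payload only if the signature matches; otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        presented_sig = b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm: never trust the token's header to pick it for us.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison avoids leaking where the signatures diverge.
    if not hmac.compare_digest(expected, presented_sig):
        return None
    return json.loads(b64url_decode(payload_b64))


def edit_payload_without_key(token: str, new_claims: dict) -> str:
    """Rewrite the payload but keep the old signature, as a tamperer without the key would."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(new_claims)
    new_payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload_b64}.{sig_b64}"


# Constructed claims for the demo.
TOKEN = sign_hs256({"sub": "user-123", "roles": ["user"]}, KEY)

if __name__ == "__main__":
    print("readable without key:", decode_unverified(TOKEN))
    print("verifies with key:   ", verify_hs256(TOKEN, KEY) is not None)
    forged = edit_payload_without_key(TOKEN, {"roles": ["admin"]})
    print("forged still readable:", decode_unverified(forged)["roles"])
    print("forged verifies:      ", verify_hs256(forged, KEY) is not None)
```

Run it as a script to see the contrast: both the genuine and the edited token decode, but only the genuine one passes verify_hs256. The same structure applies to FusionAuth's RS256 tokens, where the resource server verifies with the public key from the JWKS endpoint instead of a shared secret.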
    • If I can decode a JWT, then how are they secure?

      FusionAuth issues a lot of JWTs. But since I can grab any JWT from the browser and decode it using a JWT debugger, how could this be considered secure?

      posted in Q&A
      akira
    • RE: What are the different servers called in an OAuth flow?

      The server that issues and signs the JWT is called the Authorization Server. This is what FusionAuth is, as we issue and sign the JWTs which are then presented to other servers via API calls.

      The servers that are connected to resources that a user is trying to access by first authenticating with a JWT are called Resource Servers.

      So, for example, if you have a ToDo app, where a user is trying to access a list of ToDo items, the user would first authenticate with the external IdP. Then the JWT is issued by that IdP, passed to the client, and then the client would present that JWT to the resource server to gain access to the ToDo items.

      For what it's worth, in SAML the auth server coincides with the IdP, and the resource server coincides with the Relying Party.

      posted in Q&A
      akira
    • What are the different servers called in an OAuth flow?

      I want to know what the different servers involved are called in the OAuth flow using JWTs. I know one of the servers issues the JWT, and the other server validates the JWT, but I don't know what these servers are named. Can you tell me?

      posted in Q&A
      akira
    • RE: Apple SignIn Issue

      Hi @ivona, thank you for writing in!

      Can you let me know of any output in the error event log for both OAuth and apple config? This may help to troubleshoot this issue.

      In the meantime, please feel free to take a look at some of our similar, Apple-related posts on our forum. Here are a couple of posts that may prove useful:

      https://fusionauth.io/community/forum/topic/752/not-able-to-login-with-apple-id/6
      https://fusionauth.io/community/forum/topic/752/not-able-to-login-with-apple-id

      In the meantime I will dig further into this issue on my end and see if I can reproduce it.

      Talk soon,

      Akira

      posted in Q&A
      akira
    • RE: How to trigger user.email.verified webhook when user clicks the link in their email

      Hi @travis-milum, thanks for writing in!

      I'm curious what version of FusionAuth you are using. That may help clear some of this up.

      Please let me know, thank you!

      Akira

      posted in General Discussion
      akira
    • RE: Awkward OAuth logout in mobile app

      Hi @elliotdickison, thanks for writing in!

      I'll answer your questions one at a time here:

      Are we doing something really wrong, or is this a reasonable issue to be facing?

      • You aren't doing anything wrong. By default, FusionAuth logs out of all applications that are configured with SSO. There are some detailed guides on how this happens here and here.

      Is there a way to revoke the SSO session with an API call, or is the GET request essential for clearing cookies?

      • You can potentially configure the Logout URL in your code to only end the session for the one particular application, and not redirect to a global /endsession endpoint. There is no way to revoke the SSO session without the GET request, as we need to remove the cookies. I suppose we could provide an API to kill the session, but we don't have that. Please feel free to file an issue with this request.

      If the GET request is essential, is there a way we can get FusionAuth to show some sort of "Logout successful" message before redirecting so opening the browser doesn't feel pointless from a UX perspective?

      • We don't have a 'logout successful' message at this time, but my suggestion would be to do a redirect to a custom /logoutsuccessful view before closing the browser window.

      I hope this helps, please let me know if there is anything else I can do!

      posted in Q&A
      akira
    • RE: Configuration Fails

      Hi @reece-temple,

      Can you confirm you created the MySQL database when you created your Digital Ocean droplet?

      If you have any screenshots of error messages that you are seeing either on your browser or your command line, that would help as well.

      Thank you!

      Akira

      posted in Comments & Feedback
      akira
    • RE: Configuration Fails

      Hi @reece-temple,

      Welcome to the community! I am glad you are here.

      For some context as to why you may be seeing this: we don't ship the MySQL driver, but instead download it at first use, due to licensing issues. Sometimes there are file permission issues when we try to write it, or there is no outbound network access.

      As to a fix, can you confirm a couple of things? This will help me diagnose the problem.

      1. Are you connected to the internet via the FusionAuth server?
      2. Where is your .jar file?
      3. Are you receiving an error in your log that begins with 'Error: An attempt to download the MySQL connector jar failed.'?

      I also found a related thread on a similar issue here if that could be helpful.

      -Akira

      posted in Comments & Feedback
      akira
    • RE: Validating User Registration Fields while entering information before POST

      Hi @aaron,

      Thanks for writing in!

      There are a couple of options.

      If you are hoping to customize messages your users may see when registering via the configuration screen of your FusionAuth backend, you can find in-depth instructions on how to do so here.

      If you are looking to modify the messages to your users in these form fields using an API, you can go here for some in-depth instructions on how to do that. (see: modifying the messages file).

      This will allow you to customize the messages the user receives when a form field is incorrectly filled out or skipped.

      FWIW, if you are on our paid versions, we offer another layer of password validation using breached password detection. You can find more information on that here.

      Please let me know if this helps!

      posted in Q&A
      akira