I'd like to update the user data object in the UI. I know I can do it via the API: https://fusionauth.io/docs/v1/tech/apis/users

dan
@dan
Head of Developer Relations at FusionAuth.
Enjoys ruby, java, php. Finds golang challenging.
Likes the authorization code grant, automation, stories and clear documentation.
Hiker, camper, gardener. Used to have chickens, now just tomatoes.
Best posts made by dan
-
Is there a way to update user data in the UI?
-
Can I configure the inactivity timeout of the FusionAuth Session cookie?
I have a quick question about FusionAuth and configuring the inactivity timeout of the session cookie it creates. Specifically... Is it possible?
-
Terraform provider for FusionAuth released
There's now an open source terraform provider available: https://github.com/gpsinsight/terraform-provider-fusionauth
It's also on the registry: https://registry.terraform.io/providers/gpsinsight/fusionauth/latest
-
RE: Block authentication until user is verified?
Is modifying the JWT via a lambda equivalent to accessing the verified property of the user profile?
Within a lambda, you have access to the user and registration properties. So you'd pull the verified property from wherever you wanted and put it into the JWT as a custom claim. Here's a blog post about how that might work. So yes, it is the same data. It's the tradeoff between a bigger JWT and having to make the additional call from your API.
Don't forget that the JWT will live for a while, so if this sequence happens and you use the JWT, you might have a user with a verified email prevented from using the API.
- user registers
- JWT issued, with verified set to false because the user isn't verified.
- User verifies their email
- User visits API, but is denied because the JWT has stale data.
I don't know timelines and how long your JWTs live for, but this is something to consider. Does that answer your question?
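The stale-claim sequence from the post above, as an added example that is not part of the original post: `populate` follows the shape of a FusionAuth JWT populate lambda, while `checkVerified`, `lookupUser` and `demo` are hypothetical names, and the user record is constructed sample data. It shows one way an API can trust a `verified: true` claim but re-check a `false` claim against current user data before denying.

```javascript
// Lambda side: copy the user's verified flag into a custom claim.
function populate(jwt, user, registration) {
  jwt.verified = user.verified === true;
}

// API side (hypothetical helper). lookupUser(sub) is an assumed function that
// returns the current user record, for example one fetched through the User API.
async function checkVerified(claims, lookupUser) {
  if (claims.verified === true) {
    return { allowed: true, source: "claim" };
  }
  // A false claim may predate the email verification, so confirm it
  // against current data before denying the request.
  const user = await lookupUser(claims.sub);
  const allowed = Boolean(user) && user.verified === true;
  return { allowed, source: "lookup" };
}

// Constructed walk-through of the four steps listed in the post.
async function demo() {
  const user = { id: "constructed-user-id", verified: false }; // user registers
  const jwt = { sub: user.id };
  populate(jwt, user, {});                                     // JWT issued, verified = false
  user.verified = true;                                        // user verifies their email
  let lookups = 0;
  const lookupUser = async (sub) => {
    lookups += 1;
    return sub === user.id ? user : null;
  };
  const result = await checkVerified(jwt, lookupUser);         // user visits the API
  return { claim: jwt.verified, result, lookups };
}
```

The extra lookup only happens for tokens whose claim is `false`, so verified users keep the benefit of not needing the additional call.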
-
RE: My JWKS are always empty
Symmetric keys are not returned on the JWKS endpoint, as they don't have a public key. Per the docs this api:
returns public keys generated by FusionAuth, used to cryptographically verify JWTs using the JSON Web Key format
If you create an RSA or EC key which is an asymmetric key pair - the public key will be returned on the JWKS endpoint. If you don’t have any key pairs configured, it will be empty. Out of the box, you’ll only have one HMAC key which we don’t publish in JWKS.
-
RE: Implementing a Role-Based Access System for Authorization
Ah, I just tested this out and if you don't need it in the JWT, you should be able to see it in the registrations object returned after login.
Here's a response I get after logging in:
{
  "token": "ey...",
  "user": {
    "active": true,
    "connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
    "email": "email@example.com",
    "id": "2df13f18-01cc-48a4-b97a-2ab04f98d006",
    "insertInstant": 1592857899119,
    "lastLoginInstant": 1596819645662,
    "lastUpdateInstant": 0,
    "passwordChangeRequired": false,
    "passwordLastUpdateInstant": 1592857899145,
    "registrations": [
      {
        "applicationId": "78bd26e9-51de-4af8-baf4-914ea5825355",
        "id": "73d2317b-d196-4315-aba2-3c205ed3ccae",
        "insertInstant": 1592857899151,
        "lastLoginInstant": 1592857899153,
        "lastUpdateInstant": 1596813810104,
        "roles": [
          "Role1"
        ],
        "usernameStatus": "ACTIVE",
        "verified": true
      }
    ],
    "tenantId": "1de156c2-2daa-a285-0c59-b52f9106d4e4",
    "twoFactorDelivery": "None",
    "twoFactorEnabled": false,
    "usernameStatus": "ACTIVE",
    "verified": true
  }
}
So user.applicationId.roles is what you want. Note that roles are applied on an application by application basis. If a user is in a group which has a role 'roleA' which is created in 'applicationA', but is not registered for 'applicationA', they won't receive that role. More on that here: https://fusionauth.io/docs/v1/tech/core-concepts/groups
-
RE: Trouble getting the user object post login
OK, we just released 1.18.8 and that is the version you want to use:
In requirements.txt:
fusionauth-client==1.18.8
And then this is the call you want to make (with client_id before redirect_uri):
resp = client.exchange_o_auth_code_for_access_token(request.args.get("code"), client_id, "http://localhost:5000/oauth-callback", client_secret)
-
RE: Can I run FusionAuth in Heroku?
There is no official support for Heroku at this time. Follow along on this issue (and vote it up if this is important to you) if you'd like to know when such support happens.
However, there is a community supported project with a "Deploy to Heroku" button. This is provided and tested by a community member.
Latest posts made by dan
-
RE: Seeing "alternativeLogins" error
Make sure you are running 1.47.1. If you are using docker, you might need to run docker pull to get the latest version.
There's also information in the release notes about how to modify a customized theme:
Due to the necessary change related to adding a CSRF token when performing a federated login, a manual change may be required to your themed login pages. Please read through these details to understand if you will be affected.
If you are using any 3rd party IdP configurations such as OpenID Connect, SAML v2, Google, Facebook with a custom theme, you will need to make a modification to your template in order for federated login to continue to work correctly.
If you are not using any 3rd party IdP configurations, or you are not using a custom theme, no change will be necessary.
If you will be affected by this change, please review the following details and then make the update to your theme as part of your upgrade process.
...
-
Seeing "alternativeLogins" error
I see this error:
A FreeMarker exception occurred. Exception: FreeMarker template error: Macro "alternativeLogins" has no parameter with name "federatedCSRFToken". Valid parameter names are: clientId, identityProviders, passwordlessEnabled, bootstrapWebauthnEnabled, idpRedirectState ---- FTL stack trace ("~" means nesting-related): - Failed at: @helpers.alternativeLogins clientId=c... [in template "##aa55aab6-11df-4f3d-b2cf-4b0da5f42780##templates/oauth2/authorize.ftl" at line 114, column 7] ~ Reached through: #nested [in template "##aa55aab6-11df-4f3d-b2cf-4b0da5f42780##templates/_helpers.ftl" in macro "main" at line 201, column 11]
I'm on FusionAuth 1.47. What can I do to troubleshoot it?
-
RE: Passing data from login form to webhook
There is no official way to do this but you can overload one of the custom fields as outlined here.
Here's sample code to do this, assuming that the parameter you want to track is registrationCode.
<script>
  // Read the registrationCode query parameter from the login page URL.
  const queryString = window.location.search;
  let urlParams = new URLSearchParams(queryString);
  const registrationCode = urlParams.get('registrationCode');
  if (registrationCode) {
    console.log('New query string found of '+ registrationCode);
    // Copy it into the hidden field that is submitted with the login form.
    let input = document.querySelector('.customParam');
    input.setAttribute('value', 'registrationCode = ' + registrationCode);
    console.log(input.type, input.name, input.value);
  }
</script>
Then, in the login form, you want to make sure you have this input field:
<input class="customParam" type="hidden" name="metaData.device.description"/>
The value of metaData.device.description in the webhook event will be the value of the registrationCode parameter.
-
Passing data from login form to webhook
I have a URL param on the login page that I want to pass to a login success webhook handler.
How can I do so?
-
RE: How can I know how many of my users are using different login methods?
As of right now, you can grab all your users via this script:
And then run this script to give you stats on the links each user has:
https://github.com/FusionAuth/fusionauth-example-scripts/blob/master/full-user-search/ssostats.sh
You may need to edit the latter script if you want to get insight into different identity providers. Look up each identity provider Id via the API or admin UI and update the if clauses to increment the appropriate variable.
-
How can I know how many of my users are using different login methods?
I have multiple identity providers enabled for FusionAuth (Facebook, Google, etc).
How can I know how many users are using each of these, vs a username and password?
-
RE: How do I verify a token with the cloudflare-worker-jwt library
Here's a more full featured implementation:
import jwt from '@tsndr/cloudflare-worker-jwt';
import dev_jwks from './jwks/dev.json';

function authenticate(handler) {
  return async function (request, response) {
    let headers = request.headers;
    if (!headers.has("Authorization")) {
      return json_error(401, "No Auth header present");
    }
    let auth_header = headers.get("Authorization");
    if (auth_header.indexOf("Bearer ") !== 0) {
      return json_error(403, "Bad auth header");
    }
    let token = auth_header.slice(7);
    let verified = await jwt.verify(token, dev_jwks.keys[0], {algorithm: "RS256"});
    if (!verified) {
      return json_error(403, "Bad auth token");
    }
    try {
      token = jwt.decode(token);
    } catch (e) {
      return json_error(403, "Unable to decode token");
    }
    let { header: meta, payload } = token;
    // TODO: inspect the payload of the jwt
    return await handler(request, response);
  };
}
where json_error is an error handler function outside the scope of this example and the JWKS file is downloaded and put into './jwks/dev.json' and the key is known to exist in the first entry in that array.
A more sophisticated version would examine the key id from the token header and find the corresponding public key in the JWKS array.
-
RE: How do I verify a token with the cloudflare-worker-jwt library
You have to do a few things:
- download the JWKS file yourself (here's info on where to find it)
- select the key
- specify the algorithm (the library doesn't examine the header of the token to determine the algorithm)
So here's what it might look like:
let verification = await jwt.verify(token, jwks.keys[0], {algorithm: "RS256"});
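The "select the key" and "specify the algorithm" steps above, and the key-id lookup mentioned in the fuller implementation, as an added example that is not part of the original posts: `selectVerificationKey`, `b64urlToJson`, `sampleToken` and `SAMPLE_JWKS` are hypothetical names, and the JWKS holds constructed placeholder values rather than real keys. It picks the JWKS entry by the token's `kid` while keeping the algorithm pinned on the verifier side.

```javascript
// Constructed sample JWKS (placeholder key material, not real FusionAuth keys).
const SAMPLE_JWKS = {
  keys: [
    { kty: "RSA", kid: "key-2023", use: "sig", alg: "RS256", n: "sample-modulus-a", e: "AQAB" },
    { kty: "RSA", kid: "key-2024", use: "sig", alg: "RS256", n: "sample-modulus-b", e: "AQAB" },
  ],
};

// The verifier pins the algorithm; the token header never chooses it.
const EXPECTED_ALG = "RS256";

function b64urlToJson(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(atob(padded));
}

// Returns the JWK to pass to the verifier, or null when no acceptable key exists.
function selectVerificationKey(token, jwks) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3) return null;
  let header;
  try {
    header = b64urlToJson(parts[0]);
  } catch (e) {
    return null; // header is not base64url-encoded JSON
  }
  if (header === null || typeof header !== "object") return null;
  if (header.alg !== EXPECTED_ALG) return null; // reject HS256, none, etc.
  if (typeof header.kid !== "string") return null; // no key id to match on
  const matches = jwks.keys.filter(
    (k) =>
      k.kid === header.kid &&
      k.kty === "RSA" &&
      (k.use === undefined || k.use === "sig") &&
      (k.alg === undefined || k.alg === EXPECTED_ALG)
  );
  return matches.length === 1 ? matches[0] : null; // ambiguous kid is also rejected
}

// Builds a constructed token with a dummy signature, for exercising the selector.
function sampleToken(header) {
  const enc = (obj) =>
    btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc(header)}.${enc({ sub: "constructed-user" })}.c2ln`;
}
```

The selected key is then passed to the library call shown in the post, `jwt.verify(token, key, {algorithm: "RS256"})`; a `null` result should be treated as a failed verification.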
-
How do I verify a token with the cloudflare-worker-jwt library
I want to use a token signed by FusionAuth with an RS256 key with this library: https://github.com/tsndr/cloudflare-worker-jwt
But it doesn't say it works with JWKS (it implies it).
How can I do this?