I'd like to update the user data object in the UI. I know I can do it via the API: https://fusionauth.io/docs/v1/tech/apis/users
dan
@dan
Head of Developer Relations at FusionAuth.
Enjoys ruby, java, php. Finds golang challenging.
Likes the authorization code grant, automation, stories and clear documentation.
Hiker, camper, gardener. Used to have chickens, now just tomatoes.
Best posts made by dan
-
Is there a way to update user data in the UI?
-
Can I configure the inactivity timeout of the FusionAuth Session cookie?
I have a quick question about FusionAuth and configuring the inactivity timeout of the session cookie it creates. Specifically... Is it possible?
-
Terraform provider for FusionAuth released
There's now an open source terraform provider available: https://github.com/gpsinsight/terraform-provider-fusionauth
It's also on the registry: https://registry.terraform.io/providers/gpsinsight/fusionauth/latest
-
RE: Block authentication until user is verified?
Is modifying the JWT via a lambda equivalent to accessing the verified property of the user profile?
Within a lambda, you have access to the user and registration properties. So you'd pull the verified property from wherever you wanted and put it into the JWT as a custom claim. Here's a blog post about how that might work. So yes, it is the same data. It's the tradeoff between a bigger JWT and having to make the additional call from your API.
Don't forget that the JWT will live for a while, so if this sequence happens and you use the JWT, you might have a user with a verified email prevented from using the API.
- user registers
- JWT issued, with verified set to false because the user isn't verified.
- User verifies their email
- User visits API, but is denied because the JWT has stale data.
I don't know timelines and how long your JWTs live for, but this is something to consider. Does that answer your question?
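The two sides of the tradeoff in the reply above, as an added example that is not part of the original thread: a FusionAuth JWT populate lambda that copies the user's verified flag into the token, and an API-side check that treats a "verified: false" claim as possibly stale and re-checks the user record before denying. The names allowAccess, lookupVerified and demo are hypothetical, and lookupVerified stands in for whatever wraps the Retrieve User API; all sample data is constructed.

```javascript
// FusionAuth JWT populate lambda: runs when the token is issued.
function populate(jwt, user, registration) {
  // Snapshot at issue time; becomes stale if the user verifies later.
  jwt.verified = user.verified === true;
}

// Decide whether a request carrying these claims may use the API.
// A "verified: true" claim is accepted for the token's lifetime (the
// bigger-JWT side of the tradeoff). A "verified: false" claim may be stale
// (the user verified after issuance), so consult the user store before
// denying. lookupVerified(userId) -> boolean is assumed to call the
// FusionAuth Retrieve User API; here it is a constructed stand-in.
function allowAccess(claims, nowSeconds, lookupVerified) {
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    return { allowed: false, reason: 'expired' };
  }
  if (claims.verified === true) {
    return { allowed: true, reason: 'claim' };
  }
  // Stale-claim fallback: one extra call per request from an unverified token.
  if (lookupVerified(claims.sub) === true) {
    return { allowed: true, reason: 'lookup' };
  }
  return { allowed: false, reason: 'unverified' };
}

// Walk through the sequence from the reply with constructed data.
function demo() {
  var user = { id: 'user-1', verified: false };
  var jwt = { sub: user.id, exp: 1000 + 3600 };   // issued at t=1000, lives 1h
  populate(jwt, user, {});                         // user registers, token issued
  var store = { 'user-1': false };                 // constructed user store
  var lookup = function (id) { return store[id] === true; };
  var before = allowAccess(jwt, 1200, lookup);     // still unverified: denied
  store['user-1'] = true;                          // user verifies their email
  var after = allowAccess(jwt, 1300, lookup);      // stale claim, lookup rescues
  var late = allowAccess(jwt, 5000, lookup);       // expired regardless of claim
  return { before: before, after: after, late: late };
}
```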
-
RE: My JWKS are always empty
Symmetric keys are not returned on the JWKS endpoint, as they don't have a public key. Per the docs, this API:
returns public keys generated by FusionAuth, used to cryptographically verify JWTs using the JSON Web Key format
If you create an RSA or EC key, which is an asymmetric key pair, the public key will be returned on the JWKS endpoint. If you don't have any key pairs configured, it will be empty. Out of the box, you'll only have one HMAC key, which we don't publish in JWKS.
-
RE: Implementing a Role-Based Access System for Authorization
Ah, I just tested this out and if you don't need it in the JWT, you should be able to see it in the registrations object returned after login.
Here's a response I get after logging in:
{
  "token": "ey...",
  "user": {
    "active": true,
    "connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
    "email": "email@example.com",
    "id": "2df13f18-01cc-48a4-b97a-2ab04f98d006",
    "insertInstant": 1592857899119,
    "lastLoginInstant": 1596819645662,
    "lastUpdateInstant": 0,
    "passwordChangeRequired": false,
    "passwordLastUpdateInstant": 1592857899145,
    "registrations": [
      {
        "applicationId": "78bd26e9-51de-4af8-baf4-914ea5825355",
        "id": "73d2317b-d196-4315-aba2-3c205ed3ccae",
        "insertInstant": 1592857899151,
        "lastLoginInstant": 1592857899153,
        "lastUpdateInstant": 1596813810104,
        "roles": [ "Role1" ],
        "usernameStatus": "ACTIVE",
        "verified": true
      }
    ],
    "tenantId": "1de156c2-2daa-a285-0c59-b52f9106d4e4",
    "twoFactorDelivery": "None",
    "twoFactorEnabled": false,
    "usernameStatus": "ACTIVE",
    "verified": true
  }
}
So user.applicationId.roles is what you want. Note that roles are applied on an application by application basis. If a user is in a group which has a role 'roleA' which is created in 'applicationA', but is not registered for 'applicationA', they won't receive that role. More on that here: https://fusionauth.io/docs/v1/tech/core-concepts/groups
-
RE: Trouble getting the user object post login
OK, we just released 1.18.8 and that is the version you want to use:
In requirements.txt:
fusionauth-client==1.18.8
And then this is the call you want to make (with client_id before redirect_uri):
resp = client.exchange_o_auth_code_for_access_token(request.args.get("code"), client_id, "http://localhost:5000/oauth-callback", client_secret)
-
RE: Can I run FusionAuth in Heroku?
There is no official support for Heroku at this time. Follow along on this issue (and vote it up if this is important to you) if you'd like to know when such support happens.
However, there is a community supported project with a "Deploy to Heroku" button. This is provided and tested by a community member.
Latest posts made by dan
-
RE: Assign a user role when a user logs in using Google
This is possible today using a Google Reconcile Lambda. Our Lambdas allow arbitrary JavaScript to be executed during a login event. You can write logic to check the user's domain and assign them the appropriate role associated with the FusionAuth Application they're authenticating through.
Below is a code example demonstrating how you could implement such logic:
function reconcile(user, registration, idToken) {
  // Return the domain part of an email address, or null if there isn't one
  function extractDomain(email) {
    if (!email || email.indexOf('@') === -1) {
      return null;
    }
    // Split the email address at the '@' and return the domain name
    var parts = email.split('@');
    return parts[1];
  }

  // Extract the email domain from the user object
  var domain = extractDomain(user.email);

  // Users from example.com get the 'teacher' role; any other domain gets 'user'
  if (domain === 'example.com') {
    registration.roles.push('teacher');
  } else {
    registration.roles.push('user');
  }

  // This is optional, but is good to have for debugging purposes. The results will be returned in the event logs.
  console.info(registration.roles);
}
-
Assign a user role when a user logs in using Google
Hey, I am just curious if it's possible for us to assign a user role if we choose to do login using Google as the identity provider (we directly call Google for sign in, then link the user to FusionAuth, as per this guide).
To elaborate more, let's say we want the user to be assigned the user role upon sign in. But if the user's email is under the domain @example.com, we want to assign them the teacher role. Would it be possible?
-
RE: Simple session management service
The best solution here would be to use entity management.
You can create an entity type of Session or similar. Each time you have a user log in, you can create a Session and set the .data.session_identifier field to the value of the device fingerprint + business specific indicator, and store the access token as the value. When you are trying to find whether a user has a valid session, you can use the Entity search APIs to find that key and get back the value. Or, if the value doesn't exist, the user has no valid session.
For expiration, you can use the access token's exp claim (which means anything consuming it will have to check that, which it should anyway). You could also manage additional expiration metadata in the .data field if you needed different logic (you have 5 hour access on weekdays, 10 hours of access on weekends or something similar). Note that you should be very aware of the security implications of this scheme (for example, that the device fingerprinting is unique and that the access token is narrowly scoped enough that if it is somehow obtained by an attacker it can't be used to damage the system).
-
Simple session management service
Hi folks,
We want to have a simple session management service for a client that has no local storage mechanisms (so we can't use something like cookies).
How it will work is that we'll:
- present a login form using the Login API
- the user will log in
- we'll generate an access token
- we need to store it somewhere <-- this is where we need help
- The key will be a value from the client (device fingerprinting plus another business specific indicator)
- the value will be the access token
Later, we need some way to get that access token, based on the key.
We want to store as much as we can in FusionAuth, but realize there may be a thin proxy in front of it to handle API keys for access to various FusionAuth APIs.
-
RE: Proxy Configuration Warning
@jawaid-karim Hmmm. Those all look good.
So you are still seeing an error in the admin screen when you log in?
-
RE: IIS Reverse Proxy not showing FusionAuth Page correctly
@jawaid-karim Are you setting all the headers mentioned here? https://fusionauth.io/docs/operate/deploy/proxy-setup
-
RE: Mysql on ubuntu
@truearrowsoftware Weird.
We won't fix that bug because we don't support mysql 5.7 any more (per https://fusionauth.io/docs/get-started/download-and-install/system-requirements#database ).
When you try to connect to mysql8, do you see any log messages in the startup screen or under /usr/local/fusionauth that seem relevant to share?
-
RE: Password that never expires?
If you needed to, you could always build an API integration (the User Update API lets you reset passwords, or you could initiate a Change Password Request) into your application for a specific user.
-
RE: User Account Not Linked to IDP
Have you turned on the debug logs and looked in the event log? That's what I'd start doing to troubleshoot.
More here: https://fusionauth.io/docs/operate/troubleshooting/troubleshooting#enabling-debugging