I'd like to update the user data object in the UI. I know I can do it via the API: https://fusionauth.io/docs/v1/tech/apis/users
dan
@dan
Head of Developer Relations at FusionAuth.
Enjoys ruby, java, php. Finds golang challenging.
Likes the authorization code grant, automation, stories and clear documentation.
Hiker, camper, gardener. Used to have chickens, now just tomatoes.
Best posts made by dan
-
Is there a way to update user data in the UI?
-
Can I configure the inactivity timeout of the FusionAuth Session cookie?
I have a quick question about FusionAuth and configuring the inactivity timeout of the session cookie it creates. Specifically... Is it possible?
-
Terraform provider for FusionAuth released
There's now an open source terraform provider available: https://github.com/gpsinsight/terraform-provider-fusionauth
It's also on the registry: https://registry.terraform.io/providers/gpsinsight/fusionauth/latest
-
RE: Block authentication until user is verified?
Is modifying the JWT via a lambda equivalent to accessing the verified property of the user profile?
Within a lambda, you have access to the user and registration properties. So you'd pull the `verified` property from wherever you wanted and put it into the JWT as a custom claim. Here's a blog post about how that might work. So yes, it is the same data. It's the tradeoff between a bigger JWT and having to make the additional call from your API.
Don't forget that the JWT will live for a while, so if this sequence happens and you use the JWT, you might have a user with a verified email prevented from using the API.
- user registers
- JWT issued, with `verified` set to `false` because the user isn't verified.
- User verifies their email
- User visits API, but is denied because the JWT has stale data.
I don't know timelines and how long your JWTs live for, but this is something to consider. Does that answer your question?
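An added example (not code from the original post or from FusionAuth) that shows the two halves of the tradeoff described above. The `populate(jwt, user, registration)` signature is the shape FusionAuth uses for a JWT populate lambda; the in-memory user store, the token issuer and the two API-side policies are constructed here purely to walk through the register / issue / verify / call sequence and are assumptions, not FusionAuth behaviour.

```javascript
// Added example: JWT populate lambda plus a simulation of the stale-claim
// problem. Only `populate` is in the shape FusionAuth expects; everything
// else is a constructed stand-in for illustration.

// Lambda body you would configure in FusionAuth: copy the user's
// `verified` flag into the token as a custom claim.
function populate(jwt, user, registration) {
  jwt.verified = user.verified === true;
}

// --- Constructed simulation (not FusionAuth) ---

// Stands in for a call to the Retrieve User API.
const userStore = new Map();

// Issue a token for a user; `nowSeconds` / `exp` are seconds since epoch.
function issueToken(user, nowSeconds, lifetimeSeconds) {
  const jwt = { sub: user.id, iat: nowSeconds, exp: nowSeconds + lifetimeSeconds };
  populate(jwt, user, null); // registration is not needed for this claim
  return jwt;
}

// Policy A: trust the claim baked into the token (no extra call, can be stale).
function allowByClaim(jwt, nowSeconds) {
  if (jwt.exp <= nowSeconds) return false; // expired token
  return jwt.verified === true;
}

// Policy B: trust the token for identity only and look up the current
// verified state (one extra call per request, never stale).
function allowByLookup(jwt, nowSeconds) {
  if (jwt.exp <= nowSeconds) return false;
  const current = userStore.get(jwt.sub);
  return current !== undefined && current.verified === true;
}

// Walk through the sequence from the post.
function demoStaleClaim() {
  const user = { id: 'user-1', verified: false }; // 1. user registers
  userStore.set(user.id, user);
  const t0 = 1700000000;
  const jwt = issueToken(user, t0, 3600);          // 2. JWT issued with verified=false
  userStore.get(user.id).verified = true;          // 3. user verifies their email
  const t1 = t0 + 60;                              // 4. user calls the API a minute later
  return {
    claimInToken: jwt.verified,                    // false: snapshot taken at issuance
    allowedByClaim: allowByClaim(jwt, t1),         // false: stale claim denies a verified user
    allowedByLookup: allowByLookup(jwt, t1),       // true: fresh lookup sees the change
  };
}
```

The shorter the token lifetime, the smaller the window in which policy A denies a user who has in fact verified; policy B closes the window entirely at the cost of a lookup per request.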
-
RE: My JWKS are always empty
Symmetric keys are not returned on the JWKS endpoint, as they don't have a public key. Per the docs this api:
returns public keys generated by FusionAuth, used to cryptographically verify JWTs using the JSON Web Key format
If you create an RSA or EC key which is an asymmetric key pair - the public key will be returned on the JWKS endpoint. If you don’t have any key pairs configured , it will be empty. Out of the box, you’ll only have one HMAC key which we don’t publish in JWKS.
-
RE: Implementing a Role-Based Access System for Authorization
Ah, I just tested this out and if you don't need it in the JWT, you should be able to see it in the registrations object returned after login.
Here's a response I get after logging in:
```json
{
  "token": "ey...",
  "user": {
    "active": true,
    "connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
    "email": "email@example.com",
    "id": "2df13f18-01cc-48a4-b97a-2ab04f98d006",
    "insertInstant": 1592857899119,
    "lastLoginInstant": 1596819645662,
    "lastUpdateInstant": 0,
    "passwordChangeRequired": false,
    "passwordLastUpdateInstant": 1592857899145,
    "registrations": [
      {
        "applicationId": "78bd26e9-51de-4af8-baf4-914ea5825355",
        "id": "73d2317b-d196-4315-aba2-3c205ed3ccae",
        "insertInstant": 1592857899151,
        "lastLoginInstant": 1592857899153,
        "lastUpdateInstant": 1596813810104,
        "roles": [ "Role1" ],
        "usernameStatus": "ACTIVE",
        "verified": true
      }
    ],
    "tenantId": "1de156c2-2daa-a285-0c59-b52f9106d4e4",
    "twoFactorDelivery": "None",
    "twoFactorEnabled": false,
    "usernameStatus": "ACTIVE",
    "verified": true
  }
}
```
So `user.applicationId.roles` is what you want. Note that roles are applied on an application by application basis. If a user is in a group which has a role 'roleA' which is created in 'applicationA', but is not registered for 'applicationA', they won't receive that role. More on that here: https://fusionauth.io/docs/v1/tech/core-concepts/groups
-
RE: Trouble getting the user object post login
OK, we just released 1.18.8 and that is the version you want to use:
In `requirements.txt`:

```
fusionauth-client==1.18.8
```

And then this is the call you want to make (with `client_id` before `redirect_uri`):

```python
resp = client.exchange_o_auth_code_for_access_token(request.args.get("code"), client_id, "http://localhost:5000/oauth-callback", client_secret)
```
-
RE: Specifying password during user registration.
Hiya,
First off, we'd recommend having all the flow you outline be over TLS. That's good enough for most major ecommerce systems and so shouldn't be insecure. If you aren't serving your application over TLS, then I'd advise doing so. And note that the flow is actually:
My Frontend
-->My Backend
-->FusionAuth API
There's no password returned from the registration API call.
If you are concerned about a new user's password being insecurely transmitted through your application, you could use the FusionAuth hosted login pages and theme them to be like your application. (More docs.)
The other option, which takes encrypted passwords, is the Import Users API, but that's probably not a fit for one off registrations. There are no plans to accept encrypted passwords for one off user registrations. Here's a related issue you can weigh in on/vote up if you'd like. Or feel free to open a new issue if that one doesn't capture the essence of your idea.
Are there specific security concerns you have around your front end/back end systems that I might be missing?
Latest posts made by dan
-
RE: Friction-free multi application SSO with MFA enabled
For future readers, here are two relevant GitHub issues on this topic.
Please feel free to upvote those issues and/or add comments about your use case. GitHub issue upvotes and comments are the main way for community members to provide roadmap feedback to the FusionAuth team.
-
RE: I want to load users from an LDIF file
FusionAuth has a bunch of import scripts, but one that you are probably most interested in is the CSV importer, which takes a CSV file and then calls the user import API.
Here's the link: https://github.com/FusionAuth/fusionauth-import-scripts/tree/main/csv
Of course, LDIF is not CSV.
Instead of using a CSV gem to get the list of users and their attributes, use a gem that can read LDIF. Here's a candidate. https://www.rubydoc.info/gems/ruby-ldap/0.9.19/LDAP%2FLDIF.parse_file but I'm not sure what the state of the art for ruby LDIF parsing is nowadays.
If you pursue this, please submit a PR to that repo because there may be other folks who want to import users from LDIF
An alternative would be to have them manipulate the LDIF file into CSV and import that using the csv importer. See https://www.google.com/search?client=firefox-b-1-d&q=ldif+to+csv for some examples on how to do the LDIF->CSV transformation.
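An added example, not part of the fusionauth-import-scripts repository, of the LDIF-reading step the reply describes: a small parser that handles the parts of LDIF an export usually contains (folded continuation lines, `::` base64 values, comments, blank-line entry separation) and maps person entries to the `users` array the Import Users API takes. The attribute-to-field mapping (`mail` to `email`, `uid` to `username`, `cn` to `fullName`, `givenName` and `sn` to first and last name) and the rule that only `inetOrgPerson` entries with a `mail` attribute become users are assumptions for a typical directory; the sample LDIF is constructed.

```javascript
// Added example: LDIF entries -> FusionAuth Import Users request body.
// The attribute mapping and the sample data are assumptions for this demo.

// Constructed sample: one non-person entry to skip, one person with a folded
// attribute value, one person with a base64-encoded cn and no givenName.
const SAMPLE_LDIF = `# exported from the corporate directory
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
givenName: Alice
sn: Example
mail: alice@example.com
description: long description that has been
  folded onto a second line

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn:: Qm9iIEV4YW1wbGU=
sn: Example
mail: bob@example.com
`;

// Parse LDIF text into [{ dn, attrs: { name: [values] } }].
function parseLdif(text) {
  // RFC 2849 folding: a line starting with a single space continues the previous line.
  const lines = text.replace(/\r?\n /g, '').split(/\r?\n/);
  const entries = [];
  let current = null;
  for (const line of lines) {
    if (line.startsWith('#')) continue; // comment
    if (line.trim() === '') {           // blank line ends an entry
      if (current) { entries.push(current); current = null; }
      continue;
    }
    const m = /^([A-Za-z][\w.-]*)(::?) ?(.*)$/.exec(line);
    if (!m) throw new Error(`malformed LDIF line: ${line}`);
    const [, name, sep, raw] = m;
    // "::" marks a base64-encoded value.
    const value = sep === '::' ? Buffer.from(raw, 'base64').toString('utf8') : raw;
    if (name.toLowerCase() === 'dn') { current = { dn: value, attrs: {} }; continue; }
    if (!current) throw new Error('attribute line before any dn');
    if (!current.attrs[name]) current.attrs[name] = [];
    current.attrs[name].push(value);
  }
  if (current) entries.push(current);
  return entries;
}

const first = (attrs, name) => (attrs[name] || [])[0];

// Build the Import Users request body. Only inetOrgPerson entries with a
// mail attribute become users (assumption for this example).
function toImportRequest(entries) {
  const users = [];
  for (const { attrs } of entries) {
    const classes = (attrs.objectClass || []).map((c) => c.toLowerCase());
    if (!classes.includes('inetorgperson')) continue;
    const email = first(attrs, 'mail');
    if (!email) continue;
    users.push({
      email,
      username: first(attrs, 'uid'),
      fullName: first(attrs, 'cn'),
      firstName: first(attrs, 'givenName'),
      lastName: first(attrs, 'sn'),
      // userPassword hashes are deliberately not copied here: the directory's
      // hash scheme has to be mapped to one FusionAuth supports before import.
    });
  }
  return { users };
}

function demoLdifImport() {
  return toImportRequest(parseLdif(SAMPLE_LDIF));
}
```

The resulting object is what you would POST to the Import Users API in batches; password handling and any `registrations` you want to attach are left for the caller, as they depend on the source directory and the target applications.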
-
I want to load users from an LDIF file
I have an LDAP server and can export out users to an LDIF file. I want to import these users into FusionAuth. What are my options?
-
RE: I am having issues upgrading my containerized version of FusionAuth
Ensure that the source machine that is building your image is the correct architecture type.
For instance, if you are building a K8s cluster running linux (x86) but have built the image locally on an Apple M2 Mac (ARM based), then you will need to instruct docker to use the `buildx` command to build a multi-platform build or change the source build machine.
-
RE: Seeing " OAuth return is missing a valid CSRF token" message
If this is isolated to one user it's happening to that's usually because the user is trying the flow across browsers or devices instead of completing the whole flow inside 1 browser.
For example, they might be requesting the Change Password on their phone but then open up their email on a desktop and click the link. Thus the desktop browser would be missing the CSRF token from the beginning of the flow.
This can also happen if they request it on Chrome, but click the link in the email in Firefox (or even Incognito/Private browser vs normal).
If it is more widespread (across many users) then it is probably something else, like a theme issue.
-
Seeing " OAuth return is missing a valid CSRF token" message
I have an issue. When someone resets their password, they get a link in their email. Then when they click it, they get an error message:
OAuth return is missing a valid CSRF token
and see a FusionAuth error screen. How can I solve that?
-
RE: Webhooks inside docker containers
@ronn316 We have some guidance about reaching out from FusionAuth to another machine on the network, but the right answer really depends on what the docker network configuration looks like.
-
RE: Locking down Discord access via FusionAuth
Hmmm.
Did some research and there's no way to straightforwardly have Discord delegate user management to an IdP.
This is in contrast with other tools like Zendesk which let you do this pretty easily.
Of course, you can go the other way (have users log in with Discord) but that's not what you are asking.
There are some workarounds, but they require custom discord development. Here are some options:
- Create a discord application that adds users to a server based on the oauth2 flow with the `guilds.join` scope. Set that application up in a way that people need to sign in with FusionAuth and link that signup to their discord account. Your discord app handles said oauth2 flow. Then you add users through that app instead of invite links.
- Use a public server but lock channels behind a role which gets added upon authorizing with FusionAuth by your bot.
- You could also use linked roles with a general access role people can opt into, if they fulfil the requirements set by that role (which you could control via registration at FusionAuth).
There's lots of documentation on creating discord bots but I don't have a specific example of any of these solutions, sorry.
-
Locking down Discord access via FusionAuth
Do you have any example code where FusionAuth is the source of identity and Discord delegates user management to it?
We are migrating from another chat provider to Discord and want to enable access only for users who are registered in FusionAuth.
-
RE: I don't see the usernameClaim in my saml v2 identity provider
I've tested on 1.50.1 and I am able to see the `usernameClaim` in the response body. However, that field is something that is not set by default and will only show up if that field has a value in it, otherwise it will not be in the response body.