    dan

    @dan

    Head of Developer Relations at FusionAuth.

    Enjoys ruby, java, php. Finds golang challenging.

    Likes the authorization code grant, automation, stories and clear documentation.

    Hiker, camper, gardener. Used to have chickens, now just tomatoes.

    Website fusionauth.io Location Colorado, USA


    Best posts made by dan

    • Is there a way to update user data in the UI?

      I'd like to update the user data object in the UI. I know I can do it via the API: https://fusionauth.io/docs/v1/tech/apis/users

      posted in Q&A
    • FusionAuth releases SimplePass™

      https://fusionauth.io/blog/2021/04/01/fusionauth-introduces-simplepass/

      posted in Blogs
    • Can I configure the inactivity timeout of the FusionAuth Session cookie?

      I have a quick question about FusionAuth and configuring the inactivity timeout of the session cookie it creates. Specifically... Is it possible?

      posted in Q&A
    • Terraform provider for FusionAuth released

      There's now an open source terraform provider available: https://github.com/gpsinsight/terraform-provider-fusionauth

      It's also on the registry: https://registry.terraform.io/providers/gpsinsight/fusionauth/latest

      posted in Release
    • Can you run FusionAuth in kubernetes?

      Can you run FusionAuth in Kubernetes?

      posted in Q&A
    • RE: Block authentication until user is verified?

      Is modifying the JWT via a lambda equivalent to accessing the verified property of the user profile?

      Within a lambda, you have access to the user and registration properties. So you'd pull the verified property from wherever you wanted and put it into the JWT as a custom claim. Here's a blog post about how that might work.

      So yes, it is the same data. It's the tradeoff between a bigger JWT and having to make the additional call from your API.

      Don't forget that the JWT will live for a while, so if this sequence happens and you use the JWT, you might have a user with a verified email prevented from using the API.

      1. User registers
      2. JWT issued, with verified set to false because the user isn't verified.
      3. User verifies their email
      4. User visits API, but is denied because the JWT has stale data.

      I don't know timelines and how long your JWTs live for, but this is something to consider. Does that answer your question?

      posted in Q&A
    • RE: My JWKS are always empty

      Symmetric keys are not returned on the JWKS endpoint, as they don't have a public key. Per the docs, this API:

      returns public keys generated by FusionAuth, used to cryptographically verify JWTs using the JSON Web Key format

      If you create an RSA or EC key, which is an asymmetric key pair, the public key will be returned on the JWKS endpoint. If you don’t have any key pairs configured, it will be empty. Out of the box, you’ll only have one HMAC key which we don’t publish in JWKS.

      posted in Q&A
    • RE: Implementing a Role-Based Access System for Authorization

      Ah, I just tested this out and if you don't need it in the JWT, you should be able to see it in the registrations object returned after login.

      Here's a response I get after logging in:

      {
        "token": "ey...",
        "user": {
          "active": true,
          "connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
          "email": "email@example.com",
          "id": "2df13f18-01cc-48a4-b97a-2ab04f98d006",
          "insertInstant": 1592857899119,
          "lastLoginInstant": 1596819645662,
          "lastUpdateInstant": 0,
          "passwordChangeRequired": false,
          "passwordLastUpdateInstant": 1592857899145,
          "registrations": [
            {
              "applicationId": "78bd26e9-51de-4af8-baf4-914ea5825355",
              "id": "73d2317b-d196-4315-aba2-3c205ed3ccae",
              "insertInstant": 1592857899151,
              "lastLoginInstant": 1592857899153,
              "lastUpdateInstant": 1596813810104,
              "roles": [
                "Role1"
              ],
              "usernameStatus": "ACTIVE",
              "verified": true
            }
          ],
          "tenantId": "1de156c2-2daa-a285-0c59-b52f9106d4e4",
          "twoFactorDelivery": "None",
          "twoFactorEnabled": false,
          "usernameStatus": "ACTIVE",
          "verified": true
        }
      }
      

      So user.applicationId.roles is what you want. Note that roles are applied on an application by application basis. If a user is in a group which has a role 'roleA' which is created in 'applicationA', but is not registered for 'applicationA', they won't receive that role. More on that here: https://fusionauth.io/docs/v1/tech/core-concepts/groups

      posted in Q&A
    • RE: Trouble getting the user object post login

      OK, we just released 1.18.8 and that is the version you want to use:

      In requirements.txt:

      fusionauth-client==1.18.8
      

      And then this is the call you want to make (with client_id before redirect_uri):

       resp = client.exchange_o_auth_code_for_access_token(request.args.get("code"), client_id, "http://localhost:5000/oauth-callback", client_secret)
      
      posted in Q&A
    • RE: Can I run FusionAuth in Heroku?

      There is no official support for Heroku at this time. Follow along on this issue (and vote it up if this is important to you) if you'd like to know when such support happens.

      However, there is a community supported project with a "Deploy to Heroku" button. This is provided and tested by a community member.

      posted in Q&A

    Latest posts made by dan

    • RE: Enforcing two factor configuration

      @mangeshp16 The original question is over two years old. Since version 1.42, you can enforce MFA at the tenant level (or the application level if you have the enterprise plan). This means that any user who logs in is required to have MFA. If they do not, they are redirected to a page where they can set it up.

      There are other ways to accomplish this. You could build your own MFA page which would call the APIs directly. When a user logs in, you can check to see if they have any twoFactor methods available and if they don't, you can send them to this page.

      posted in Q&A
    • RE: How to do migrations on user data?

      @yves

      I guess I'm struggling to understand how FusionAuth internally saves the user data. Is this unstructured (e.g. JSON) inside the relational database?

      You can examine the database schema FusionAuth uses here: https://fusionauth.io/docs/v1/tech/installation-guide/fusionauth-app#advanced-installation

      I guess I can't give this more structure, e.g. defining data types, and so on?

      The structure for the .data fields is implicit. This means that you can define the schema by creating a value. So if I set user.data.isPremium to true, then ES will understand that user.data.isPremium is of type boolean.

      A couple of notes:

      • if you change the datatype across users, ES will get confused. Here's docs on how to deal with that: https://fusionauth.io/docs/v1/tech/admin-guide/troubleshooting#mapperparsingexception
      • there's an open issue for allowing schema enforcement. Please upvote it or add other feedback
      • using the PATCH method for arrays in the user.data field is a bit fragile. Here's docs on how to choose this method correctly: https://fusionauth.io/docs/v1/tech/apis/#the-patch-http-method

      I guess there's also no "direct" access to the user data via an API? At least I didn't find anything.

      You can update, patch or remove values from the user.data field using the normal user APIs. Or did I misunderstand your question?

      posted in Comments & Feedback
    • RE: How to do migrations on user data?

      @yves This is similar to any ElasticSearch schema changes. (That is, adding attributes is easy, changing data types and removing attributes is tougher.)

      There's no particular guidance available.

      For testing, you can set the index name using fusionauth-app.user-search-index.name. More here: https://fusionauth.io/docs/v1/tech/reference/configuration

      Hope that helps. If you have more specific questions, feel free to ask.

      posted in Comments & Feedback
    • RE: ElasticSearch reindex doesn't reindex all documents

      Hmmm. I looked at the code path and can't see any reason that registrations would be omitted when reindexing, which would be one reason the search might fail.

      • What version of FusionAuth are you running?
      • What version of ES are you running?
      • After reindex, if you search for a user with a registration (by something other than that nested search), is the registration data present?
      • Any other searches fail?
      • Any other troubleshooting steps you can share?
      • Reindexing typically doesn't need to be done very often. Roughly how often are you reindexing (and why)?

      Thanks!

      posted in Comments & Feedback
    • RE: Resolving javax.net.ssl.SSLHandshakeException in a local environment with the Java Client and Ktor...

      @mart

      Hmmm. Haven't seen this before.

      https://www.jvt.me/posts/2020/08/16/globally-disable-tls-java-httpsurlconnection/ looks interesting.

      The java client uses https://github.com/inversoft/restify/ under the covers, so maybe there's some setting in that library? The docs are sparse (some might say not there at all) but the code is reviewable.

      Let us know what you find.

      posted in Q&A
    • RE: How to enable Lambda feature?

      @mschmidt Ah, sorry for the confusion. Glad you solved the issue!

      posted in Q&A
    • RE: Java Client JWT Validate returns incorrect exp/iat time

      @ndiarmand Thanks, just saw this now. Filed a bug: https://github.com/FusionAuth/fusionauth-issues/issues/2275

      posted in Q&A
    • RE: localhost development cookie issue

      @jacksontrevan Yes, this is unfortunately a limitation of cookies.

      You could work around that by setting up a DNS alias to local.example.com (assuming FusionAuth is running remotely at auth.example.com).

      You can usually set that up by googling for local host in /etc/hosts <platform> which turns up:

      • https://www.hostinger.com/tutorials/how-to-edit-hosts-file-macos
      • https://www.manageengine.com/network-monitoring/how-to/how-to-add-static-entry.html

      posted in Q&A
    • RE: Force Google Account Selection on every login using SAMLv2 IdP

      @nico-ayala Makes sense. We have some documentation here: https://fusionauth.io/docs/v1/tech/identity-providers/google#custom-parameters

      Though that is for setting up an OIDC provider in FusionAuth, it might be somewhat helpful.

      posted in Q&A