Is there a way to update user data in the UI?

I'd like to update the user data object in the UI. I know I can do it via the API: https://fusionauth.io/docs/v1/tech/apis/users

I have a quick question about FusionAuth and configuring the inactivity timeout of the session cookie it creates. Specifically... Is it possible?

Can you run FusionAuth in Kubernetes?

OK, we just released 1.18.8 and that is the version you want to use:

In requirements.txt:

fusionauth-client==1.18.8

And then this is the call you want to make (with client_id before redirect_uri) :

 resp = client.exchange_o_auth_code_for_access_token(request.args.get("code"), client_id, "http://localhost:5000/oauth-callback", client_secret)

Heya FusionAuth Users!

Got a minute to share your experience with the FusionAuth platform?

Please take this short Capterra survey.

You'll help improve the software and the first 100 eligible reviewers will get a $20 gift card.

https://blog.bettyblocks.com/5-ways-betty-blocks-protects-your-company-data

Hiya,

I'm unable to create a user registration using the .NET client libraries: https://fusionauth.io/docs/v1/tech/client-libraries/netcore

I have verified that the API key is basically a super user. I've verified that I'm sending the registration object. I've tried twiddling different properties (verified, insertInstant) and made sure that the application exists. I've added the a user registration to the application manually and it works. Creating a user and setting the userdata works just fine. It just seems like the registration isn't working.

I looked in https://github.com/FusionAuth/fusionauth-netcore-client/issues and https://github.com/FusionAuth/fusionauth-issues/issues but didn't see any relevant issues.

Here's my code so far (you can run it with fusionauth_api_key=<key> dotnet.exe run -- foo@foo5.com bluepass123 blue)

$ cat usermanager.csproj
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>netcoreapp3.1</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="FusionAuth.Client" Version="1.15.7" />
    <PackageReference Include="JSON.Net" Version="1.0.18" />
  </ItemGroup>

</Project>

$ cat Program.cs
using System;
using io.fusionauth;
using io.fusionauth.domain;
using io.fusionauth.domain.api;
using System.Collections.Generic;
using Newtonsoft.Json;

namespace usermanager
{
    class Program
    {
        private static readonly string apiKey = Environment.GetEnvironmentVariable("fusionauth_api_key");
        private static readonly string fusionauthURL = "http://localhost:9011";

        private static readonly string tenantId = "66636432-3932-3836-6630-656464383862";
        static void Main(string[] args)
        {
            if (args.Length != 3) {
                Console.WriteLine("Please provide email, password and favorite color.");
                Environment.Exit(1);
            }
            string email= args[0];
            string password = args[1];
            string favoriteColor = args[2];

            FusionAuthSyncClient client = new FusionAuthSyncClient(apiKey, fusionauthURL, tenantId);
            User userToCreate = new User();
            userToCreate.email = email;
            userToCreate.password = password;
            Dictionary<string, object> data = new Dictionary<string, object>();
            data.Add("favoriteColor", favoriteColor);
            userToCreate.data = data;
            UserRegistration registration = new UserRegistration();
            registration.applicationId = Guid.Parse("4243b56f-0b45-4882-aa23-ac75eea22d22");
            registration.verified = true;

            registration.insertInstant = DateTimeOffset.UtcNow;
            var registrations = new List<UserRegistration>();
            registrations.Add(registration);

            userToCreate.registrations = registrations;

            UserRequest userRequest = new UserRequest();
            userRequest.sendSetPasswordEmail = false;
            userRequest.user = userToCreate;
            string u = JsonConvert.SerializeObject(userRequest);
            Console.WriteLine(u);
            var response = client.CreateUser(null, userRequest);
            string json = JsonConvert.SerializeObject(response);
            Console.WriteLine(json);

            if (response.WasSuccessful())
            {
                var user = response.successResponse.user;
                Console.WriteLine("retrieved user with email: "+user.email);
            }
            else if (response.statusCode != 200)
            {
                var statusCode = response.statusCode;
                Console.WriteLine("failed with status "+statusCode);
            }
        }
    }
}

We just released an overhaul of the website: https://fusionauth.io/ which includes a new look for the API docs: https://fusionauth.io/docs/v1/tech/

https://fusionauth.io/blog/2020/06/25/using-oauth-and-pkce-to-add-authentication-to-your-gatsby-site

Well, since we're talking about behavior based on a fix that isn't written yet, things are a bit theoretical.

Here's one approach we'd consider. An expired key pair cannot be used to sign a JWT, so we would either have to generate a new key pair ahead of the expiration, or start failing login operations. The former is a better user experience, so a user will either have to regenerate the key, or we would do it based upon a configured policy.

Also, wanted to be clear that we are aware of this limitation, which is why we set the default expiration period to 10 years (so we have a bit of time to solve this in the best way possible).

Hope this helps. Let me know if you don't have the information you need.

Yes, if you enable TLS for the email configuration, mail.smtp.starttls.enable is set to true.

Here's more about the javamail config (which I expect you are already familiar with, just adding for completeness): https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html

The JWT TTL can be configured per application, so if you were using a different application for OIDC vs an API - then you could do it.

But if you don't want to use multiple applications, then it is not possible, at least currently.

I could see a use case for asking for a JWT with a TTL equal to or less than the configuration and that request being honored, that could be a feature request. But as of right now, the only option is different applications.

I’d like to have a longer expiration on access tokens issued from the API vs tokens issued from the OpenID Connect workflow.

Is there a way to override the JWT duration from the API or use different settings for the API?

Great, thanks! Please let us know how the additional troubleshooting goes. I'd look at the error messages and see if anything funny sticks out.

How can I configure FusionAuth do that automatically?

This is not possible through FusionAuth configuration. Feel free to file a feature request: https://github.com/fusionauth/fusionauth-issues/issues

You can update a user after they are created to specify an application authentication token. So you could register a webhook and listen for registration events and then update the user who just registered: https://fusionauth.io/docs/v1/tech/apis/registrations/#update-a-user-registration

And if it is not possible yet, is it possible to generate it in a programmatic way from the client-side (a Vue app just after user logged in) without exposing an API key?

Nope, you'll need some server side code or you'll need to expose an API key. You could limit the API key to only be able to update users, but you would need to make an API call to update the user and generate the auth token.

HTH.

Can you try connecting to office 365 to send mail using https://jetmore.org/john/code/swaks/ ?

I find that to be helpful to debug smtp issues.

One other thing to note.

For performance issues, since they can be so complex and system dependent, we recommend purchasing a paid edition so you can get direct access and support from the engineering team.

You can learn more about pricing and support options here.

You can put whatever you want in the theme pages, but it's a good idea to keep them lean so the user has a quick login experience. After all, most folks don't care about auth except when it doesn't work!

You can optionally pass info in the state parameter, that will come back to the caller. This can be encoded JSON, as long as it is url safe. You will want to make sure that you don't put too much stuff in there, as there are URL length limits for browsers (though I learned that chrome has a URL size limit of 2MB!). Here's an example of using the state parameter for application state.

Or if you have different applications and redirect URLs, then just gathering metrics on the URLs may give you insight into who is using login, and from where.

Sort of depends upon what type of analytics you need.

Are there any recommendations regarding how much customization is prudent in the Freemarker based templates? We're worried about large javascript libraries being integrated into them to do things like marketing analytics.

If you have any recommendations/limitations on that portion of the system, that can help us communicate a better path for such features outside of the themed pages.

@richb201 said in where to find the /api/status response?:

This will allow me to get the data that I need to customize the login page. But i am scared to keep clientID and clientSecret in a page accessible to the world. The page is a .php page, so you said I might be OK with it having the clientSecret in it.

Ah, you should pull that value from the environment (if you are deploying via heroku) or AWS secrets manager (if deploying to AWS) or some other secured manner. I'm not sure how you are hosting the app, but you can ask your hosting provider how they recommend storing app secrets.

'message' => 'Your request is missing the Registration information as JSON in the entity-body.',

If you want to register a user, you need to provide a registration key. That's what the error message is telling you.

I find it helpful to pull up the API documentation and look at the sample request and response JSON docs. That's what FusionAuth is expecting, and all the client libs do is wrap that up in a nice, language specific interface.

HTH.