Posts made by dan
-
RE: Client secret hashed in source identity provider
No perfect options, but a few workarounds possible
- a connector-like proxy which would intercept Client Credentials requests from their customers and use business logic to validate the client secret against the stored Duende hash.
- stand up a simple proxy in front of the Duende that logs the plaintext client secrets for a period of time before migration (protect these logs of course)
- go to each client and ask them to use a new FusionAuth specific client secret (analogous to resetting user passwords)
More details on the first option. It requires these steps/prereqs:
FusionAuth Entities Setup
- The customer should create new FusionAuth Entities that correlate to the Client ID of all APIs and services currently associated with Duende. For now, let FusionAuth generate a random Client Secret.
- Custom Attribute for Migration: Store a custom attribute such as
migration: false
onentity.data
for all newly created Entities.
Migration Steps
- API/Service Requests Token: The API or service calls Duende's token endpoint.
- Proxy Interception: The customer's proxy intercepts the client credentials request and searches FusionAuth Entities to find the matching Entity by Client ID.
- Migration Check: Use an if/else logic to check if
migration: false
exists for this client ID. If so, the proxy service proceeds with the client credentials request to Duende using the Client ID and Secret (in plain text). - JWT Validation: If Duende responds with a JWT, this confirms the Client Secret is correct. The proxy service discards Duende's JWT and then calls the Entity API to update the correct Client Secret and set
migration: true
on theentity.data
object. - Complete Migration: The proxy service calls FusionAuth's token endpoint to complete the Client Credentials grant. The proxy service then returns a JWT to the end customer’s API/service, migration is complete.
Which of these make sense depend on how many clients you have, your dev teams bandwidth, and your security posture.
-
Client secret hashed in source identity provider
We're migrating from an identity provider (Duende) that hashes the client secret when the client credentials grant is used.
How can we migrate these secrets to FusionAuth entities?
-
RE: Does FusionAuth work with resend, the email provider?
While I have not tested it, this documentation shows how to use an SMTP integration to send an email with resend.
This should work fine with FusionAuth's email settings.
-
Does FusionAuth work with resend, the email provider?
Does FusionAuth work with resend, the email provider?
-
RE: Compatibility of refresh token settings: sliding window and one-time use
It's a subtle difference, but one-time use refers to the value of the refresh token, which you use against the /oauth2/token endpoint to get a new access token via the refresh grant.
A sliding window refers to the refresh token itself, which has a unique id which stays the same, even as the value of the refresh token changes.
So if you had a refresh token with a lifetime of 4 hours, a sliding window and one time use configured, you might end up with something like this:
- at creation: id
09cfb961-291a-420f-b5cf-48c5c87a67cc
, valueRNhY5yE39t1o2FXKxgyH
, lifetime 4 hours - when the RT is presented to the /oauth2/token endpoint 3 hours after creation: id
09cfb961-291a-420f-b5cf-48c5c87a67cc
, valueFh95KZLfSMjMNxpR5B4c
, lifetime 4 more hours - when the RT is presented to the /oauth2/token endpoint 3 hours later: id
09cfb961-291a-420f-b5cf-48c5c87a67cc
, valuebaHneP4s0hBHPEk88GPC
, lifetime 4 more hours
More details here: https://github.com/FusionAuth/fusionauth-issues/issues/2925
- at creation: id
-
Compatibility of refresh token settings: sliding window and one-time use
If you have one-time use refresh token, then every time it is used, you get a new refresh token.
If you have a refresh token with a sliding window, every time you use it, its lifetime is extended.
How are these settings compatible?
-
RE: OAuth introspect endpoint works only with the credentials of the creator of the access token being verified
Also, why doesn't FusionAuth expose the default signing key, HS256, at http://localhost:9011/.well-known/jwks.json?
@fusionauth-qhj5e We don't publish the HMAC key to JWKS.json because if we did, anyone would be able to find it, and sign JWTs as your FusionAuth installation. HMAC keys should only be used when both parties can share a secret.
I'll update the docs to make that clearer. Sorry!
https://fusionauth.io/docs/lifecycle/authenticate-users/oauth/endpoints#json-web-key-set-jwks
-
RE: Changes not being applied
@sspinn Hiya, I'm in the admin console pretty regularly and haven't seen this behavior.
Can you narrow down the replication steps so we can try to recreate?
Which version of FusionAuth you are running and what database you are using will also be helpful.
-
RE: Can you move users from one tenant to another?
Another option that works as of today is to set up a tenant to tenant connector.
Add a connector to the new tenant. Point it at the /api/login endpoint of the old tenant, including an API key as a header.
Change your app to send everyone to a new application in the new tenant.
When the user logs in to the new application, if it is the first time they've been seen, the old tenant data, including password, will be queried. The password hash will be transparently migrated to the new tenant.
This slow migration takes time, but is another option.
-
RE: Using react app auth and react native and getting access to the profile pages
Hi @jamesbaxter . Sorry, just saw this now. I don't have the example app available. Sorry!
-
RE: Editing user data in the UI
When I navigate to the Reactor page, it shows that it's licensed with a Community Edition license.
Custom form fields require a starter license, and because you modified the form field names, FusionAuth thinks you are trying to use a custom form field. (Note, I'm not suggesting you buy a license--this functionality should work in community edition--but I wanted to explain why you are getting the message.)
With the move to 1.53.2 did you upgrade or use a new instance? If the former, does the issue still appear in a new install?
-
RE: ActiveDirectory access to FusionAuth
FusionAuth Cloud instances may or may not have static egress IP addresses; please open a support ticket with your instance name to learn more.
VPC peering is not currently supported, though that issue is the right one to follow for future developments.
You can also use an LDAP proxy to solve this issue.
FusionAuth -> LDAP proxy -> AD
where the LDAP proxy is in the DMZ and AD is configured to only talk to internal network values or the LDAP proxy.
Here's a StackOverflow post with more details.
-
ActiveDirectory access to FusionAuth
I want to lock down access between ActiveDirectory and FusionAuth running in the cloud. What is the best way to do that? Can I use VPC peering? It appears to not be supported: https://github.com/FusionAuth/fusionauth-issues/issues/1147
-
RE: Is there a way to see how advanced themes have changed between releases?
The best way to see this is to visit the theme history github repo.
It is mentioned in the theme upgrade documentation.
-
Is there a way to see how advanced themes have changed between releases?
I'm using advanced themes and want to see what has changed between releases so I can make sure to incorporate the changes in my custom theme.
What is the best way to see the changes?
-
RE: How do I edit a tenant’s data properties via the dashboard?
Currently this is not editable in the Admin UI. This value can be set by calling the Tenant API, however.
Docs here: https://fusionauth.io/docs/apis/tenants#update-a-tenant
-
How do I edit a tenant’s data properties via the dashboard?
Is there a way in the admin UI to edit a tenant's data properties?
-
RE: How can I remove all CSS from the FusionAuth hosted login pages?
I was able to do this by:
- copying the advanced theme
- editing it
- navigating to the Helpers file
- inside that, going to the
head
freemarker macro
I removed these lines:
<link rel="stylesheet" href="/css/font-awesome-4.7.0.min.css"/> <link rel="stylesheet" href="/css/fusionauth-style.css?version=${version}"/> [#-- Theme Stylesheet, only Authorize defines this boolean. Using the ?no_esc on the stylesheet to allow selectors that contain a > symbols. Once insde of a style tag we are safe and the stylesheet is validated not to contain an end style tag --] [#if !(bypassTheme!false)] <style> ${theme.stylesheet()?no_esc} </style> [/#if]
If you want to use the CSS field in the theme to store your CSs, leave in
[#if !(bypassTheme!false)] <style> ${theme.stylesheet()?no_esc} </style> [/#if]
which pulls in the CSS associated with the theme. Doing so allows you to add all your custom CSS to the CSS field in the theme and have it automatically included. If you don't do this, make sure you add your CSS to this macro (either directly or via a
link
). You'll want to make sure you keep it in as you upgrade.Removing all the CSS will result in a page that looks like the one below.