Posts made by dan
-
RE: Is it possible to limit the number of devices a user can login with?
This might be useful for visitors in the future: https://fusionauth.io/docs/extend/examples/device-limiting
-
RE: how to implement user invitation
Hiya @kasir-barati,
You can certainly use just a subset of known invite codes. In that case, no need to store the codes on the user.
Instead, add an array of codes in the self-service registration lambda and have a step check to see that the user provided code value matches one of the known values in the array.
-
RE: how to implement user invitation
This isn't out of the box, but is relatively easy to implement.
- After each user is added successfully, create a list of codes in their user.data.inviteCodes field (which can be an array). It's a good idea to have the codes be alphanumeric because FusionAuth's Elasticsearch indexing handles those types of values best. Let's call this user the inviter user. Make sure each code is unique across all users.
- When a user tries to register with a code, let's call that user the invitee user.
- Build a page in your application to display the list of user.data.inviteCodes to prospective inviters.
- Create a custom registration form and have one of the fields be an invite code, to be provided by the invitee user (because they got it from the inviter user).
- You could prepopulate this via a link by customizing the theme and having JavaScript pull the value from a query parameter and put it into the form.
- Create a self-service registration validation lambda.
- In that lambda, search for the code.
- If it is not found, add an error. This error will prevent the user from registering.
- If it is found, take the following steps:
  - Allow the registration to succeed.
  - Add a webhook to listen for the create user event, which reads the invitation code.
  - From the webhook, update the inviter user to remove the used code from the user.data.inviteCodes, which means that code can't be used by future invitees.
  - That same webhook can update the invitee's user.data.inviteCodes field so that they can now become inviters (or maybe that happens later, depending on business logic).
If invitees use the same code within the time period before the Elasticsearch index is updated (usually 1 second), there may be a race condition that would allow two invitees to register with the same code.
If absolute isolation in the invite code processing is important, use Lambda HTTP connect in the self-service registration validation lambda to check if a code is valid, and have that read from an RDBMS.
In this case, you'll need to provide the code and the inviter email address in the form so the lambda can provide it to the API. These fields can both be hidden.
You can also consider adding an expiry timestamp to the user.data.inviteCodes if that functionality is needed. Here's an example of the user.data.inviteCodes value:
"inviteCodes" : [ { "invcode": "abc123", "exp": 1712679467 }, { "invcode": "234jklasdf", "exp": 183678467 } ]
And here's an example of a queryString that will pull the user with the abc123 invite code, or return zero records if that is not found:
data.inviteCodes.invcode:abc123
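The check step of the invite-code scheme from the two replies above, written out as plain functions so it can be run offline. This is an added example, not code from the forum thread or from FusionAuth. The lambda signature validate(result, user, registration, context) and the result.errors.fieldErrors error shape are assumed from the FusionAuth self-service registration validation lambda docs; the form field name user.data.inviteCode, the known-code list and the sample inviter record are constructed for the example.

```javascript
// Added example, not code from the forum thread or from FusionAuth.
// Assumed (from the FusionAuth docs, not from this page): the validation lambda
// signature validate(result, user, registration, context) and the
// result.errors.fieldErrors shape. The field name user.data.inviteCode, the
// known-code list and SAMPLE_INVITER are constructed.

// Variant 1 (first reply): a fixed allow-list of known codes inside the lambda,
// so nothing has to be stored on any user.
var KNOWN_INVITE_CODES = ['abc123', '234jklasdf'];

function validate(result, user, registration, context) {
  var code = user.data && user.data.inviteCode;
  if (!code || KNOWN_INVITE_CODES.indexOf(code) === -1) {
    // Any error added here blocks the registration.
    result.errors.fieldErrors['user.data.inviteCode'] = [{
      code: '[invalid]user.data.inviteCode',
      message: 'That invite code is not valid.'
    }];
  }
}

// Variant 2 (second reply): codes live on the inviter's user.data.inviteCodes,
// each with an optional exp (seconds since the epoch). Constructed sample inviter:
var SAMPLE_INVITER = {
  id: 'inviter-uuid-placeholder',
  data: {
    inviteCodes: [
      { invcode: 'abc123', exp: 1712679467 },
      { invcode: '234jklasdf', exp: 183678467 } // exp already in the past
    ]
  }
};

// Returns the matching, unexpired entry, or null. An expired code is reported
// exactly like an unknown one, so the caller cannot tell the two apart.
function findInviteCode(inviter, code, nowSeconds) {
  var codes = (inviter.data && inviter.data.inviteCodes) || [];
  for (var i = 0; i < codes.length; i++) {
    var entry = codes[i];
    if (entry.invcode !== code) {
      continue;
    }
    if (typeof entry.exp === 'number' && entry.exp <= nowSeconds) {
      return null;
    }
    return entry;
  }
  return null;
}

// What the user.create webhook handler computes: the inviter's list without the
// used code (so it cannot be reused) and the invitee's starting list. The caller
// writes both values back with the User API.
function consumeInviteCode(inviter, code, inviteeCodes) {
  var remaining = ((inviter.data && inviter.data.inviteCodes) || []).filter(function (entry) {
    return entry.invcode !== code;
  });
  return {
    inviterInviteCodes: remaining,
    inviteeInviteCodes: inviteeCodes
  };
}

// The queryString from the reply, for the User Search API. The code comes from
// the invitee, so only alphanumeric values are interpolated into the query;
// anything else is rejected instead of changing the query's meaning.
function inviteCodeQuery(code) {
  if (!/^[A-Za-z0-9]+$/.test(code)) {
    return null;
  }
  return 'data.inviteCodes.invcode:' + code;
}
```

The expiry check in findInviteCode is where the "exp" field from the reply's JSON example is actually consumed; the race the reply warns about (two invitees using one code before the index catches up) is not addressed by any of this and still needs the RDBMS-backed check the reply describes.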
-
how to implement user invitation
I have an application that I want to invite users to and want users to be able to invite users to. I do not want to allow users to register for this application without being invited.
I've seen: https://fusionauth.io/community/forum/topic/935/how-to-implement-user-invitation but was wondering what the current best practice is.
-
RE: Connector service docs say it needs only user.id, but fails it not given email too
Hmmm. Which docs were you looking at?
https://fusionauth.io/docs/lifecycle/migrate-users/connectors/ says:
If you are migrating a user, you must provide the following fields in the user object you return.
- user.username or user.email
- user.id: a FusionAuth compatible UUID
and
If you are authenticating a user, you must provide the following fields in the user object you return.
- user.username or user.email
- user.id: a FusionAuth compatible UUID
If there's another place in the docs that state that email/username is not required, would love to correct it.
-
RE: Assign a user role when a user logs in using Google
This is possible today using a Google Reconcile Lambda. Our Lambdas allow arbitrary JavaScript to be executed during a login event. You can write logic to check the user's domain and assign them the appropriate role associated with the FusionAuth Application they're authenticating through.
Below is a code example demonstrating how you could implement such logic:
function reconcile(user, registration, idToken) {
  // Return the part of the email address after the '@', lower-cased so the
  // comparison below is case-insensitive; undefined if there is no usable email.
  function extractDomain(email) {
    if (typeof email !== 'string' || email.indexOf('@') === -1) {
      return undefined;
    }
    var parts = email.split('@');
    return parts[parts.length - 1].toLowerCase();
  }

  var domain = extractDomain(user.email);

  // Users whose email is in the example.com domain get the 'teacher' role;
  // everyone else gets the 'user' role.
  if (domain === 'example.com') {
    registration.roles.push('teacher');
  } else {
    registration.roles.push('user');
  }

  // Optional, but useful for debugging: the output is written to the event log.
  console.info(registration.roles);
}
-
Assign a user role when a user logs in using Google
Hey, I am just curious if it's possible for us to assign user role if we choose to do login using Google as identity provider (we directly call Google for sign in, then link the user to FusionAuth, as per this guide).
To elaborate more, let's say we want user to be assigned to the user role upon sign in. But if the user email is under the domain @example.com, we want to assign them as teacher role. Would it be possible?
-
RE: Simple session management service
The best solution here would be to use entity management.
You can create an entity type of Session or similar. Each time you have a user log in, you can create a Session and set the .data.session_identifier field to the value of the device fingerprint + business specific indicator, and store the access token as the value. When you are trying to find whether a user has a valid session, you can use the Entity search APIs to find that key and get back the value. Or, if the value doesn't exist, the user has no valid session.
For expiration, you can use the access token's exp claim (which means anything consuming it will have to check that, which it should anyway). You could also manage additional expiration metadata in the .data field if you needed different logic (you have 5 hour access on weekdays, 10 hours of access on weekends or something similar). Note that you should be very aware of the security implications of this scheme (for example, that the device fingerprinting is unique and that the access token is narrowly scoped enough that if it is somehow obtained by an attacker it can't be used to damage the system).
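The pieces of the Session entity scheme from the reply above, as plain functions: building the entity, building the search query, and checking expiry from the stored token's exp claim. This is an added example, not code from the forum thread or from FusionAuth. The POST /api/entity body shape (entity.type.id, entity.name, entity.data) and the Lucene-style queryString used by the Entity Search API are assumed from the FusionAuth docs; the entity type id, fingerprint values and the token are constructed.

```javascript
// Added example, not code from the forum thread or from FusionAuth.
// Assumed (from the FusionAuth docs, not from this page): the entity create body
// shape { entity: { type: { id }, name, data } } and the Lucene-style queryString
// accepted by the Entity Search API. SESSION_TYPE_ID, the fingerprints and the
// token below are constructed placeholders.

var SESSION_TYPE_ID = '00000000-0000-0000-0000-000000000000'; // placeholder entity type id

// Key = device fingerprint + business specific indicator, joined with a separator
// that neither part is expected to contain.
function sessionIdentifier(fingerprint, indicator) {
  return fingerprint + '|' + indicator;
}

// Body for creating the Session entity; the access token is stored as the value.
function buildSessionEntity(fingerprint, indicator, accessToken) {
  var id = sessionIdentifier(fingerprint, indicator);
  return {
    entity: {
      type: { id: SESSION_TYPE_ID },
      name: 'session:' + id,
      data: { session_identifier: id, access_token: accessToken }
    }
  };
}

// The identifier is client-supplied, so query-string metacharacters are escaped
// before it is embedded: otherwise a crafted fingerprint could change what the
// search matches.
function escapeQueryValue(value) {
  return value.replace(/[+\-=><!(){}\[\]^"~*?:\\\/]|&&|\|\|/g, '\\$&');
}

function sessionSearchQuery(fingerprint, indicator) {
  return 'data.session_identifier:"' + escapeQueryValue(sessionIdentifier(fingerprint, indicator)) + '"';
}

// Constructed, non-verifiable token: only the payload shape matters here.
function constructedToken(exp) {
  var b64url = function (obj) {
    return Buffer.from(JSON.stringify(obj)).toString('base64')
      .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
  };
  return b64url({ alg: 'RS256', typ: 'JWT' }) + '.' +
    b64url({ sub: 'user-uuid-placeholder', exp: exp }) + '.signature-placeholder';
}

// Read exp from the stored token. This only reads metadata for the expiry check;
// anything that acts on the token must still verify its signature first.
function tokenExpiresAt(jwt) {
  var payload = jwt.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(payload, 'base64').toString('utf8')).exp;
}

// A session is live only while its token has not reached exp.
function sessionIsLive(entity, nowSeconds) {
  var exp = tokenExpiresAt(entity.entity.data.access_token);
  return typeof exp === 'number' && exp > nowSeconds;
}
```

sessionIsLive is the place to add the extra .data expiry metadata the reply mentions (weekday versus weekend limits); the token's exp stays the hard upper bound.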
-
Simple session management service
Hi folks,
We want to have a simple session management service for a client that has no local storage mechanisms (so we can't use something like cookies).
How it will work is that we'll:
- present a login form using the Login API
- the user will log in
- we'll generate an access token
- we need to store it somewhere <-- this is where we need help
- The key will be a value from the client (device fingerprinting plus another business specific indicator)
- the value will be the access token
Later, we need some way to get that access token, based on the key.
We want to store as much as we can in FusionAuth, but realize there may be a thin proxy in front of it to handle API keys for access to various FusionAuth APIs.
-
RE: Proxy Configuration Warning
@jawaid-karim Hmmm. Those all look good.
So you are still seeing an error in the admin screen when you log in?
-
RE: IIS Reverse Proxy not showing FusionAuth Page correctly
@jawaid-karim Are you setting all the headers mentioned here? https://fusionauth.io/docs/operate/deploy/proxy-setup
-
RE: Mysql on ubuntu
@truearrowsoftware Weird.
We won't fix that bug because we don't support mysql 5.7 any more (per https://fusionauth.io/docs/get-started/download-and-install/system-requirements#database ).
When you try to connect to mysql8, do you see any log messages in the startup screen or under /usr/local/fusionauth that seem relevant to share?
-
RE: Password that never expires?
If you needed to, you could always build an API integration (the User Update API lets you reset passwords, or you could initiate a Change Password Request) into your application for a specific user.
-
RE: User Account Not Linked to IDP
Have you turned on the debug logs and looked in the event log? That's what I'd start doing to troubleshoot.
More here: https://fusionauth.io/docs/operate/troubleshooting/troubleshooting#enabling-debugging
-
RE: Propagate rememberDevice property from Login page back to redirect or similar
You could set parameters in the login success webhook to receive info about whether the rememberMe box was checked. You'd use JavaScript to set a form field value that is included in the webhook body. Here's an example of how this would work: https://github.com/FusionAuth/fusionauth-issues/issues/1660
-
RE: User Account Not Linked to IDP
@thomas-wojeck When using the API to create an account and a link, the linking in FusionAuth only occurs within FusionAuth, not within the remote Azure AD.
The easiest way to have the Azure AD account set up correctly is to use an OIDC identity provider and have the user log in to Azure AD first, and then have an account created in FusionAuth.
If that won't work, then you need to make sure that the link data in FusionAuth matches the account data in Azure AD, including the identityProviderUserId and the token (as documented here: https://fusionauth.io/docs/apis/identity-providers/links#request ). I think that will work, but you'd need to test it.
-
RE: Single session per user
@mike-rudat This might be of interest too: https://fusionauth.io/docs/extend/examples/device-limiting
-
RE: Mysql on ubuntu
@truearrowsoftware Hmmm. Based on what you've said, this seems like a JDBC connection error, because:
- php apps can connect
- FusionAuth has trouble connecting (you mentioned that two times)
When I'm troubleshooting issues like this, I like to isolate things. Is there any way you can write a small java program to make sure it can connect to your mysql database using the connection string?
Another alternative would be to run the database SQL against mysql manually. You can find it here: https://fusionauth.io/direct-download Then FusionAuth won't have to create any tables or anything.