RE: Authentication for an Application with Web Client and Mobile front-ends

@mehamm,

It sounds like you are on the right track. A few comments:

• The Web API should not persist the access token, but the web app definitely can (often in a session). The web app can then present the access token until it expires, in which case the web app can renew the access token with the refresh token.

• "Web API verifies token against FusionAuth (my app) endpoint" -> You can also verify the claims were signed by FusionAuth without calling the introspect endpoint by using a JWT library.

• "Web API pulls user claims from token for role(s) and tenant, if verified returns data back to web app." -> Makes sense. Make sure to check the "aud" and "iss" claims to ensure they are what you expect. You should do this even if you are using the introspect endpoint.
• The correct tenant can be found from the client_id, since all applications are associated with one and only one tenant.
  If you have any specific issues, please feel free to post them in the forum (a new topic might be best).

By the way, if you are running in FusionAuth in production at scale, we encourage you to get a support contract . Having one allows access to the engineering team via opening support tickets. https://fusionauth.io/pricing/. Obviously, this is not a requirement, but should your business needs require a higher support level, it is available

I hope this helps!

Hi @michael-schramm,

If you could provide a bit more context to your issue, we could perhaps give a few pointers, but unfortunately, I believe this is outside of our accepted/documented use guidelines. FusionAuth is supported using MySQL and Postgres (documentation here).

Thanks,
Josh

Hey FusionAuth Community!

Just a heads up -- we have made a few revisions to this post!

If you are interested in using VueJS and FusionAuth -- check it out!

https://fusionauth.io/blog/2020/08/06/securely-implement-oauth-vuejs

Hi bogorad,

The functionality that you are looking for is located in the themes section of the FusionAuth application. Specifically, you will want to review all OAuth pages (OAuth authorize and possibly others) to adjust the template to your user requirements. FusionAuth uses FreeMarker for templating.

Additionally, below is a link to our documentation regarding themes (as well as a very useful video on how to mimic a custom Stack Overflow login page, for instance)
https://fusionauth.io/docs/v1/tech/themes/

Hopefully, that sets you on the right path! Enjoy FusionAuth!

Thanks,
Josh

1.30 is released

Release notes forming
https://fusionauth.io/docs/v1/tech/release-notes/

My Database (sql, rds, postgres) is filling up. Any pointers on how to address this?

There is an option to adjust the number of claims on the token through the jwt populate lambda.

Documentation here

Let me know if that gets at what you looking for!

Thanks,
Josh

There are a number of things that might be causing this.

One thing to check is to see how many logs, debug, and other records your installation is holding on to. This can be reviewed by clicking under Setting -> System

I have attached a screenshot for your review.

Finally, it might be useful to review your system architecture to ensure it is sized appropriately for the number of users you are hosting.

I hope this helps!

Thanks,
Josh

Is there an option to make JWT token smaller in a size?

Hi @mehamm!

All applications are associated with one and only one tenant.

You may find some answers to your questions around multi-tenancy here:

https://fusionauth.io/blog/2018/09/24/multi-tenancy-in-a-single-tenant-architecture

I will also excerpt from the article

A FusionAuth tenant is simply a namespace where Applications, Groups, and Users exist

Another article that might be of interest is below:
https://fusionauth.io/blog/2020/06/30/private-labeling-with-multi-tenant

These articles should help you understand the concept of tenants as it applies to FusionAuth.

I hope this helps!

Thanks,
Josh

@lsmith

Thanks for the question. This is not currently a support configuration model.

If you need this for your use case, please feel free to log an issue for review

https://github.com/FusionAuth/fusionauth-issues/issues/new/choose

Thanks,
Josh

@emudojo Sorry for the delay

Were you able to figure this out?

Our documentation covers some nuances to the put/patch for this endpoint which you may be experiencing here.

• https://fusionauth.io/docs/v1/tech/apis/users#update-a-user

Thanks,
Josh

@lionel-selosse

Thanks for the question!

If you are accessing our token endpoint and asking for a token, and have an invalid signature - there could be a few causes. It may be related to how you are checking the signature. There are a few ways to do this if using a third-party library to validate a signature and there is room for error -- as I have experienced myself

I was able to take the client secret (from the OAuth configuration screen Applications > Your App > OAuth tab) and validate a recently generated access token using the following curl command

curl --request POST \
  --url https://local.fusionauth.io/oauth2/token \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data grant_type=authorization_code \
  --data client_id=<your_client_id> \
  --data client_secret=<your_secret> \
  --data code=<your_auth_code> \
  --data redirect_uri=http://www.google.com

JWT.io verified the signature as valid:

One thing to confirm is if you are on the latest version of FusionAuth.

Aside from that, please feel free to log an issue below with the details of your bug.

https://github.com/FusionAuth/fusionauth-issues/issues/new/choose

Thanks,
Josh

@nalenz-divizend

Thanks for the heads up - this is being reviewed under ->

https://github.com/FusionAuth/fusionauth-issues/issues/1894

Thanks!
Josh

@abehari

Marking this as "solved" as this was addressed out of band. Let us know if there are any other questions.

Thanks,
Josh

@ccaspanello

Thanks for the question - we have an example overview page with a few tutorials that cover what you are requesting

https://fusionauth.io/docs/v1/tech/example-apps/

Thanks,
Josh

@devops-1

Marking this as resolved as this was solved out of band from this forum.

https://fusionauth.io/docs/v1/tech/installation-guide/cloud#limits

related documentation about adding a whitelist entry.

@blake-whittle

FusionAuth deploys quickly for a multitude of devices and platforms.

• https://fusionauth.io/download

We have an installation guide below

• https://fusionauth.io/docs/v1/tech/installation-guide/

Finally, you can always reach out to our sales team for a good ole fashioned demo of how it can be deployed and used:

• sales@fusionauth.io

I hope this helps!

Thanks,
Josh
FusionAuth

@prawee

For this, I would recommend consulting our Users API or the User interface in the Admin UI.

• https://fusionauth.io/docs/v1/tech/apis/users#search-for-users
• https://fusionauth.io/docs/v1/tech/core-concepts/users#user-search

Let us know if you have any questions after a review!

@abehari Thanks for the question -

The user is not found when they are initially linked as they are tied to an external auth store (azure in this case), so we are relying on Azure to store the user's password/credentials (federation). Once you create a user with a password, and call the api/login we are going to look in our database and if the user is found (and with the correct credentials), we will return (as you experienced).

I am wondering if using the login API for OIDC provider is more appropriate for your use case

• https://fusionauth.io/docs/v1/tech/apis/identity-providers/openid-connect#complete-an-openid-connect-login

In this case, you are building your own login pages, in which you call Azure, and on that final step, called complete the login, you are asking FusionAuth to log the user in based on what Azure says.

Let us know if that better addresses your use case.

Thanks,
Josh