RE: Authentication for an Application with Web Client and Mobile front-ends

@mehamm,

It sounds like you are on the right track. A few comments:

• The Web API should not persist the access token, but the web app definitely can (often in a session). The web app can then present the access token until it expires, in which case the web app can renew the access token with the refresh token.

• "Web API verifies token against FusionAuth (my app) endpoint" -> You can also verify the claims were signed by FusionAuth without calling the introspect endpoint by using a JWT library.

• "Web API pulls user claims from token for role(s) and tenant, if verified returns data back to web app." -> Makes sense. Make sure to check the "aud" and "iss" claims to ensure they are what you expect. You should do this even if you are using the introspect endpoint.
• The correct tenant can be found from the client_id, since all applications are associated with one and only one tenant.
  If you have any specific issues, please feel free to post them in the forum (a new topic might be best).

By the way, if you are running in FusionAuth in production at scale, we encourage you to get a support contract . Having one allows access to the engineering team via opening support tickets. https://fusionauth.io/pricing/. Obviously, this is not a requirement, but should your business needs require a higher support level, it is available

I hope this helps!

Hi @michael-schramm,

If you could provide a bit more context to your issue, we could perhaps give a few pointers, but unfortunately, I believe this is outside of our accepted/documented use guidelines. FusionAuth is supported using MySQL and Postgres (documentation here).

Thanks,
Josh

Hey FusionAuth Community!

Just a heads up -- we have made a few revisions to this post!

If you are interested in using VueJS and FusionAuth -- check it out!

https://fusionauth.io/blog/2020/08/06/securely-implement-oauth-vuejs

Hi bogorad,

The functionality that you are looking for is located in the themes section of the FusionAuth application. Specifically, you will want to review all OAuth pages (OAuth authorize and possibly others) to adjust the template to your user requirements. FusionAuth uses FreeMarker for templating.

Additionally, below is a link to our documentation regarding themes (as well as a very useful video on how to mimic a custom Stack Overflow login page, for instance)
https://fusionauth.io/docs/v1/tech/themes/

Hopefully, that sets you on the right path! Enjoy FusionAuth!

Thanks,
Josh

1.30 is released

Release notes forming
https://fusionauth.io/docs/v1/tech/release-notes/

My Database (sql, rds, postgres) is filling up. Any pointers on how to address this?

There is an option to adjust the number of claims on the token through the jwt populate lambda.

Documentation here

Let me know if that gets at what you looking for!

Thanks,
Josh

There are a number of things that might be causing this.

One thing to check is to see how many logs, debug, and other records your installation is holding on to. This can be reviewed by clicking under Setting -> System

I have attached a screenshot for your review.

Finally, it might be useful to review your system architecture to ensure it is sized appropriately for the number of users you are hosting.

I hope this helps!

Thanks,
Josh

Is there an option to make JWT token smaller in a size?

Hi @mehamm!

All applications are associated with one and only one tenant.

You may find some answers to your questions around multi-tenancy here:

https://fusionauth.io/blog/2018/09/24/multi-tenancy-in-a-single-tenant-architecture

I will also excerpt from the article

A FusionAuth tenant is simply a namespace where Applications, Groups, and Users exist

Another article that might be of interest is below:
https://fusionauth.io/blog/2020/06/30/private-labeling-with-multi-tenant

These articles should help you understand the concept of tenants as it applies to FusionAuth.

I hope this helps!

Thanks,
Josh

@tomas-huber

Can you elaborate on what needs to be corrected or what errors you were seeing in our documentation? If you could link the page of documentation from www.fusionauth.io you were following and what errors you encountered, that would be great.

If it's simpler, you can also include that information on an issue card for our documentation site
https://github.com/FusionAuth/fusionauth-site

Thanks!

Thanks,
Josh

@mg

Good question! Aspects of this question are covered in our FAQ.

https://fusionauth.io/license-faq/#19
https://fusionauth.io/license-faq/#11

Additional information can be found by contacting our sales team should you have a business need for continuity plans.
Please use the contact form found on the home page.

https://fusionauth.io/contact/

Thanks,
Josh

@aivanov To my understanding, this configuration is not directly exposed via API.

You can however listen in on the status and Prometheus endpoints of FusionAuth.

https://fusionauth.io/docs/v1/tech/installation-guide/monitor/

Thanks,
Josh
FusionAuth

Hi @saitulasiram94!

FusionAuth can act as both SP and IdP via SAML.

You may want to review how Gmail integrates via SAML. If Gmail (as Idp) supports an SP or IdP initiated login from FusionAuth, then you should be able to integrate.

I have included our relevant documentation below.

• https://fusionauth.io/docs/v1/tech/identity-providers/samlv2-idp-initiated/
• https://fusionauth.io/docs/v1/tech/identity-providers/samlv2/

Thanks,
Josh

@harish_reddy

Is this still an open item of concern for you? I can review it further if need be.

If you believe it to be a bug you can also log a bug request
(https://github.com/FusionAuth/fusionauth-issues/issues/new/choose)

Thanks,
Josh

@david-billings,

As a final note, you may want to upgrade to version 1.30.2 (just released) as we made some slight improvements as to the timing of when this MFA information is available in the ES index.

Thanks,
Josh

To add a further note,

You can search these attributes in the following manner

twoFactor.methods.method:authenticator or twoFactor.methods.method:*

in the Admin UI under users or using the Search API.

Thanks,
Josh

@david-billings

The MFA attributes were added recently to the elasticsearch index on a user. This should be available using an ES query in version 1.30.1 and greater.

https://fusionauth.io/docs/v1/tech/release-notes/
https://github.com/FusionAuth/fusionauth-issues/issues/1352
https://fusionauth.io/docs/v1/tech/apis/users/#elasticsearch-search-engine

the user will have a variation of these attributes

  "twoFactor" : {
    "methods" : [ {
      "authenticator" : {
        "algorithm" : "HmacSHA1",
        "codeLength" : 6,
        "timeStep" : 30
      },
      "id" : "HWV2",
      "method" : "authenticator"
    } ]
  },

Thanks,
Josh

@yb98

I think what you are looking for is OAuth's back-channel logout. This is under consideration under ticket 465.

https://github.com/FusionAuth/fusionauth-issues/issues/465

As a workaround, you would have to use a backend (or another environment that can appropriately hide credentials) and make a call to revoke the refresh token on a user.

I may be misunderstanding your workflow, but I believe the above should point at a possible solution.

Thanks,
Josh

@james-hudson

One thing to try would be to turn on email debugging/logging to see if you are offered any additional clues.

Additional information can be found on our troubleshooting page

https://site-local.fusionauth.io/docs/v1/tech/troubleshooting/#troubleshooting-email

Thanks,
Josh