RE: Authentication for an Application with Web Client and Mobile front-ends

@mehamm,

It sounds like you are on the right track. A few comments:

• The Web API should not persist the access token, but the web app definitely can (often in a session). The web app can then present the access token until it expires, in which case the web app can renew the access token with the refresh token.

• "Web API verifies token against FusionAuth (my app) endpoint" -> You can also verify the claims were signed by FusionAuth without calling the introspect endpoint by using a JWT library.

• "Web API pulls user claims from token for role(s) and tenant, if verified returns data back to web app." -> Makes sense. Make sure to check the "aud" and "iss" claims to ensure they are what you expect. You should do this even if you are using the introspect endpoint.
• The correct tenant can be found from the client_id, since all applications are associated with one and only one tenant.
  If you have any specific issues, please feel free to post them in the forum (a new topic might be best).

By the way, if you are running in FusionAuth in production at scale, we encourage you to get a support contract . Having one allows access to the engineering team via opening support tickets. https://fusionauth.io/pricing/. Obviously, this is not a requirement, but should your business needs require a higher support level, it is available

I hope this helps!

Hi @michael-schramm,

If you could provide a bit more context to your issue, we could perhaps give a few pointers, but unfortunately, I believe this is outside of our accepted/documented use guidelines. FusionAuth is supported using MySQL and Postgres (documentation here).

Thanks,
Josh

Hi bogorad,

The functionality that you are looking for is located in the themes section of the FusionAuth application. Specifically, you will want to review all OAuth pages (OAuth authorize and possibly others) to adjust the template to your user requirements. FusionAuth uses FreeMarker for templating.

Additionally, below is a link to our documentation regarding themes (as well as a very useful video on how to mimic a custom Stack Overflow login page, for instance)
https://fusionauth.io/docs/v1/tech/themes/

Hopefully, that sets you on the right path! Enjoy FusionAuth!

Thanks,
Josh

Hey FusionAuth Community!

Just a heads up -- we have made a few revisions to this post!

If you are interested in using VueJS and FusionAuth -- check it out!

https://fusionauth.io/blog/2020/08/06/securely-implement-oauth-vuejs

My Database (sql, rds, postgres) is filling up. Any pointers on how to address this?

There is an option to adjust the number of claims on the token through the jwt populate lambda.

Documentation here

Let me know if that gets at what you looking for!

Thanks,
Josh

There are a number of things that might be causing this.

One thing to check is to see how many logs, debug, and other records your installation is holding on to. This can be reviewed by clicking under Setting -> System

I have attached a screenshot for your review.

Finally, it might be useful to review your system architecture to ensure it is sized appropriately for the number of users you are hosting.

I hope this helps!

Thanks,
Josh

Is there an option to make JWT token smaller in a size?

Hi @mehamm!

All applications are associated with one and only one tenant.

You may find some answers to your questions around multi-tenancy here:

https://fusionauth.io/blog/2018/09/24/multi-tenancy-in-a-single-tenant-architecture

I will also excerpt from the article

A FusionAuth tenant is simply a namespace where Applications, Groups, and Users exist

Another article that might be of interest is below:
https://fusionauth.io/blog/2020/06/30/private-labeling-with-multi-tenant

These articles should help you understand the concept of tenants as it applies to FusionAuth.

I hope this helps!

Thanks,
Josh

Hi @yb98 -

I don't believe that this is currently possible within the Admin UI (but I will update this post if I discover otherwise). You could submit a feature request outlining your use case.

It may be possible to hook something up via the API and lots of custom code (but even then, I am not sure how this would work). You may find some insight here.

Please note, you can set these duration settings on both the tenant and the application level (example below).

Thanks,
Josh

@dtokarz1

Interesting fix. I will have to consider why your solution worked. In the end, glad that you were able to get it working!

Thanks,
Josh

Thanks @dtokarz1

I agree; this would be a nice feature to implement for edge cases.

Thanks,
Josh

Also https://fusionauth.io/community/forum/topic/1151/configuration-fails

Hi @dtokarz1!

Sorry to hear that you having issues!

Are you getting any other errors? If you have a copy of the error log, that might be helpful as well.

https://fusionauth.io/docs/v1/tech/troubleshooting/#logs

It looks like this thread might be related and offer some additional clues?
https://fusionauth.io/community/forum/topic/605/no-suitable-driver-found-for-jdbc-mysql-localhost-3306-login/7

Thanks,
Josh

@dtokarz1

If you are using the latest version of FusionAuth, then there is no way to administratively or programmatically mark the email as verified.

However, there is an open Github issue that proposes this enhancement.
https://github.com/FusionAuth/fusionauth-issues/issues/1319

Thanks,
Josh

@aaron

Too add to what Akira mentioned, please keep in mind that advanced registration forms are a paid feature (developer plan or higher) within FusionAuth. Within this feature set, you can use regex commands and add your own custom validation as shown below.

Additionally, under tenants > password there are a number of custom password rules that you can set as well.

In addition to the tenant, there are also some password rules that you can configure on the application level under applications > registration > self-service registration > enabled > type: basic . Here is where you will find a confirm password toggle as well.

Finally, the above applies to a POST event. Meaning the form has to be submitted before feedback is displayed to the user indicating that they failed validation.

There are some Github issues that we are tracking for more realtime validation like events as well. If you have a unique use case - feel free to log an issue as well.

https://github.com/FusionAuth/fusionauth-issues/issues/1223

Thanks
Josh

@sandrat,

Sorry to hear that you are having difficulties.

You guys do the download thing to trial, be a piece of cake but the install isnt nearly as smooth as you think.

Can you elaborate on any difficulties that you had attempting to install FusionAuth locally?

Simple a couple of SPs against your SAML IDP and I will know if we are in the play.

If you could elaborate on what you looking for I may be able to assist further.

Below is our existing documentation:

SAML as IdP:
https://fusionauth.io/docs/v1/tech/identity-providers/samlv2/#overview

SAML as Service Provider:
https://fusionauth.io/docs/v1/tech/samlv2/

Current Limitations:
https://fusionauth.io/docs/v1/tech/reference/limitations/#saml

Thanks,
Josh

@justinfox,

There are a few ways in which you can architect this to ensure the user/entity is authenticated and authorized (reader here) depending on the language and architecture used. The tutorials and guides cover a few different approaches.

https://fusionauth.io/learn/expert-advice/authentication/login-authentication-workflows/ offers a high-level overview as well.

Lastly, if you decide to use OAuth, you could consult our modern guide to OAuth for more information.

https://fusionauth.io/learn/expert-advice/oauth/modern-guide-to-oauth/

Thanks,
Josh

@justinfox,

Awesome, glad that you got it working!

Thanks,
Josh

@daniel,

Glad you are trying us out! I will do my best to address your questions.

if the API is an Entity, and mobile app is an application, how roles will be designated to users for the APIs? How do we access them there? Is it done via same approach as in Auth0?

Are you saying that you are looking to have the same roles (they are called permissions the entity types) assigned to an entity and a user? I may need a little more context to better understand. Maybe you could outline how you are expecting this to work in practice.

Side note, we have documentation on this to be found here (you may have already reviewed it).

https://site-local.fusionauth.io/docs/v1/tech/core-concepts/entity-management/
https://site-local.fusionauth.io/docs/v1/tech/apis/entity-management/#undefined

Also there is a question about using Roles by tenants - as we plan to create those roles, while Tenants will be assigning them to their users, is that actually possible?

Roles are scoped to an application per documentation. I might need some additional clarification/context to better address.

https://site-local.fusionauth.io/docs/v1/tech/core-concepts/roles/#overview

Let us know. Happy to help as able!

Thanks,
Josh