    Posts made by megeshg

    • Recommended Approach for validation

      Hi there,

      Been searching for a recommended approach to API security. We have two applications configured in FusionAuth, we then use a gateway with JWT validation enabled that ensures the requestor has provided correct credentials (using JWKS). The call to the API is then passed on to the service behind the gateway. We have 2 services, one for each application.

      What is the recommended way in which to ensure the user making the call to the API is in fact allowed to access the API, since the user will always pass the JWT validation, even if he did not register for the Application?

      posted in Q&A
      megeshg
    • Devices by user

      We are currently making use of the device grant. We had some issues, but have found a way to make it work for us, and hope the future allows us to make use of the APIs in a more seamless manner.

      For now we are able to link many devices with a single user, but are unable to see how many devices have been linked. I understand that there is no unique hardware identifier for the device being sent to FusionAuth, and would like to know if there is a plan for this in the future, or is this a feature we should build out within our own code base on the back of a successful link?

      posted in Q&A
      megeshg
    • RE: Authorize device without using /oauth2/device redirect

      We have decided to use this with the redirects enabled in Java, which then returns the success HTML; we then use this HTML to validate it's successful.

      @dan we are not calling /oauth/device, would we need to? When in the flow would we need to do this? Don't see this in the documentation? https://fusionauth.io/docs/v1/tech/oauth/endpoints

      @robotdan If something has come up please let me know.

      posted in Q&A
      megeshg
    • RE: Authorize device without using /oauth2/device redirect

      @dan said in Authorize device without using /oauth2/device redirect:

      https://github.com/FusionAuth/fusionauth-example-device-grant/pull/2

      We have kept at it but still can't get the call to /oauth2/authorize to grant access to the device. When polling we get the response 400 with authorization_pending as per the documentation.

      Nothing manages to change the state and have /auth2/token return the access_token.

      We are very keen to use FusionAuth for our production use case, but this one issue is causing headaches we didn't expect. All other requirements are being met with current FusionAuth tooling.

      We are not running FusionAuth on local but testing in a hosted environment to ensure everything works as expected.

      posted in Q&A
      megeshg
    • RE: Authorize device without using /oauth2/device redirect

      We have the demo app for testing the device portion of the flow set up and it polls; it constantly gets HTTP 400 (authorization_pending), which is expected until we call /oauth2/authorize, but after getting back the 302, we don't see this message change.

      When we test the out-of-the-box solution from FusionAuth this flow does work, however. It seems the out-of-the-box solution does 2 redirects and we are unsure if any of those steps adds to the authorize process.

      Screenshot 2020-05-21 at 09.56.02.png

      I should mention we are on version 1.14.0

      posted in Q&A
      megeshg
    • RE: Authorize device without using /oauth2/device redirect

      @dan said in Authorize device without using /oauth2/device redirect:

      https://fusionauth.io/docs/v1/tech/oauth/#pass-user_code-to-fusionauth

      Thanks for the reply. We are currently trying to authorise a device, but would like to use the endpoints provided by FusionAuth to accomplish this.

      We first call /oauth2/device_authorize; this in turn returns a user_code to the device and a device_code.

      We then use the user_code supplied by the user and call /oauth2/device/validate. If we get an HTTP 200 we continue.

      Next we call /oauth2/authorize; here we supply the user_code, and a username and password for the user wanting to authorise the device. In return we get back a 302 which directs us to the redirect URI.

      At this stage the device is polling /oauth2/token with the device_code and urn:ietf:params:oauth:grant-type:device_code grant type.

      We would have hoped that at this stage the device would have gotten returned credentials but this does not seem to be the case. Unsure of what call would authorise the device?

      posted in Q&A
      megeshg
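
The device-side polling step described in the post above, as an added example (not part of the original post and not FusionAuth's own code): a loop following RFC 8628 that treats `authorization_pending` as "keep waiting", backs off on `slow_down`, and stops on any other error. The injected `post` transport, the fake endpoint and every sample value are constructed assumptions so the loop runs offline.

```python
import time

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"

class DeviceGrantError(Exception):
    """Terminal failure of the device grant (denied, expired, bad request)."""

def poll_for_token(post, device_code, client_id, interval=5, expires_in=600,
                   sleep=time.sleep):
    """Poll the token endpoint until the user approves, denies, or the code expires.

    post(form) -> (http_status, json_dict) is an injected transport (assumption),
    so the loop can be exercised without a live server.
    """
    form = {"grant_type": GRANT_TYPE, "device_code": device_code,
            "client_id": client_id}
    waited = 0
    while waited < expires_in:
        status, body = post(form)
        if status == 200:
            return body                     # carries the access_token
        error = body.get("error")
        if error == "slow_down":
            interval += 5                   # RFC 8628: increase interval by 5 s
        elif error != "authorization_pending":
            # access_denied, expired_token, invalid_grant, ...: stop polling
            raise DeviceGrantError(error or f"HTTP {status}")
        sleep(interval)
        waited += interval
    raise DeviceGrantError("expired_token")

def make_fake_endpoint(responses):
    """Constructed stand-in for /oauth2/token: replays canned responses in order."""
    calls = []
    def post(form):
        calls.append(dict(form))
        return responses[min(len(calls) - 1, len(responses) - 1)]
    return post, calls

def demo():
    pending = (400, {"error": "authorization_pending"})
    post, calls = make_fake_endpoint([
        pending, pending, (400, {"error": "slow_down"}),
        (200, {"access_token": "constructed-token", "token_type": "Bearer"}),
    ])
    sleeps = []                             # record waits instead of sleeping
    token = poll_for_token(post, "constructed-device-code",
                           "constructed-client-id", sleep=sleeps.append)
    return token, sleeps, calls
```
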
    • Authorize device without using /oauth2/device redirect

      Hi All...

      We are currently looking to implement device authentication using FusionAuth OAuth2 endpoints. We are able to send a GET request to /oauth2/authorize with all the required information and are able to get back a 302 redirect with the location populated with the expected fields (code, locale, state and userState). At this point we would expect the device to be authorised but when polling /oauth2/token we do not get a success.

      We understand the redirect is to take the user to a success page in a happy day scenario, and don't understand why the device is not approved? Is there a missing step?

      Regards

      posted in Q&A device grant oauth
      megeshg