    robotdan

    @robotdan

    CTO of FusionAuth

    Best posts made by robotdan

    • RE: NullPointerException with POST /api/identity-provider/start

      @adrien-laugueux said in NullPointerException with POST /api/identity-provider/start:

      2020-11-02T09:12:47.670831893Z 2020-11-02 9:12:47.670 AM ERROR io.fusionauth.app.primeframework.error.ExceptionExceptionHandler - An unhandled exception was thrown
      2020-11-02T09:12:47.670862293Z java.lang.NullPointerException: null
      2020-11-02T09:12:47.670866593Z at io.fusionauth.api.service.authentication.SAMLv2IdentityProviderAuthenticationService.start(SAMLv2IdentityProviderAuthenticationService.java:176)
      2020-11-02T09:12:47.670870593Z at io.fusionauth.app.action.api.identityProvider.StartAction.post(StartAction.java:61)

      Thanks for reporting. This looks to be a bug, moving to GitHub.
      https://github.com/FusionAuth/fusionauth-issues/issues/963

      As a workaround, pass in a dummy data object to the API, for example:

      {
        "applicationId": "1c212e59-0d0e-6b1a-ad48-f4f92793be32",
        "identityProviderId": "778985b7-6fd8-414d-acf2-94f18fb7c7e0",
        "data": {
          "workaround": true
        }
      }
      
      
      posted in Comments & Feedback
      robotdan
    • RE: startup.sh fails on tar of openjdk linux gz

      @james-black

      Thanks for letting us know, this is a bug. To work around it, add this to the top of startup.sh:

      CURL_OPTS="-fSL --progress-bar"
      
      posted in Q&A
      robotdan
    • RE: 404 Page theme

      Is it a total coincidence that that is GitHub Issue #404? Ha!

      posted in Q&A
      robotdan
    • RE: ZOOM and SSO Lambda writing

      @onmybus We'll need to do some more research into that error, @dan had some good insight in the Reddit thread. Perhaps we are not building the response correctly.

      If you want to try @dan's suggestion, I think the SAML Populate lambda would look like this (@dan was really close):

      function populate(samlResponse, user, registration) {
        samlResponse.assertion.subject.subjectConfirmation.recipient = null;
      }
      

      Here is how we are building that subject object:

      String callback = samlv2Configuration.callbackURL.toString();
      
      response.assertion.subject = new Subject();
      response.assertion.subject.subjectConfirmation = new SubjectConfirmation();
      response.assertion.subject.subjectConfirmation.inResponseTo = request.id;
      response.assertion.subject.subjectConfirmation.method = ConfirmationMethod.Bearer;
      response.assertion.subject.subjectConfirmation.notBefore = now.minusHours(1);
      response.assertion.subject.subjectConfirmation.notOnOrAfter = now.plusHours(1);
      response.assertion.subject.subjectConfirmation.recipient = callback;
      

      As a side note, the way you can debug this is to dump out the samlResponse object to an event log. For example, add this to your lambda body and the samlResponse object will be pretty printed to an info event log. See System > Event Log.

      console.info(JSON.stringify(samlResponse, null, ' ')); 
      
      posted in Q&A
      robotdan
    • RE: SQL Server Support

      Another option is to use FusionAuth Cloud, then you do not need to be aware of the underlying data storage layer.

      posted in General Discussion
      robotdan
    • FusionAuth featured in GetApp's Highest Rated Identity Management Software

      Thank you to everyone using FusionAuth, thank you for your feedback, your support and for helping us succeed.

      https://www.getapp.com/security-software/identity-access-management/category-leaders/

      posted in Announcements
      robotdan
    • RE: Elasticsearch Utilization [Self Hosted - Community Edition]

      @mgetka

      The Elasticsearch index is not queried during an authentication request, it is only used for search operations. We do attempt to update the search index during an authentication request but it is not directly required to complete login.

      posted in Q&A
      robotdan
    • RE: Systemd service template

      @dan said in Systemd service template:

      https://fusionauth.io/direct-download/

      To add to what @dan mentioned, you can install .deb or .rpm packages using the fast path install method. It will default to zip file installation.

      For additional ways to call it - see the Fast Path install guide.
      https://fusionauth.io/docs/v1/tech/installation-guide/fast-path/

      posted in General Discussion
      robotdan
    • RE: How to clean uninstall from Windows 10?

      The Windows install is just a zip package. So deleting is mostly just deleting the directory.

      Un-install the service

      If you installed a Windows service after unzipping the bundle during the installation, you should un-install that first. If you only used the startup.bat script you can skip this step.

      cd C:\Users\me\projects\fusionauth\fusionauth-app\apache-tomcat\bin
      FusionAuthApp.exe /uninstall
      

      https://fusionauth.io/docs/v1/tech/installation-guide/upgrade

      Note: I see at the bottom of your code example that the binary is not present in the directory. I'll have to look into why that is not present. In any case, if it is not present, that also means you have not installed the service, so you can skip this step.

      Delete the directory

      To complete the un-install, simply delete the directory once you have stopped the processes.

      rmdir C:\Users\me\projects\fusionauth /s
      

      If you have a database running locally, you will need to delete that separately. To do that you can open a SQL shell and run:

      drop database fusionauth;
      

      Hope that helps! Perhaps we need to add an un-install section to the documentation.

      posted in Q&A
      robotdan
    • RE: FusionAuth /oauth2/* requests performance

      Generally speaking the primary bottleneck for logins per second is CPU. Hashing the password is intentionally slow and FusionAuth will not be able to perform more logins per second than your CPU can handle.

      One way to identify if the password hashing is the bottleneck in load tests is to reduce the hash strength. See Tenants > Edit > Password > Cryptographic hash settings. Set this to Salted MD5 with a factor of 1 and then enable Re-hash on login. This will cause each user to have their password re-hashed to use MD5 the next time they log in.

      If you can still only get 50 logins per second with this config, then the database is likely the bottleneck. If this config allows you to achieve a much higher number of logins per second, then the CPU is your bottleneck. If you are CPU bound, the only way to get more logins per second is to horizontally scale or throw larger CPUs at each node.

      posted in General Discussion
      robotdan

    Latest posts made by robotdan

    • RE: SAML Idp Initiated Failure

      @utahtwo Currently this requires two different configurations. We initially tried to do it all within one IdP, but each mode requires different configuration and has unique security constraints. It seemed simpler for all involved to make them separate IdP configurations.

      If there is a use case that breaks due to this design decision, please open a GitHub issue and outline the use case so we can better understand your needs. Thanks!

      posted in General Discussion
      robotdan
    • RE: (FusionAuth 1.33.0. Update) How to Update the Password Reset Functionality for Users that Have Two-Factor On?

      @stephen Thanks for the update.

      That is correct, if you do provide a trustChallenge on the Two Factor Start API, it must be used along with the trustToken.

      This allows you the option to bind a trustToken to a particular request.

      Are you indicating that it now works as you expect, or that you did not provide a trustChallenge during the Two Factor Start API, and it is still saying it is required when completing the Change Password API? In your example you only show you are sending a loginId, so if that is the case let me know.

      posted in Q&A
      robotdan
    • RE: SAML Idp Initiated Failure

      @utahtwo I believe this is resolved in 1.36.0. If you can upgrade, see if that solves it for you.

      https://fusionauth.io/docs/v1/tech/release-notes

      posted in General Discussion
      robotdan
    • RE: (FusionAuth 1.33.0. Update) How to Update the Password Reset Functionality for Users that Have Two-Factor On?

      @stephen

      When the Change Password API returns 400 indicating that trust is required, you'll need to obtain a trust token.

      {
        "generalErrors" : [ {
          "code" : "[TrustTokenRequired]",
          "message" : "This request requires a Trust Token. Use the Start Two-Factor API to obtain a Trust Token required to complete this request."
        } ]
      }
      

      To obtain a trust token, complete a Two Factor login.

      1. POST /api/two-factor/start
      2. POST /api/two-factor/login

      The completion of the Two Factor Login will return a trustToken value in the response body. This token can be used to complete the Change Password API.

      If you want to scope the trustToken returned by the Two Factor Login request for use by the Change Password API, you may provide a trustChallenge in the request body on the Start API. When you do this, the same value must be provided when you use the trustToken on the Change Password API. In this way you can ensure that the trustToken may only be used for the intended purpose.

      It looks like the APIs may not have this example outlined, we'll review the doc and see what needs to be updated.

      posted in Q&A
      robotdan
    • RE: Custom forgot password url without pkce parameters

      @joshua Can you try and recreate this one to ensure we don't have a bug?
      @hamza Have you configured client authentication as required in your application, or only required when not using PKCE?

      posted in Q&A
      robotdan
    • RE: SAML Idp Initiated Failure

      @dan

      This may also be related to our usage of PKCE. I think there is a fix for this exception in the latest version of FusionAuth.

      [1/Apr/2022:17:39:00] 2022-04-01 5:39:00.406 PM ERROR io.fusionauth.app.action.BaseOAuthCallbackAction - Returned Exception
      [1/Apr/2022:17:39:00] java.lang.NullPointerException: Cannot invoke "String.length()" because "s" is null

      posted in General Discussion
      robotdan
    • RE: Cluster install

      @sandrinho said in Cluster install:

      pgbouncer

      I don't know that pgbouncer will work with FusionAuth. I don't know much about it, but from reviewing their FAQ it looks like the application or perhaps just the SQL client needs some additional configuration to utilize prepared statements (which we use a lot of).

      https://www.pgbouncer.org/faq.html

      If you can get it working, let us know, but it wouldn't be something we'll have much of any expertise with.

      posted in Q&A
      robotdan
    • RE: startup.sh fails on tar of openjdk linux gz

      Tracking here: https://github.com/FusionAuth/fusionauth-issues/issues/1519

      posted in Q&A
      robotdan
    • RE: Cann't import_users in Django

      @engineering-0 said in Cann't import_users in Django:

      wZzgYlJnnTiJ/HaS1XSx+uCsmC3To5FMQ1yMGqX//8s=

      I don't know why .. if I Base64 encode your salt DxFgAtoVimgE to RHhGZ0F0b1ZpbWdF it works. Not sure why this would be the case, the value looks to be Base64 encoded already.

        @Test
        public void django_test() {
          PBKDF2HMACSHA256PasswordEncryptor encryptor = new PBKDF2HMACSHA256PasswordEncryptor();
          String hash = encryptor.encrypt("0p;/)P:?", "RHhGZ0F0b1ZpbWdF", 150_000);
          assertEquals(hash, "wZzgYlJnnTiJ/HaS1XSx+uCsmC3To5FMQ1yMGqX//8s=");
        }
      

      Can you try importing the salt pulled from Django after Base64 encoding the value, and see if that works?

      posted in Q&A
      robotdan
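
An added illustration of the salt observation in the Django import post above (not part of the original post, and not FusionAuth or Django code). Django's PBKDF2 hasher uses the salt string's own characters as the salt bytes; the sketch assumes the importing side Base64-decodes the salt before hashing, which is consistent with what the post reports. The function names are hypothetical.

```python
import base64
import hashlib

# Values quoted in the post above.
PASSWORD = "0p;/)P:?"
DJANGO_SALT = "DxFgAtoVimgE"
ITERATIONS = 150_000


def pbkdf2_b64(password: str, salt: bytes, iterations: int) -> str:
    """PBKDF2-HMAC-SHA256 with a 32-byte output, returned Base64 encoded."""
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=32
    )
    return base64.b64encode(dk).decode("ascii")


def django_style(password: str, salt: str, iterations: int) -> str:
    # Django treats the stored salt as plain text: its characters are the salt.
    return pbkdf2_b64(password, salt.encode("utf-8"), iterations)


def decoding_importer(password: str, salt_b64: str, iterations: int) -> str:
    # Assumption: the importing system Base64-decodes the salt field first.
    return pbkdf2_b64(password, base64.b64decode(salt_b64), iterations)


def salt_for_import(django_salt: str) -> str:
    # Base64-encode the salt text so that decoding yields the bytes Django used.
    return base64.b64encode(django_salt.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    # The Django salt is drawn from the Base64 alphabet, so it decodes without
    # error, but to 9 unrelated bytes rather than the 12 characters Django used.
    print(len(base64.b64decode(DJANGO_SALT)), "decoded bytes vs", len(DJANGO_SALT))
    print("salt passed as-is: ", decoding_importer(PASSWORD, DJANGO_SALT, ITERATIONS))
    print("salt re-encoded:   ",
          decoding_importer(PASSWORD, salt_for_import(DJANGO_SALT), ITERATIONS))
    print("Django computation:", django_style(PASSWORD, DJANGO_SALT, ITERATIONS))
```

When migrating hashes between systems, checking one known password against both computations before a bulk import catches this kind of salt-encoding mismatch early.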