    Best posts made by robotdan

    • RE: NullPointerException with POST /api/identity-provider/start

      @adrien-laugueux said in NullPointerException with POST /api/identity-provider/start:

      2020-11-02T09:12:47.670831893Z 2020-11-02 9:12:47.670 AM ERROR io.fusionauth.app.primeframework.error.ExceptionExceptionHandler - An unhandled exception was thrown
      2020-11-02T09:12:47.670862293Z java.lang.NullPointerException: null
      2020-11-02T09:12:47.670866593Z at io.fusionauth.api.service.authentication.SAMLv2IdentityProviderAuthenticationService.start(SAMLv2IdentityProviderAuthenticationService.java:176)
      2020-11-02T09:12:47.670870593Z at io.fusionauth.app.action.api.identityProvider.StartAction.post(StartAction.java:61)

      Thanks for reporting. This looks to be a bug, moving to GitHub.
      https://github.com/FusionAuth/fusionauth-issues/issues/963

      As a workaround, pass in a dummy data object to the API, for example:

      {
        "applicationId": "1c212e59-0d0e-6b1a-ad48-f4f92793be32",
        "identityProviderId": "778985b7-6fd8-414d-acf2-94f18fb7c7e0",
        "data": {
          "workaround": true
        }
      }
      
      
      posted in Comments & Feedback
      robotdan
    • RE: startup.sh fails on tar of openjdk linux gz

      @james-black

      Thanks for letting us know, this is a bug. To work around it, add this to the top of startup.sh:

      CURL_OPTS="-fSL --progress-bar"
      
      posted in Q&A
      robotdan
    • RE: 404 Page theme

      Is it a total coincidence that that is GitHub Issue #404? Ha!

      posted in Q&A
      robotdan
    • RE: ZOOM and SSO Lambda writing

      @onmybus We'll need to do some more research into that error, @dan had some good insight in the Reddit thread. Perhaps we are not building the response correctly.

      If you want to try @dan's suggestion, I think the SAML Populate lambda would look like this: (@dan was really close)

      function populate(samlResponse, user, registration) {
        samlResponse.assertion.subject.subjectConfirmation.recipient = null;
      }
      

      Here is how we are building that subject object:

      String callback = samlv2Configuration.callbackURL.toString();
      
      response.assertion.subject = new Subject();
      response.assertion.subject.subjectConfirmation = new SubjectConfirmation();
      response.assertion.subject.subjectConfirmation.inResponseTo = request.id;
      response.assertion.subject.subjectConfirmation.method = ConfirmationMethod.Bearer;
      response.assertion.subject.subjectConfirmation.notBefore = now.minusHours(1);
      response.assertion.subject.subjectConfirmation.notOnOrAfter = now.plusHours(1);
      response.assertion.subject.subjectConfirmation.recipient = callback;
      

      As a side note, the way you can debug this is to dump out the samlResponse object to an event log. For example, add this to your lambda body and the samlResponse object will be pretty printed to an info event log. See System > Event Log.

      console.info(JSON.stringify(samlResponse, null, ' ')); 
      
      posted in Q&A
      robotdan
    • RE: SQL Server Support

      Another option is to use FusionAuth Cloud, then you do not need to be aware of the underlying data storage layer.

      posted in General Discussion
      robotdan
    • FusionAuth featured in GetApp's Highest Rated Identity Management Software

      Thank you to everyone using FusionAuth, thank you for your feedback, your support and for helping us succeed.

      https://www.getapp.com/security-software/identity-access-management/category-leaders/

      posted in Announcements
      robotdan
    • RE: Elasticsearch Utilization [Self Hosted - Community Edition]

      @mgetka

      The Elasticsearch index is not queried during an authentication request, it is only used for search operations. We do attempt to update the search index during an authentication request but it is not directly required to complete login.

      posted in Q&A
      robotdan
    • RE: Systemd service template

      @dan said in Systemd service template:

      https://fusionauth.io/direct-download/

      To add to what @dan mentioned, you can install .deb or .rpm packages using the fast path install method. It will default to zip file installation.

      For additional ways to call it - see the Fast Path install guide.
      https://fusionauth.io/docs/v1/tech/installation-guide/fast-path/

      posted in General Discussion
      robotdan
    • RE: How to clean uninstall from Windows 10?

      The Windows install is just a zip package. So deleting is mostly just deleting the directory.

      Un-install the service

      If you installed a Windows service after unzipping the bundle during the installation, you should un-install that first. If you only used the startup.bat script you can skip this step.

      cd C:\Users\me\projects\fusionauth\fusionauth-app\apache-tomcat\bin
      FusionAuthApp.exe /uninstall
      

      https://fusionauth.io/docs/v1/tech/installation-guide/upgrade

      Note:
      Note, I see at the bottom of your code example that binary is not present in the directory. I'll have to look into why that is not present. In any case, if it is not present, that also means you have not installed the service, so you can skip this step.

      Delete the directory

      To complete the un-install, simply delete the directory once you have stopped the processes.

      rmdir C:\Users\me\projects\fusionauth /s
      

      If you have a database running locally, you will need to delete that separately. To do that you can open a SQL shell and run:

      drop database fusionauth;
      

      Hope that helps! Perhaps we need to add an un-install section to the documentation.

      posted in Q&A
      robotdan
    • RE: FusionAuth /oauth2/* requests performance

      Generally speaking the primary bottleneck for logins per second is CPU. Hashing the password is intentionally slow and FusionAuth will not be able to perform more logins per second than your CPU can handle.

      One way to identify if the password hashing is the bottleneck in load tests is to reduce the hash strength. See Tenants > Edit > Password > Cryptographic hash settings. Set this to Salted MD5 with a factor of 1 and then enable Re-hash on login. This will cause each user to have their password re-hashed to use MD5 the next time they log in.

      If you can still only get 50 logins per second with this config, then the database is likely the bottleneck. If this config allows you to achieve a much higher logins per second, then the CPU is your bottleneck. If you are CPU bound, the only way to get more logins per second is to horizontally scale or throw larger CPUs at each node.

      posted in General Discussion
      robotdan
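
The reasoning in the post above can be checked on a single core before running a full load test. This is an added example, not part of robotdan's post or FusionAuth's code: it times the cheap load-test setting against a deliberately slow scheme and applies the post's decision rule. The PBKDF2 iteration count, the hash constructions, the `gainThreshold` default and all function names are assumptions of this example.

```javascript
const crypto = require('node:crypto');

// Salted MD5, one round: the cheap setting the post suggests for load tests only.
// The salt-then-password construction is illustrative, not FusionAuth's format.
function saltedMd5(password, salt) {
  return crypto.createHash('md5').update(salt).update(password).digest('hex');
}

// Stand-in for a deliberately slow production scheme (iteration count assumed).
function slowPbkdf2(password, salt) {
  return crypto.pbkdf2Sync(password, salt, 24000, 32, 'sha256').toString('hex');
}

// Time `rounds` hashes on one core; the result is the most logins per second
// that core could serve if hashing were the only work done per login.
function hashesPerSecond(hashFn, rounds) {
  const salt = crypto.randomBytes(16);
  const start = process.hrtime.bigint();
  for (let i = 0; i < rounds; i++) hashFn('constructed-password-' + i, salt);
  const seconds = Number(process.hrtime.bigint() - start) / 1e9;
  return rounds / seconds;
}

// The post's decision rule: if the cheap hash barely changes the measured
// login rate, look at the database; if the rate jumps, the CPU was the limit.
function diagnose(loginsPerSecSlow, loginsPerSecCheap, gainThreshold = 2) {
  return loginsPerSecCheap >= loginsPerSecSlow * gainThreshold
    ? 'cpu-bound (password hashing)'
    : 'likely database-bound';
}
```

Multiply the slow-scheme figure by the number of cores per node to estimate the login ceiling, and restore the production hash settings once the load test is finished.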
    • RE: SAML error 500 (version 1.7.4)

      @jmarin the fix you're looking for was in FusionAuth version 1.11.0, if you upgrade to version 1.11.0 or later this issue should be resolved. https://fusionauth.io/docs/v1/tech/release-notes#version-1-11-0

      posted in Q&A
      robotdan
    • RE: Unable to send email via JavaMailCan't send command to SMTP host

      Is this "the" A-aron!!!! 🙂 Howdy sir!

      When you set Security to TLS in the FusionAuth UI, we set mail.smtp.starttls.enable=true which tells the Java Mail API to use STARTTLS.

      In most cases our SMTP configuration will be adequate. If you find additional configuration required that is available via the Java Mail API that @dan posted, these can be added in the Tenant advanced configuration (Tenant > Advanced > SMTP Settings) using the Additional properties field. This field takes key value pairs as defined by the Java Mail API.

      Let us know if that still doesn't work, and we can go from there.

      posted in General Discussion
      robotdan
    • Why is FusionAuth so awesome?

      I just have to know!

      posted in Q&A
      robotdan
    • RE: How to open identity provider directly?

      The Lookup API is generally designed for use when you are not going to use the FusionAuth login pages or SSO features.

      I think you're asking to go directly to an IdP login page without hitting the FusionAuth login page first and clicking a button to "Login with Acme Corp" for example?

      Does this issue cover your use case?
      https://github.com/FusionAuth/fusionauth-issues/issues/178#issuecomment-501390468

      The above issue would allow you to provide a hint ahead of time so we can bypass the login page for a domain scoped IdP configuration. We could also add the option to provide the Identity Provider Id as a hint on the request ?identityProviderId=42 to force a particular IdP.

      posted in Q&A
      robotdan
    • RE: Identity Provider with no email?

      In the future we will be supporting OpenID Connections that do not return an email address.

      In the short term, if you are on the most recent version of FusionAuth you can make this work by fabricating an email address in your OpenID Connect Reconcile Lambda.

      For example if the Userinfo response available to you in the Lambda has a user Id of 1234 you can build an email from that Id.

      Example:

      function reconcile(user, registration, jwt) {
        // Where the user's unique Id is the 'sub' claim.
        user.email = jwt.sub + '@no-email-strava.com';
      }
      

      This will only work if the JWT does not come back with a claim called email.

      posted in Q&A
      robotdan
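
A more defensive take on the fabricated-address lambda in the post above, as an added example that is not part of robotdan's post or FusionAuth's code. It leaves an IdP-supplied `email` claim alone, rejects subjects that are not safe as an address local part, and uses a placeholder domain under the reserved `.invalid` TLD so nobody can receive mail for it; `PLACEHOLDER_DOMAIN`, `safeLocalPart` and `dryRun` are names assumed for this example.

```javascript
// Assumed placeholder: .invalid is reserved (RFC 2606), so it can never be
// registered and mail sent to a fabricated address goes nowhere.
const PLACEHOLDER_DOMAIN = 'no-email.example.invalid';

// Return the subject as an email local part, or null if it is not safe to use.
// Subjects are rejected rather than normalised: two subjects that differ only
// by case or stripped characters would otherwise map to the same address.
function safeLocalPart(sub) {
  if (typeof sub !== 'string' && typeof sub !== 'number') return null;
  const s = String(sub);
  if (s.length > 64) return null; // local-part length limit (RFC 5321)
  // Lowercase alphanumerics with single '.', '_' or '-' separators only,
  // so a subject can never carry its own '@' or whitespace.
  return /^[a-z0-9]+(?:[._-][a-z0-9]+)*$/.test(s) ? s : null;
}

// Same shape as the lambda in the post: mutate `user` in place.
function reconcile(user, registration, jwt) {
  if (jwt.email) return;              // the IdP supplied an address; keep it
  const local = safeLocalPart(jwt.sub);
  if (local === null) return;         // leave user.email unset rather than guess
  user.email = local + '@' + PLACEHOLDER_DOMAIN;
}

// Dry run outside FusionAuth with constructed claim sets.
function dryRun(claims) {
  const user = {};
  reconcile(user, {}, claims);
  return user.email;
}
```

Accounts created this way cannot complete any email-based flow, so password reset and email verification need another recovery path for these users.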
    • RE: Identity Provider with no email?

      The workaround described above only works for OpenID Connect based IdPs; it will not work for Facebook. If the Facebook user is not providing you their email, they will not be able to log in.

      posted in Q&A
      robotdan
    • RE: what is the default connection pool size for the app?

      Also, see database.maximum-pool-size here https://fusionauth.io/docs/v1/tech/reference/configuration

      posted in Q&A
      robotdan
    • RE: Password encryption scheme data?

      We could review this decision, perhaps it makes sense to leave this information in the API response.

      In the event of a database breach, the attacker would have all of the necessary information, but in the API response we initially thought it better not to leak any information about how this user's password may be hashed and stored.

      posted in Q&A
      robotdan
    • RE: Identity Provider with no email?

      The results of the Userinfo endpoint will reflect what is in the JWT and what additional details FusionAuth knows about the user.

      So with Twitter, Facebook, Google and Apple, this will all depend upon what is returned from those providers, and then subsequently what you do with that information during login.

      Each of these IdPs can be assigned a Reconcile Lambda, a default lambda is provided with FusionAuth that you can use and modify.

      https://fusionauth.io/docs/v1/tech/lambdas/apple-reconcile/
      https://fusionauth.io/docs/v1/tech/lambdas/facebook-reconcile/
      https://fusionauth.io/docs/v1/tech/lambdas/google-reconcile/
      https://fusionauth.io/docs/v1/tech/lambdas/twitter-reconcile/

      In your example, are you using an Apple Reconcile Lambda, and if so, can you post your lambda function?

      Apple will only return the user's first and last name on the very first authentication event. Subsequent events will not contain this information, so if you were to log a user in using the Apple provider, and then subsequently assign a reconcile Lambda that would otherwise attempt to capture this information, you will not have that User's first and last name in FusionAuth.

      Similarly with Twitter, we would need to see your reconcile Lambda function body that you have assigned to this IdP configuration to understand what is being obtained from Twitter and stored in FusionAuth.

      Hope that helps!

      posted in Q&A
      robotdan
    • RE: Registration Email Templates: Access to the application name?

      Another option is to use an email template specific to the application so you can hard code the Application name. This works if you create the user and register them at the same time.

      posted in Q&A
      robotdan