FusionAuth developer image
FusionAuth developer logo
  • Back to site
  • Expert Advice
  • Blog
  • Developers
  • Downloads
  • Account
  • Contact sales
Navigate to...
  • Welcome
  • Getting Started
  • 5-Minute Setup Guide
  • Release Notes
  • Core Concepts
    • Overview
    • Users
    • Roles
    • Groups
    • Entity Management
    • Registrations
    • Applications
    • Tenants
    • Identity Providers
    • Key Master
    • SCIM
    • Search
    • Authentication and Authorization
    • Integration Points
    • Localization and Internationalization
    • Editions and Features
    • Roadmap
  • Installation Guide
    • Overview
    • System Requirements
    • Server Layout
    • Cloud
    • Cluster
    • Docker
    • Fast Path
    • Kubernetes
      • Overview
      • Deployment Guide
      • Minikube Setup
      • Amazon EKS Setup
      • Google GKE Setup
      • Microsoft AKS Setup
    • Kickstart™
    • Homebrew
    • Packages
    • Database
    • FusionAuth App
    • FusionAuth Search
    • Common Configuration
  • Admin Guide
    • Overview
    • Account Portal
    • Config Management
    • Licensing
    • Monitoring
    • Proxy Setup
    • Securing
    • Technical Support
    • Troubleshooting
    • Upgrading
  • Migration Guide
    • Overview
    • General
    • Auth0
    • Keycloak
    • Amazon Cognito
    • Firebase
    • Tutorial
  • APIs
    • Overview
    • Authentication
    • Errors
    • Actioning Users
    • API Keys
    • Applications
    • Audit Logs
    • Connectors
      • Overview
      • Generic
      • LDAP
    • Consents
    • Emails
    • Entity Management
      • Overview
      • Entities
      • Entity Types
      • Grants
    • Event Logs
    • Families
    • Forms
    • Form Fields
    • Groups
    • Identity Providers
      • Overview
      • Links
      • Apple
      • External JWT
      • Epic Games
      • Facebook
      • Google
      • HYPR
      • LinkedIn
      • Nintendo
      • OpenID Connect
      • SAML v2
      • SAML v2 IdP Initiated
      • Sony PlayStation Network
      • Steam
      • Twitch
      • Twitter
      • Xbox
    • Integrations
    • IP Access Control Lists
    • JWT
    • Keys
    • Lambdas
    • Login
    • Message Templates
    • Messengers
      • Overview
      • Generic
      • Kafka
      • Twilio
    • Multi-Factor/Two Factor
    • Passwordless
    • Reactor
    • Registrations
    • Reports
    • SCIM
      • Overview
      • SCIM EnterpriseUser
      • SCIM Group
      • SCIM Service Provider Config.
      • SCIM User
    • System
    • Tenants
    • Themes
    • Users
    • User Actions
    • User Action Reasons
    • User Comments
    • Webhooks
  • Client Libraries
    • Overview
    • Dart
    • Go
    • Java
    • JavaScript
    • .NET Core
    • Node
    • OpenAPI
    • PHP
    • Python
    • Ruby
    • Typescript
  • Themes
    • Overview
    • Examples
    • Helpers
    • Localization
    • Template Variables
  • Email & Templates
    • Overview
    • Configure Email
    • Email Templates
    • Email Variables
    • Message Templates
  • Events & Webhooks
    • Overview
    • Writing a Webhook
    • Securing Webhooks
    • Events
      • Overview
      • Audit Log Create
      • Event Log Create
      • JWT Public Key Update
      • JWT Refresh
      • JWT Refresh Token Revoke
      • Kickstart Success
      • User Action
      • User Bulk Create
      • User Create
      • User Create Complete
      • User Deactivate
      • User Delete
      • User Delete Complete
      • User Email Update
      • User Email Verified
      • User IdP Link
      • User IdP Unlink
      • User Login Failed
      • User Login Id Duplicate Create
      • User Login Id Duplicate Update
      • User Login New Device
      • User Login Success
      • User Login Suspicious
      • User Password Breach
      • User Password Reset Send
      • User Password Reset Start
      • User Password Reset Success
      • User Password Update
      • User Reactivate
      • User Registration Create
      • User Registration Create Complete
      • User Registration Delete
      • User Registration Delete Complete
      • User Registration Update
      • User Registration Update Complete
      • User Registration Verified
      • User Two Factor Method Add
      • User Two Factor Method Remove
      • User Update
      • User Update Complete
  • Example Apps
    • Overview
    • Dart
    • Go
    • Java
    • JavaScript
    • .NET Core
    • PHP
    • Python
    • Ruby
  • Lambdas
    • Overview
    • Apple Reconcile
    • Client Cred. JWT Populate
    • Epic Games Reconcile
    • External JWT Reconcile
    • Facebook Reconcile
    • Google Reconcile
    • HYPR Reconcile
    • JWT Populate
    • LDAP Connector Reconcile
    • LinkedIn Reconcile
    • Nintendo Reconcile
    • OpenID Connect Reconcile
    • SAML v2 Populate
    • SAML v2 Reconcile
    • SCIM Group Req. Converter
    • SCIM Group Resp. Converter
    • SCIM User Req. Converter
    • SCIM User Resp. Converter
    • Sony PSN Reconcile
    • Steam Reconcile
    • Twitch Reconcile
    • Twitter Reconcile
    • Xbox Reconcile
  • Identity Providers
    • Overview
    • Apple
    • Epic Games
    • External JWT
      • Overview
      • Example
    • Facebook
    • Google
    • HYPR
    • LinkedIn
    • Nintendo
    • OpenID Connect
      • Overview
      • Azure AD
      • Discord
      • Github
    • Sony PlayStation Network
    • Steam
    • Twitch
    • Twitter
    • SAML v2
      • Overview
      • ADFS
    • SAML v2 IdP Initiated
      • Overview
      • Okta
    • Xbox
  • Messengers
    • Overview
    • Generic Messenger
    • Kafka Messenger
    • Twilio Messenger
  • Connectors
    • Overview
    • Generic Connector
    • LDAP Connector
    • FusionAuth Connector
  • Self Service Account Mgmt
    • Overview
    • Updating User Data & Password
    • Add Two-Factor Authenticator
    • Add Two-Factor Email
    • Add Two-Factor SMS
    • Customizing
    • Troubleshooting
  • Advanced Threat Detection
    • Overview
  • Integrations
    • Overview
    • CleanSpeak
    • Kafka
    • Twilio
  • OpenID Connect & OAuth 2.0
    • Overview
    • Endpoints
    • Tokens
  • SAML v2 IdP
    • Overview
    • Google
    • Zendesk
  • Plugins
    • Plugins
    • Writing a Plugin
    • Custom Password Hashing
  • Guides
    • Overview
    • Advanced Registration Forms
    • Breached Password Detection
    • Multi-Factor Authentication
    • Multi-Tenant
    • Passwordless
    • Securing Your APIs
    • Silent Mode
    • Single Sign-on
  • Tutorials
    • Overview
    • User Control & Gating
      • Gate Unverified Users
      • Gate Unverified Registrations
      • User Account Lockout
    • Setup Wizard & First Login
    • Register/Login a User
    • Start and Stop FusionAuth
    • Authentication Tokens
    • Key Rotation
    • JSON Web Tokens
    • Prometheus Setup
    • Switch Search Engines
    • Two Factor (pre 1.26)
  • Reference
    • CORS
    • Configuration
    • Data Types
    • Known Limitations
    • Password Hashes

    Generic Connector

    Overview

    • Configuration

    • Using the Generic Connector

      • Request

      • Response

      • Using the Generic Connector as the System of Record

    • Security

    • Performance Considerations

    Generic Connectors allow you to authenticate users against or migrate them from any user datasource accessible over HTTP or TLS.

    Configuration

    The Generic Connector creation page.

    Form Fields

    Id Optional

    An optional UUID. When this value is omitted a unique Id will be generated automatically.

    Name Required

    A unique name to identify the Connector. This name is for display purposes only and it can be modified later if desired.

    Authentication URL Required

    The fully qualified URL of the API endpoint. The connector will send an HTTP POST request to this URL to authenticate the user. The format and status code returned will be identical to the Login API.

    Connect timeout Required default is 1000

    The connect timeout in milliseconds, used when making the POST request.

    Read timeout Required default is 2000

    The read timeout in milliseconds, used when making the POST request.

    Debug enabled Optional default is false

    Enable debug to create an event log to assist you in debugging integration errors.

    Security

    The security settings may be used to require authentication in order to make the POST request to the authentication endpoint.

    The Generic Connector security section.

    Form Fields

    Basic auth username Optional

    The username to be used for HTTP Basic Authentication.

    Basic auth password Optional

    The password to be used for HTTP Basic Authentication.

    Certificate Optional

    The SSL certificate to be used when connecting to the POST endpoint.

    If you need to add a certificate for use with this connector, navigate to Settings → Key Master and import a certificate. The certificate will then be shown as an option in this form control.

    Headers

    You can configure arbitrary headers to be added to the HTTP POST request when making a request to the configured authentication endpoint.

    The Generic Connector headers section.

    Form Fields

    Name

    The name of the header to add to the HTTP request when authenticating.

    Value

    The header value to add to the HTTP request when authenticating.

    Using the Generic Connector

    To use a Generic Connector:

    • Build a Generic Connector API endpoint in your application to expose your user data.

    • Configure the Connector in Settings → Connectors, including securing the endpoint.

    • Add the Connector Policy in Tenants → Your Tenant → Connectors to configure to which domains the connector applies.

    Request

    The request to your API endpoint will be delivered as JSON:

    Example Request JSON
    {
      "loginId": "example@fusionauth.io",
      "password": "password",
      "applicationId": "10000000-0000-0002-0000-000000000001",
      "noJWT" : false,
      "ipAddress": "192.168.1.42"
    }

    Your application will then look up the user and verify the correct credentials were provided. Then you can return the response.

    Response

    Your API should return a valid FusionAuth user object with status code 200 if the user is found and authenticated. Note that while you may return any of the attributes of the user object, including nested objects such as application registrations with roles, only the required ones must be returned.

    If the user cannot be authenticated, you should return the appropriate status code and response data as documented by the Login API. For instance, a 404 if the user authentication fails or the user is not found.

    Example Successful Response JSON
    {
      "user": {
        "active": true,
        "birthDate": "1976-05-30",
        "data": {
          "displayName": "Johnny Boy",
          "migrated" : true,
          "favoriteColors": [
            "Red",
            "Blue"
          ]
        },
        "email": "example@fusionauth.io",
        "expiry": 1571786483322,
        "firstName": "John",
        "fullName": "John Doe",
        "id": "00000000-0000-0001-0000-000000000000",
        "imageUrl": "http://65.media.tumblr.com/tumblr_l7dbl0MHbU1qz50x3o1_500.png",
        "lastLoginInstant": 1471786483322,
        "lastName": "Doe",
        "middleName": "William",
        "mobilePhone": "303-555-1234",
        "passwordChangeRequired": false,
        "passwordLastUpdateInstant": 1471786483322,
        "preferredLanguages": [
          "en",
          "fr"
        ],
        "registrations": [
          {
            "applicationId": "10000000-0000-0002-0000-000000000001",
            "data": {
              "displayName": "Johnny",
              "favoriteSports": [
                "Football",
                "Basketball"
              ]
            },
            "id": "00000000-0000-0002-0000-000000000000",
            "insertInstant": 1446064706250,
            "lastLoginInstant": 1456064601291,
            "preferredLanguages": [
              "en",
              "fr"
            ],
            "roles": [
              "user",
              "community_helper"
            ],
            "username": "johnny123",
            "usernameStatus": "ACTIVE"
          }
        ],
        "timezone": "America/Denver",
        "twoFactorEnabled": false,
        "usernameStatus": "ACTIVE",
        "username": "johnny123",
        "verified": true
      }
    }

    Using the Generic Connector as the System of Record

    You can use this Connector as either a source of authentication or to migrate your users. In the former case, the backing database accessed via API remains the system of record (where the canonical user data exists). In the latter, the user is moved over once they have authenticated successfully one time, and FusionAuth becomes the system of record.

    As documented, there are a number of differences between these two choices. However, one difference is worth emphasizing.

    When you are not migrating the user and therefore using the backing database accessed via API as the system of record, the following user attributes will reset every time the user authenticates:

    • Group memberships

    • Application registrations

    If, for instance, you were to register such a user for an application using the FusionAuth API or the administrative user interface, the next time they authenticated, they would not be registered for that application.

    Since FusionAuth is not the system of record, the backing database accessed via API is the authoritative data source.

    The correct way to maintain these attributes is to store them in the backing database, query them when the API is called, and deliver them as part of the User JSON object.

    Security

    TLS v1.2

    The first step in securing your Generic Connector API endpoints is to ensure that they are using TLS v1.2 or higher. You should be using a web server that is configured with a certificate from a valid certificate authority and to only receive traffic from a secure connection. We also recommend that you disable all older secure protocols including SSL, TLS 1.0 and TLS 1.1.

    If you need a certificate, most cloud providers offer them or you can use LetsEncrypt to generate a certificate and ensure it is always up-to-date.

    Headers

    When you configure your Generic Connector API endpoint with FusionAuth, you should include a security header of some kind. There are two ways to define a security header:

    • Add a Basic Authentication username and password under the Security tab

    • Define an HTTP header under the Headers tab

    In either case, your Generic Connector API endpoint code should validate the security header to ensure the request is coming from FusionAuth. Here’s some example code that validates an Authorization header:

    Example Generic Connector API endpoint
    router.route('/fusionauth-user-api').post((req, res) => {
      const authorization = req.header('Authorization');
      if (authorization !== 'API-KEY') {
        res.status(401).send({
          'errors': [{
            'code': '[notAuthorized]'
          }]
        });
      } else {
        // process the request
      }
    });

    Certificates

    You may provide an x.509 certificate to use with your Generic Connector API endpoint. This must be an SSL certificate previously added to the Key Master. It is used to establish a TLS connection to the Generic Connector API endpoint endpoint. Use this option if FusionAuth cannot connect to your Generic Connector API endpoint without the certificate.

    Providing this certificate will build a custom SSL context for requests made for the Generic Connector API endpoint. Therefore, any other JDK keystores and certificate authority chains will be bypassed for this request.

    Firewalls

    In addition to using TLS and a security header, you might also want to put a firewall in front of your Generic Connector API endpoint. In most cases, this firewall will only allow traffic to your Generic Connector API endpoint that originated from your FusionAuth instance. Depending on how you are hosting your Generic Connector API endpoint, you might be able to lock down the URL for your Generic Connector API endpoint specifically. You might also leverage an API gateway or a proxy to ensure that only traffic coming from FusionAuth is routed to your Generic Connector API endpoint. The exact specifics of deploying and configuring a Firewall are outside the scope of this document, but you can consult the documentation for your proxy, API Gateway or hosting provider to determine how to manage it.

    As an example, you can configure an AWS Application Load Balancer so that traffic coming from the IP address of your FusionAuth servers with a URL of https://apis.mycompany.com/fusionauth-user-api is routed through. You can then configure the Application Load Balancer so that all other traffic to that URL is rejected.

    Performance Considerations

    Enabled Connectors are in the critical path of the login experience and therefore should have low latency. Here are some things to do to improve performance of your Generic Connector.

    Network Connection

    There are three phases of the Connector network connection, from FusionAuth connector to the API endpoint:

    • Initial connection to the API endpoint

    • First byte read from the connection

    • Response complete and returned from the API endpoint

    The first two have configurable timeouts, the Connect timeout and the Read timeout fields. For Connect timeout, if the timeout expires before the connection can be established, the login fails. For Read timeout, if the timeout expires before there is data available to be read, the login fails. The default values for these timeouts are typically adequate, but you may want to tune them if there is resource contention on your server.

    However, neither timeout prevents the HTTP request from taking as long as it needs to in order to respond once the API endpoint has begun to write bytes to the output stream. If a Connector is not correctly terminating the HTTP response or taking an excessive time to process the login request, then this can cause issues under load.

    You can avoid issues by having your API endpoint write login data and completely close the connection as quickly as possible. You can load test your Connector using [FusionAuth’s load testing framework](/docs/v1/tech/admin-guide/monitor#load-testing) or any other HTTP based load testing framework. Additionally, ensure the API endpoint is sized correctly and not starved of resources. If the user cannot be authenticated, you should return the appropriate status code and data as quickly as possible, as documented by the Login API. Using the correct status code for each response ensures that FusionAuth handles the response appropriately.

    Disable Logging

    Turning on the Connector’s Debug Enabled field during development is useful for troubleshooting. However, once you deploy a Connector to production, enable debugging only when troubleshooting. Debugging writes to the System → Event Log and this causes additional load on the database.

    Feedback

    How helpful was this page?

    See a problem?

    File an issue in our docs repo

    © 2021 FusionAuth
    Subscribe for developer updates