Generic Connector
Overview
Generic Connectors allow you to authenticate users against or migrate them from any user datasource accessible over HTTP or TLS.
Configuration

Form Fields
- Id (Optional)
  An optional UUID. When this value is omitted a unique Id will be generated automatically.
- Name (Required)
  A unique name to identify the Connector. This name is for display purposes only and it can be modified later if desired.
- Authentication URL (Required)
  The fully qualified URL of the API endpoint. The connector will send an HTTP POST request to this URL to authenticate the user. The format and status code returned will be identical to the Login API.
- Connect timeout (Required, default is 1000)
  The connect timeout in milliseconds used when making the POST request.
- Read timeout (Required, default is 2000)
  The read timeout in milliseconds used when making the POST request.
- Debug enabled (Optional, default is false)
  Enable debug to create an event log to assist you in debugging integration errors.
Security
The security settings may be used to require authentication in order to make the POST request to the authentication endpoint.

Form Fields
- Basic auth username (Optional)
  The username to be used for HTTP Basic Authentication.
- Basic auth password (Optional)
  The password to be used for HTTP Basic Authentication.
- Certificate (Optional)
  The SSL certificate to be used when connecting to the POST endpoint.
If you need to add a certificate for use with this connector, navigate to
and import a certificate. The certificate will then be shown as an option in this form control.
Headers
You can configure arbitrary headers to be added to the HTTP POST request when making a request to the configured authentication endpoint.

Form Fields
- Name
  The name of the header to add to the HTTP request when authenticating.
- Value
  The header value to add to the HTTP request when authenticating.
Using the Generic Connector
To use a Generic Connector:
- Build a Generic Connector API endpoint in your application to expose your user data.
- Configure the Connector in , including securing the endpoint.
- Add the Connector Policy in to configure to which domains the connector applies.
Request
The request to your API endpoint will be delivered as JSON:
{
  "loginId": "example@fusionauth.io",
  "password": "password",
  "applicationId": "10000000-0000-0002-0000-000000000001",
  "noJWT": false,
  "ipAddress": "192.168.1.42"
}
Your application will then look up the user and verify the correct credentials were provided. Then you can return the response.
Response
Your API should return a valid FusionAuth user object with status code 200 if the user is found and authenticated. Note that while you may return any of the attributes of the user object, only the required ones must be returned.
If the user cannot be authenticated, you should return the appropriate status code and response data as documented by the Login API.
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0ODUxNDA5ODQsImlhdCI6MTQ4NTEzNzM4NCwiaXNzIjoiYWNtZS5jb20iLCJzdWIiOiIyOWFjMGMxOC0wYjRhLTQyY2YtODJmYy0wM2Q1NzAzMThhMWQiLCJhcHBsaWNhdGlvbklkIjoiNzkxMDM3MzQtOTdhYi00ZDFhLWFmMzctZTAwNmQwNWQyOTUyIiwicm9sZXMiOltdfQ.Mp0Pcwsz5VECK11Kf2ZZNF_SMKu5CgBeLN9ZOP04kZo",
  "user": {
    "active": true,
    "birthDate": "1976-05-30",
    "connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
    "data": {
      "displayName": "Johnny Boy",
      "favoriteColors": [
        "Red",
        "Blue"
      ]
    },
    "email": "example@fusionauth.io",
    "expiry": 1571786483322,
    "firstName": "John",
    "fullName": "John Doe",
    "id": "00000000-0000-0001-0000-000000000000",
    "imageUrl": "http://65.media.tumblr.com/tumblr_l7dbl0MHbU1qz50x3o1_500.png",
    "lastLoginInstant": 1471786483322,
    "lastName": "Doe",
    "middleName": "William",
    "mobilePhone": "303-555-1234",
    "passwordChangeRequired": false,
    "passwordLastUpdateInstant": 1471786483322,
    "preferredLanguages": [
      "en",
      "fr"
    ],
    "registrations": [
      {
        "applicationId": "10000000-0000-0002-0000-000000000001",
        "data": {
          "displayName": "Johnny",
          "favoriteSports": [
            "Football",
            "Basketball"
          ]
        },
        "id": "00000000-0000-0002-0000-000000000000",
        "insertInstant": 1446064706250,
        "lastLoginInstant": 1456064601291,
        "preferredLanguages": [
          "en",
          "fr"
        ],
        "roles": [
          "user",
          "community_helper"
        ],
        "tokens": {
          "Facebook": "nQbbBIzDhMXXfa7iDUoonz5zS",
          "19544aa2-d634-4859-b193-e57af82b5d12": "eu1SsrjsiDf3h3LryUjxHIKTS0yyrbiPcsKF3HDp"
        },
        "username": "johnny123",
        "usernameStatus": "ACTIVE"
      }
    ],
    "timezone": "America/Denver",
    "tenantId": "f24aca2b-ce4a-4dad-951a-c9d690e71415",
    "twoFactorEnabled": false,
    "usernameStatus": "ACTIVE",
    "username": "johnny123",
    "verified": true
  }
}
Security
TLS v1.2
The first step in securing your Generic Connector API endpoints is to ensure that they are using TLS v1.2 or higher. You should be using a web server that is configured with a certificate from a valid certificate authority and to only receive traffic from a secure connection. We also recommend that you disable all older secure protocols including SSL, TLS 1.0 and TLS 1.1.
If you need a certificate, most cloud providers offer them or you can use Let's Encrypt to generate a certificate and ensure it is always up-to-date.
Headers
When you configure your Generic Connector API endpoint with FusionAuth, you should include a security header of some kind. There are two ways to define a security header:
- Add a Basic Authentication username and password under the tab
- Define an HTTP header under the tab
In either case, your Generic Connector API endpoint code should validate the security header to ensure the request is coming from FusionAuth. Here's some example code that validates an Authorization header:
const express = require('express');
const router = express.Router();

router.route('/fusionauth-user-api').post((req, res) => {
  // The Authorization header value configured for the connector
  const authorization = req.header('Authorization');
  if (authorization !== 'API-KEY') {
    // Reject requests that do not carry the expected value
    res.status(401).send({
      'errors': [{
        'code': '[notAuthorized]'
      }]
    });
  } else {
    // process the request
  }
});
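As an added example (not FusionAuth's code and not part of the original page), the endpoint logic described in the Request, Response and Headers sections can be written as a framework-free Node.js function that checks the Authorization header in constant time, parses the JSON request and verifies the password against a constructed user store. The names handleConnectorRequest, CONNECTOR_SECRET and USERS, the scrypt storage scheme, the 400 and 404 status codes and the returned user fields are assumptions.

```javascript
const crypto = require('node:crypto');

// Assumption: this value is also configured as the connector's Authorization header.
// The fallback is a constructed value so the example runs offline.
const CONNECTOR_SECRET = process.env.CONNECTOR_SECRET || 'constructed-demo-secret';

const hashPassword = (password, salt) => crypto.scryptSync(password, salt, 32);

// Constructed sample of a legacy user store (salted scrypt hashes), keyed by login id.
const USERS = new Map([
  ['example@fusionauth.io', {
    id: '00000000-0000-0001-0000-000000000000',
    salt: 'constructed-salt',
    hash: hashPassword('password', 'constructed-salt'),
  }],
]);

// Constant-time string comparison; hashing first gives timingSafeEqual equal lengths.
function safeEqual(a, b) {
  const digest = (s) => crypto.createHash('sha256').update(String(s)).digest();
  return crypto.timingSafeEqual(digest(a), digest(b));
}

// Hypothetical helper: returns { status, body } for one connector POST.
// `headers` uses lower-cased names, as Node's http module delivers them.
function handleConnectorRequest(headers, rawBody) {
  if (!safeEqual(headers.authorization || '', CONNECTOR_SECRET)) {
    return { status: 401, body: { errors: [{ code: '[notAuthorized]' }] } };
  }
  let login;
  try {
    login = JSON.parse(rawBody);
  } catch (err) {
    return { status: 400, body: {} };
  }
  if (!login || typeof login.loginId !== 'string' || typeof login.password !== 'string') {
    return { status: 400, body: {} };
  }
  const record = USERS.get(login.loginId.toLowerCase());
  // Hash even when the user is unknown so timing does not reveal which accounts exist.
  const candidate = hashPassword(login.password, record ? record.salt : 'constructed-dummy-salt');
  if (!record || !crypto.timingSafeEqual(candidate, record.hash)) {
    return { status: 404, body: {} }; // assumption: 404 for unknown user or bad password
  }
  // Assumption: id, email and active suffice; this page does not list the required fields.
  return { status: 200, body: { user: { id: record.id, email: login.loginId.toLowerCase(), active: true } } };
}
```

The function can be called from any HTTP framework's POST handler by passing the request headers and the raw body, then writing the returned status and body to the response.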
Certificates
You may provide an X.509 certificate to use with your Generic Connector API endpoint. This must be an SSL certificate previously added to the Key Master. It is used to establish a TLS connection to the Generic Connector API endpoint. Use this option if FusionAuth cannot connect to your Generic Connector API endpoint without the certificate.
Providing this certificate will build a custom SSL context for requests made for the Generic Connector API endpoint. Therefore, any other JDK keystores and certificate authority chains will be bypassed for this request.
Firewalls
In addition to using TLS and a security header, you might also want to put a firewall in front of your Generic Connector API endpoint. In most cases, this firewall will only allow traffic to your Generic Connector API endpoint that originated from your FusionAuth instance. Depending on how you are hosting your Generic Connector API endpoint, you might be able to lock down the URL for your Generic Connector API endpoint specifically. You might also leverage an API gateway or a proxy to ensure that only traffic coming from FusionAuth is routed to your Generic Connector API endpoint. The exact specifics of deploying and configuring a Firewall are outside the scope of this document, but you can consult the documentation for your proxy, API Gateway or hosting provider to determine how to manage it.
As an example, you can configure an AWS Application Load Balancer so that traffic coming from the IP address of your FusionAuth servers with a URL of https://apis.mycompany.com/fusionauth-user-api is routed through. You can then configure the Application Load Balancer so that all other traffic to that URL is rejected.