Users

Session Details

A session can be created by using the Login API, as long as Generate refresh tokens is enabled, or by completing the OAuth Authorization Code grant when the offline_access scope is requested.

A session will end when:

• It expires.

• It is deleted using the JWT APIs.

• Optionally, as a result of a user changing their password or having their account locked.

These can be configured in the Tenant Refresh Token settings or the Application Refresh Token settings.

An SSO session will end if you log out of SSO.

When a session is no longer valid, the associated refresh token can’t be used to create new JWTs.

The JWTs themselves are valid until they expire.

Configuration

Please see our search core concepts section for additional information on basic configuration. The remainder of this section will cover specifics as it relates to users and search.

Database Search Engine

This configuration is lightweight, simplifies installation and system complexity, but comes with the trade offs of limited search capabilities and performance implications.

The database search engine enables fuzzy search against the following fields of the user:

• firstName

• lastName

• fullName

• email

• username

To learn more about the database search engine in general, view the search core concepts section.

Elasticsearch Search Engine

Leveraging Elasticsearch for the user search engine enables advanced search capabilities on more numerous and granular data and a performance improvement for user search.

Advanced Search UI

FusionAuth provides an advanced user search interface that reveals how you may construct queryString and query parameters for the User Search API and User Bulk Delete API with desired results. Navigate to Users from the left navigation and click on the "Advanced" link below the Search input field to begin. The "Advanced" portion of this UI is available when the search engine type is configured to elasticsearch.

We provide selectors for common search fields, as well as a free-form search field for constructing complex search queries. By selecting the Show Elasticsearch query toggle, you will see either the Elasticsearch query string or JSON search query that can be used as queryString and query parameters for the User Search API and User Bulk Delete API.

Additionally, you may enter Elasticsearch query strings or raw JSON queries into the search field for testing purposes.

The following screenshot shows a query string being constructed to search for users that belong to the Moderators group and are in the Default tenant:

When searching for users by application or any fields on an application, it is necessary to construct a JSON query due to the way the Elasticsearch mapping is defined.

The following screenshot shows an Elasticsearch JSON query being constructed to search for users that match the email pattern *@fusionauth.io, are registered to the Pied Piper application, and are assigned the dev role:

To learn more about the Elasticsearch search engine in general, view the Elasticsearch search guide.

Tenants

Each FusionAuth tenant is a logical grouping of users, configuration and applications. Users are tenant scoped. This means a user with the same identifier (email, username, etc) in two different tenants is a different user. They can have different passwords, different identity provider links and different attributes. You can search for users across tenants using the User Search API.

An example use case is a private label todo SaaS application, where you want a user to sign up for two or more different instances of your SaaS and not know that there is a shared identity store behind them. For example, richard@piedpiper.com can sign up for the Pied Piper Todo application and the Hooli Todo Application with the same email address, but different passwords, MFA methods and more.

One issue is that if you have admin users, such as customer support representatives, which need cross-tenant access, you can’t keep their accounts in sync. One option is to set up an administrative identity server, whether that is a second instance of FusionAuth, Google GSuite, or Azure AD. Have the customer service representatives authenticate with it.

Learn more about Tenants.

Applications and Registrations

Applications in FusionAuth represent something you can log in to. They are tenant scoped. You associate a user with an application via a registration. You may also optionally associate one or more roles with each user’s registration.

An example use case is a single company, where you have a forum, a todo application and an accounting application. If you have three users, Richard, Monica and Jared, you can grant Richard access to all three applications, Monica access to the forum and todo applications, and Jared access to the accounting application.

Prohibit a user from logging into an application for which they are not registered by checking the claims in the token or enabling the Require registration setting for the application.

Applications also may have associated Identity Providers, such as Google or OIDC providers. When so configured, a user may log in to an application with the Identity Provider.

Every user object contains an array of application registrations. You can search for all users with a given registration.

Learn more about Applications.

Groups

Groups are a way to group users in FusionAuth. They are tenant scoped. They may have application roles associated with them. Users with a registration for an application as well as a group membership will assume those roles upon login.

Group membership is boolean in nature. A user is either in a group or out of a group.

An example use case is a forum moderators group. The forum application can get the group memberships of any user. If the user is a member of the moderators group, the application can provide a 'flag' button on the forum software.

Every user object contains an array of group memberships. You can search for all users with a given group memberships.

One issue is that to get the group names of memberships for a user, you must use FusionAuth’s proprietary APIs. Group names are not included in the user object.

Learn more about Groups.

Entities and Grants

Entities and grants allow you to model fine grained permissions in a flexible manner. Entities are things, while grants are expressions of permissions granted to a user or thing to another thing. Entities have configurable permissions. Entities are a good fit when you have users that may need access to different assets which can’t be easily modeled as applications.

An example use case which could be modeled using entities is GitHub organizations. A user can belong to zero or more GitHub organizations and have different access levels in each one. But a user logs in to GitHub, not to a GitHub organization. Additionally, permissions will vary between organizations. A user may be an admin in one GitHub organization and have read-only access in another one. To implement this, you’d represent each GitHub organization as an entity in FusionAuth, and grant users permissions to each organization of which they are a member.

It is very common to have an interstitial page when using entities. (This page is custom built and is not provided by FusionAuth.) The user logs in to an application, and is then presented with a list of entities to which they’ve been granted permissions. The user selects an entity and then acts within the confines of that entity.

You can search for all users granted access to a given entity. You can search for all entities for which a user has a grant.

One issue is that to search for grants on a user, you must use FusionAuth’s proprietary APIs. Additionally, since entities cannot be 'logged into', they don’t have any relationship with external Identity Providers.

Learn more about Entities and Grants.