I'd like to update the user data object in the UI. I know I can do it via the API: https://fusionauth.io/docs/v1/tech/apis/users
dan
@dan
Head of Developer Relations at FusionAuth.
Enjoys ruby, java, php. Finds golang challenging.
Likes the authorization code grant, automation, stories and clear documentation.
Hiker, camper, gardener. Used to have chickens, now just tomatoes.
Best posts made by dan
-
Is there a way to update user data in the UI?
-
Can I configure the inactivity timeout of the FusionAuth Session cookie?
I have a quick question about FusionAuth and configuring the inactivity timeout of the session cookie it creates. Specifically... Is it possible?
-
Terraform provider for FusionAuth released
There's now an open source terraform provider available: https://github.com/gpsinsight/terraform-provider-fusionauth
It's also on the registry: https://registry.terraform.io/providers/gpsinsight/fusionauth/latest
-
RE: Block authentication until user is verified?
Is modifying the JWT via a lambda equivalent to accessing the verified property of the user profile?
Within a lambda, you have access to the user and registration properties. So you'd pull the 'verified' property from wherever you wanted and put it into the JWT as a custom claim. Here's a blog post about how that might work. So yes, it is the same data. It's the tradeoff between a bigger JWT and having to make the additional call from your API.
Don't forget that the JWT will live for a while, so if this sequence happens and you use the JWT, you might have a user with a verified email prevented from using the API.
- user registers
- JWT issued, with 'verified' set to false because the user isn't verified.
- User verifies their email
- User visits API, but is denied because the JWT has stale data.
I don't know timelines and how long your JWTs live for, but this is something to consider. Does that answer your question?
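The sequence above, worked through as an added example (not FusionAuth's code or dan's). It mirrors the shape of a JWT populate lambda copying 'verified' into the token, then shows an API that trusts only the claim versus one that re-checks against the user store when the claim says unverified. FIXTURE_USERS and the fetchUser hook are constructed stand-ins for FusionAuth's user store and User API; no real JWT is signed or parsed.

```javascript
// Added example (not FusionAuth's code): simulates the "stale verified claim"
// sequence from the post. FIXTURE_USERS is a constructed stand-in for the
// FusionAuth user store; nothing here signs or parses a real JWT.
const FIXTURE_USERS = new Map([
  ['user-1', { id: 'user-1', email: 'alice@example.com', verified: false }],
]);

// Mirrors the shape of a FusionAuth JWT populate lambda: copy the user's
// verified flag into the token as a custom claim.
function populate(jwt, user, registration) {
  jwt.verified = user.verified;
}

// Issue a token for a user at time `nowSeconds` with a lifetime of `ttlSeconds`.
function issueToken(userId, nowSeconds, ttlSeconds) {
  const user = FIXTURE_USERS.get(userId);
  if (!user) throw new Error('unknown user');
  const jwt = { sub: userId, iat: nowSeconds, exp: nowSeconds + ttlSeconds };
  populate(jwt, user, null);
  return jwt;
}

// Decide whether an API call may proceed. `fetchUser` (hypothetical name) stands
// in for the extra call to the User API; it is consulted only when the claim says
// the user is unverified, so verified users cost nothing extra and a freshly
// verified user is not locked out by a token minted before they verified.
function authorize(claims, nowSeconds, fetchUser) {
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    return { allowed: false, reason: 'token expired' };
  }
  if (claims.verified === true) {
    return { allowed: true, source: 'jwt claim' };
  }
  if (fetchUser) {
    const fresh = fetchUser(claims.sub);
    if (fresh && fresh.verified === true) {
      return { allowed: true, source: 'user api' };
    }
  }
  return { allowed: false, reason: 'email not verified' };
}

// Walk through the sequence from the post: register, get a token, verify
// email, then hit the API with the old token.
function runScenario() {
  FIXTURE_USERS.get('user-1').verified = false;       // 1) user registers (unverified)
  const t0 = 1700000000;                               // constructed "now" (seconds)
  const token = issueToken('user-1', t0, 3600);        // 2) JWT issued with verified=false
  FIXTURE_USERS.get('user-1').verified = true;         // 3) user clicks the verification link
  const lookup = (id) => FIXTURE_USERS.get(id);
  const withoutRecheck = authorize(token, t0 + 60);            // 4a) API trusts the claim only
  const withRecheck = authorize(token, t0 + 60, lookup);       // 4b) API re-checks on "unverified"
  const afterExpiry = authorize(token, t0 + 3601, lookup);     // expired tokens fail regardless
  return { claimAtIssue: token.verified, withoutRecheck, withRecheck, afterExpiry };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

The re-check only fires on the negative claim, so the extra API call is paid exactly by the users whose token is potentially stale; a short JWT lifetime bounds how long that window can last in the first place.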
-
RE: My JWKS are always empty
Symmetric keys are not returned on the JWKS endpoint, as they don't have a public key. Per the docs this api:
returns public keys generated by FusionAuth, used to cryptographically verify JWTs using the JSON Web Key format
If you create an RSA or EC key, which is an asymmetric key pair, the public key will be returned on the JWKS endpoint. If you don't have any key pairs configured, it will be empty. Out of the box, you'll only have one HMAC key, which we don't publish in JWKS.
-
RE: Implementing a Role-Based Access System for Authorization
Ah, I just tested this out and if you don't need it in the JWT, you should be able to see it in the registrations object returned after login.
Here's a response I get after logging in:
{
  "token": "ey...",
  "user": {
    "active": true,
    "connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
    "email": "email@example.com",
    "id": "2df13f18-01cc-48a4-b97a-2ab04f98d006",
    "insertInstant": 1592857899119,
    "lastLoginInstant": 1596819645662,
    "lastUpdateInstant": 0,
    "passwordChangeRequired": false,
    "passwordLastUpdateInstant": 1592857899145,
    "registrations": [
      {
        "applicationId": "78bd26e9-51de-4af8-baf4-914ea5825355",
        "id": "73d2317b-d196-4315-aba2-3c205ed3ccae",
        "insertInstant": 1592857899151,
        "lastLoginInstant": 1592857899153,
        "lastUpdateInstant": 1596813810104,
        "roles": [ "Role1" ],
        "usernameStatus": "ACTIVE",
        "verified": true
      }
    ],
    "tenantId": "1de156c2-2daa-a285-0c59-b52f9106d4e4",
    "twoFactorDelivery": "None",
    "twoFactorEnabled": false,
    "usernameStatus": "ACTIVE",
    "verified": true
  }
}
So user.applicationId.roles is what you want. Note that roles are applied on an application by application basis. If a user is in a group which has a role 'roleA' which is created in 'applicationA', but is not registered for 'applicationA', they won't receive that role. More on that here: https://fusionauth.io/docs/v1/tech/core-concepts/groups
-
RE: Trouble getting the user object post login
OK, we just released 1.18.8 and that is the version you want to use:
In requirements.txt:
    fusionauth-client==1.18.8
And then this is the call you want to make (with client_id before redirect_uri):
    resp = client.exchange_o_auth_code_for_access_token(request.args.get("code"), client_id, "http://localhost:5000/oauth-callback", client_secret)
-
RE: Specifying password during user registration.
Hiya,
First off, we'd recommend having all the flow you outline be over TLS. That's good enough for most major ecommerce systems and so shouldn't be insecure. If you aren't serving your application over TLS, then I'd advise doing so. And note that the flow is actually:
My Frontend --> My Backend --> FusionAuth API
There's no password returned from the registration API call.
If you are concerned about a new user's password being insecurely transmitted through your application, you could use the FusionAuth hosted login pages and theme them to be like your application. (More docs.)
The other option, which takes encrypted passwords, is the Import Users API, but that's probably not a fit for one off registrations. There are no plans to accept encrypted passwords for one off user registrations. Here's a related issue you can weigh in on/vote up if you'd like. Or feel free to open a new issue if that one doesn't capture the essence of your idea.
Are there specific security concerns you have around your front end/back end systems that I might be missing?
Latest posts made by dan
-
RE: More flexibility around the FusionAuth hosted backend
The hosted backend is designed to cover a number of use cases, but is not very configurable.
If you need more control over the backend, it's suggested you stand up your own application backend to do the token exchange and set the cookies or otherwise store the access token. Many frameworks will take care of this for you.
FusionAuth has provided a sample express application that has the same functionality as the hosted backend and can be extended. For example, to change the domain of the cookie set, you can modify the cookie setting code here.
-
More flexibility around the FusionAuth hosted backend
We're using the FusionAuth hosted backend but want some more flexibility around the cookie names, domain and expiration times.
What is the best way to get that? File an issue? Raise a support ticket?
-
RE: API Keys page 500
@cierzniak I think you found a bug! @spencer filed an issue that looks related.
https://github.com/FusionAuth/fusionauth-issues/issues/2738
There's a workaround in the issue, which involves deleting a cookie.
Can you please try that and let us know if that resolves it?
-
RE: Registration verification dead end
The best way to solve this is to use a <meta> element with its http-equiv set to Refresh in the <head> of the page. When the page is displayed, the browser will go to the indicated URL.
The Verify registration complete template can be updated like this, for example:
    [@helpers.head]
      [#-- Custom <head> code goes here --]
      <meta http-equiv="Refresh" content="0; URL=https://google.com/" />
    [/@helpers.head]
-
Registration verification dead end
When verifying a registration by following an email link, the user will ultimately end on a Registration verification complete page. This is a dead end page. Can the user be sent to a login screen for example?
-
RE: Access google calendars of multiple google accounts (with user permission)
@alex-3 I'm a bit unclear on what you are trying to do.
Can you outline the exact steps you want to take?
-
RE: Access google calendars of multiple google accounts (with user permission)
Sure!
This is a case of Third-Party Service Authorization where your application is trying to access data on behalf of users held by another party (Google in this case).
This will require some integration work on your part, but the basic steps are:
- Integrate your application with FusionAuth (our quickstarts are a good place to start). Make sure you check the 'keep me signed in' value set, using a hidden field.
- Set up an Identity Provider. You don't want to use the Google Identity Provider because it doesn't support the prompt URL parameter.
- Use the OIDC Identity Provider with the prompt parameter set to select_account to let the users pick different accounts, and make sure you set access_type to offline to get a refresh token. More here.
- Set the Linking strategy to Pending.
- You'll also need to set up your Google scopes correctly. Based on your question, you'll want to use https://www.googleapis.com/auth/calendar.events.readonly as an additional scope.
- You'll want to follow the Google Identity Provider instructions insofar as they pertain to navigating the Google Cloud Console.
- Create a 'connect your account with google' button in your application. This should point to the OIDC Identity Provider. You can use an idp_hint to send the user directly to Google when they click it.
- After they return from google, having selected their account, they should be logged in to your application. (It's possible with Pending they'll be prompted to login to your application again, but I don't think so. Would have to test.) They'll also have a link that is accessible via the Link API. That link will contain the refresh token in the token field.
- You can also iterate all the links in your application using one of our client libraries to display to the user which google accounts they have connected.
Now you have connected 1 or more Google accounts to a FusionAuth account.
Next, when you want to retrieve calendar events for your application to process, take these steps:
- Call the Links API for the user to retrieve all the links
- Retrieve the Google refresh token from the token field
- Get a fresh access token using the Refresh grant
- Use the access token to retrieve the event data using either the API or a Google SDK.
- ... profit!
If the refresh token has expired (you don't get back a valid access token), inform the user and have them go through the authorization process again.
Hope this helps.
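The retrieval steps in the reply above, written out as an added example (not FusionAuth's code or dan's). The three collaborators are injected so the code runs offline: fetchLinks stands in for the Links API, refreshGrant for Google's token endpoint and fetchEvents for the Calendar API; those names, the shapes they return and the fixture links are all assumptions. The point it adds is the failure path at the end of the reply: a dead refresh token on one account is reported as needing re-authorization instead of aborting the other accounts.

```javascript
// Added example (not FusionAuth's code): iterate a user's Google links, refresh
// each one, and pull calendar events, flagging accounts whose refresh token no
// longer works. Collaborators are injected so nothing here touches the network.
async function collectCalendarEvents(userId, { fetchLinks, refreshGrant, fetchEvents }) {
  const links = await fetchLinks(userId);              // step 1: every linked Google account
  const results = [];
  for (const link of links) {
    const refreshToken = link.token;                   // step 2: refresh token stored on the link
    let accessToken;
    try {
      accessToken = await refreshGrant(refreshToken);  // step 3: refresh grant
    } catch (err) {
      // A refresh token Google rejects (revoked or expired) means this account must
      // be connected again; record that and carry on with the remaining accounts.
      results.push({ account: link.displayName, status: 'reauthorize', error: err.message });
      continue;
    }
    const events = await fetchEvents(accessToken);     // step 4: read calendar data
    results.push({ account: link.displayName, status: 'ok', events });
  }
  return results;
}

// Constructed fixtures: two links as the Links API might return them, one holding
// a refresh token Google no longer accepts. Field names are assumptions.
const FIXTURE_LINKS = [
  { identityProviderId: 'idp-google', displayName: 'alice@gmail.test', token: 'rt-good' },
  { identityProviderId: 'idp-google', displayName: 'alice.work@gmail.test', token: 'rt-revoked' },
];

// Constructed stand-ins for the Links API, Google's token endpoint and the Calendar API.
const fakeBackends = {
  fetchLinks: async () => FIXTURE_LINKS,
  refreshGrant: async (rt) => {
    if (rt !== 'rt-good') throw new Error('invalid_grant'); // dead refresh token
    return 'at-123';
  },
  fetchEvents: async (at) => (at === 'at-123' ? [{ summary: 'Standup' }] : []),
};

function runDemo() {
  return collectCalendarEvents('user-1', fakeBackends);
}

runDemo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Access tokens are deliberately not stored: each run mints a short-lived one from the refresh token on the link, which is the only long-lived secret to protect.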
-
Access google calendars of multiple google accounts (with user permission)
Hiya,
We have a situation where we have users. Each user has 1 or more Google accounts. We want to be able to read events from a calendar using Google APIs.
Is this something that FusionAuth can help with?
-
RE: Is it possible to limit the number of devices a user can login with?
This might be useful for visitors in the future: https://fusionauth.io/docs/extend/examples/device-limiting
-
RE: how to implement user invitation
Hiya @kasir-barati ,
You can certainly use just a subset of known invite codes. In that case, no need to store the codes on the user.
Instead, add an array of codes in the self-service registration lambda and have a step check to see that the user provided code value matches one of the known values in the array.
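An added example (not FusionAuth's code or dan's) of the registration lambda check described above. The validate() signature and the result.errors.fieldErrors shape are assumptions to confirm against FusionAuth's self-service registration validation lambda documentation; the invite codes and the field name are constructed.

```javascript
// Added example (not FusionAuth's code): a self-service registration validation
// lambda that accepts only a known set of invite codes. The validate() signature
// and the result.errors.fieldErrors shape are assumptions; codes are constructed.
const INVITE_FIELD = 'user.data.inviteCode';
const KNOWN_CODES = new Set(['ALPHA-2024', 'BETA-2024', 'GAMMA-2024']);

// Tolerate the ways users mangle a code (surrounding whitespace, lower case)
// while rejecting anything that is not a string at all.
function normalizeCode(value) {
  return typeof value === 'string' ? value.trim().toUpperCase() : '';
}

// Lambda entry point. Adds a field error when the supplied code is unknown;
// leaving result untouched means the registration may proceed.
function validate(result, user, registration, context) {
  const supplied = normalizeCode(user && user.data && user.data.inviteCode);
  if (!KNOWN_CODES.has(supplied)) {
    result.errors = result.errors || {};
    result.errors.fieldErrors = result.errors.fieldErrors || {};
    result.errors.fieldErrors[INVITE_FIELD] = [
      { code: '[invalid]' + INVITE_FIELD, message: 'That invite code is not recognised.' },
    ];
  }
}

// Drive the lambda the way the server would and return the result object.
function runValidation(user) {
  const result = { errors: { fieldErrors: {} } };
  validate(result, user, {}, {});
  return result;
}

// Constructed inputs: one good code with sloppy formatting, one unknown, one missing.
for (const u of [{ data: { inviteCode: ' beta-2024 ' } }, { data: { inviteCode: 'NOPE' } }, {}]) {
  console.log(JSON.stringify(runValidation(u)));
}
```

Because the lambda only reports "unknown code", a failed attempt learns nothing about which codes exist; rate limiting on the registration endpoint is what keeps a small code space from being enumerated.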