maciej.wisniowski

I can confirm it works properly in the latest version. Thank you very much for the quick help!

@fred-fred You can customize the templates (eg macro body in helpers.ftl) in your theme like this:

[#if application?? && application.name?? && application.name == "MyApp1"]
       this is myapp 1 login screen
[#elseif application?? && application.name?? && application.name == "FusionAuth"]
       this is FusionAuth login screen
[#else]
       this is something else
[/#if]

@richb201 with docker you can use environment variables to configure FA: https://fusionauth.io/docs/v1/tech/reference/configuration/

For example (from docker-compose config):
FUSIONAUTH_APP_RUNTIME-MODE: development
FUSIONAUTH_APP_SILENT-MODE: "true"

I don't think this is possible with environment variables as SMTP configuration is managed per tenant. You can use kickstart to configure it, eg.:

{
      "method": "PATCH",
      "url": "/api/tenant/#{your_tenant_id}",
      "body": {
        "tenant": {
          "name": "My Tenant name",
          "issuer": "example.com",
          "themeId": "#{my_theme_uid}",
          "emailConfiguration": {
            "defaultFromEmail": "no-reply@example.com",
            "defaultFromName": "Blah",
            "host": "mailhog",
            "password": "",
            "port": "1025",
            "security": "TLS",
            "username": "",
            "forgotPasswordEmailTemplateId": "#{forgot_password_email_id}"
          }
        }
      }
    },

Github issue: https://github.com/FusionAuth/fusionauth-issues/issues/632

Ah.. seems I've made a typo, please try with all underscores in FUSIONAUTH_APP_SILENT_MODE (instead of FUSIONAUTH_APP_SILENT-MODE).

Answering to myself, as I've found the information regarding this issue in the docs. Seems "sticky sessions" is the way to go.

https://fusionauth.io/docs/v1/tech/installation-guide/server-layout

"In this scenario FusionAuth should be placed behind a load balancer to utilize both services equally. Session pinning should be utilized to support stateful sessions to FusionAuth"

Answering to myself. Seems I can do the following:

[#if request.getParameter('custom_parameter')??]
          [#global custom_parameter = request.getParameter('custom_parameter')?string /]
          [@helpers.hidden name="custom_parameter" /]
[/#if]
</form>

which just passes the parameter in the input field making it available after the form submit

Hello

My setup consists of 3 virtual machines running database, FusionAuth & elasticsearch in a clusters plus a load balancer:

vm1: PostgreSQL DB (shared)
vm2: FusionAuth node1 + Elasticsearch node 1
vm3: FusionAuth node2 + Elasticsearch node 2
LoadBalancer

The problem is that every few requests I'm logged out of the FA management panel. It seems to happen when the load balancer directs the request to the FusionAuth node different than the one used for the previous requests. I can see that JSESSIONID cookie gets changed when I'm logged out. Turns out FusionAuth instances are not sharing the user session, is this correct?

The quick fix is to make the load balancer use "sticky sessions" but I wonder if this is the correct way to resolve this. Maybe I have something wrong with the FA configuration?

Hi,

If you have any other user account that has an admin role with the FusionAuth application then use this account to set the 'admin' role for your user (as the error message says).

If there is no other useable admin account then seems something is screwed up (wondering how it is possible). You might try the API to update the registration for your user.

If you don't have proper credentials for the API then I would try connecting directly to the database to find out if it is possible to add the role for the user there.

@duke have you tried the following (move username and password to another env variables):

DATABASE_URL=postgres://top2.nearest.of.host_name-db.internal:5432/db_name
DATABASE_USERNAME=the_name
DATABASE_PASSWORD=LtMvptwX

@joshua I've tried with the FA 1.32.1 and I think I've found the source of the problem.
Turns out I had my Forgot Password Email template a bit old (AFAIR based on the template from 1.27.2).

Because of this, the URL to reset the password (in the email template) was generated like:

https://#{FA_DOMAIN}/password/change/${changePasswordId}?tenantId=${user.tenantId}

In the newer versions of FA it was changed to:

[#assign url = "https://#{FA_DOMAIN}/password/change/${changePasswordId}?client_id=${(application.oauthConfiguration.clientId)!''}&tenantId=${user.tenantId}" /]
[#list state!{} as key, value][#if key != "tenantId" && key != "client_id" && value??][#assign url = url + "&" + key?url + "=" + value?url/][/#if][/#list]
${url}

The point is that with the new version we have extra parameters in the URL like client_id, redirect_uri and a few others. Everything works properly with the new syntax. If these new parameters are missing (I suppose the main issue is lack of the client_id) FA triggers error 500 after password reset (for the users that are not registered in the application that generated the password reset e-mail).

The most recent version of FA triggers a more detailed error message in the log than the previous one and this helped me a bit to track the problem:

2022-01-11 4:19:10.373 PM ERROR io.fusionauth.app.primeframework.error.ExceptionExceptionHandler - An unhandled exception was thrown
java.lang.NullPointerException: Cannot read field "oauthConfiguration" because "this.application" is null
   at io.fusionauth.app.action.oauth2.BaseOAuthAction.handleInteractiveLoginResponse(BaseOAuthAction.java:548)
   at io.fusionauth.app.action.oauth2.BaseOAuthAction.callLogin(BaseOAuthAction.java:447)
   at io.fusionauth.app.action.password.ChangeAction.post(ChangeAction.java:121)
   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
   at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at java.base/java.lang.reflect.Method.invoke(Method.java:568)
   at org.primeframework.mvc.util.ReflectionUtils.invoke(ReflectionUtils.java:414)
   at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.execute(DefaultActionInvocationWorkflow.java:79)
   at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.perform(DefaultActionInvocationWorkflow.java:62)
   at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
   at org.primeframework.mvc.validation.DefaultValidationWorkflow.perform(DefaultValidationWorkflow.java:47)
   at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
   at org.primeframework.mvc.security.DefaultSecurityWorkflow.perform(DefaultSecurityWorkflow.java:60)
   at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
   at org.primeframework.mvc.parameter.DefaultPostParameterWorkflow.perform(DefaultPostParameterWorkflow.java:50)
   at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
   at org.primeframework.mvc.content.DefaultContentWorkflow.perform(DefaultContentWorkflow.java:52)
   at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
   at org.primeframework.mvc.parameter.DefaultParameterWorkflow.perform(DefaultParameterWorkflow.java:57)
   at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
   at org.primeframework.mvc.parameter.DefaultURIParameterWorkflow.perform(DefaultURIParameterWorkflow.java:102)
   at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
   at org.primeframework.mvc.scope.DefaultScopeRetrievalWorkflow.perform(DefaultScopeRetrievalWorkflow.java:58)
   at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
   at org.primeframework.mvc.message.DefaultMessageWorkflow.perform(DefaultMessageWorkflow.java:44)
   at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
   at org.primeframework.mvc.action.DefaultActionMappingWorkflow.perform(DefaultActionMappingWorkflow.java:126)
   at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
   at org.primeframework.mvc.workflow.StaticResourceWorkflow.perform(StaticResourceWorkflow.java:97)
   at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
   at org.primeframework.mvc.parameter.RequestBodyWorkflow.perform(RequestBodyWorkflow.java:91)
   at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
   at org.primeframework.mvc.security.DefaultSavedRequestWorkflow.perform(DefaultSavedRequestWorkflow.java:64)
   at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
   at io.fusionauth.app.primeframework.CORSRequestWorkflow.perform(CORSRequestWorkflow.java:51)
   at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:51)
   at io.fusionauth.app.primeframework.FusionAuthMVCWorkflow.perform(FusionAuthMVCWorkflow.java:86)
   at org.primeframework.mvc.workflow.DefaultWorkflowChain.continueWorkflow(DefaultWorkflowChain.java:44)
   at org.primeframework.mvc.servlet.FilterWorkflowChain.continueWorkflow(FilterWorkflowChain.java:50)
   at org.primeframework.mvc.servlet.PrimeFilter.doFilter(PrimeFilter.java:78)
   at com.inversoft.maintenance.servlet.MaintenanceModePrimeFilter.doFilter(MaintenanceModePrimeFilter.java:63)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
   at com.inversoft.servlet.UTF8Filter.doFilter(UTF8Filter.java:27)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:196)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:364)
   at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:624)
   at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
   at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
   at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1650)
   at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
   at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
   at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
   at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
   at java.base/java.lang.Thread.run(Thread.java:833)

I'm not sure if this can be considered a bug in FA? What do you think?

BTW. Is this normal that if the kickstart file is used then no default email templates are generated at all?

@minhngocnguyenduy maybe using lambdas can help?

@joshua yes, I still have this issue on a few instances of FA while trying to change password for the user that is not registered in the specific application. If you're not able to reproduce this I can try to create a kickstart script to recreate the problem

@developers in your case the error message is pretty self-explanatory. The problem is just a lack of [[singleCase]user.password] message in your theme. Just add this message to your theme and it should work

@joshua any chance you had some time to look at this? Is this reproducible on your end?

@engineering-0 Try this:

users = []
for user in User.objects.all():
  user_data = {}
  ...
  encryption_scheme = "salted-pbkdf2-hmac-sha256"
  algorithm, iterations, salt, password_hash = user.password.split('$')
  salt = base64.b64encode(salt.encode('utf-8')).decode('utf-8')

  user_data['password'] = password_hash
  user_data['encryptionScheme'] = encryption_scheme
  user_data['factor'] = int(iterations)
  user_data['salt'] = salt
  users.append(user_data)

@psmiddy I've never heard about vitess but seems that your DATABASE_URL should point to vitess-test-8_0 not to localhost. Also, I think the port number can be just 33807 as it should be available internally in docker (ports: directive just publishes specific ports to localhost, eg. if you need to connect to docker from your desktop). Try:

DATABASE_URL: jdbc:mysql://vitess-test-8_0:33807/fusionauth

@fred-fred You can customize the templates (eg macro body in helpers.ftl) in your theme like this:

[#if application?? && application.name?? && application.name == "MyApp1"]
       this is myapp 1 login screen
[#elseif application?? && application.name?? && application.name == "FusionAuth"]
       this is FusionAuth login screen
[#else]
       this is something else
[/#if]

@joshua I think I've found the pattern to reproduce this issue.
Basically, it fails if the user I want to reset the password for is not registered in the application whose client_id is used during password reset flow. It works for the application where the user has a valid registration.

To reproduce:

Create new tenant: Tenant1
Create two Applications for Tenant1: application1 and application2 using https://example.com as redirect_uri
Create user: user1 for Tenant1
Create registration for user1 in application1
Open the authorize URL for application2 like:
https://<FUSIONAUTH_URL>/oauth2/authorize?client_id=<CLIENT_ID_OF_APPLICATION2>&scope=openid%20offline_access&response_type=code&redirect_uri=https%3A%2F%2Fexample.com&tenantId=<TENANT_ID>
Click Forgot your password
Check you e-mail and click the password reset link
Try to change the password
It should fail at this point.

You can now check the same for application1 (with the user registration) to see if it works.

I'm very curious if you can reproduce this too.

maciej.wisniowski

@maciej.wisniowski

Best posts made by maciej.wisniowski

Latest posts made by maciej.wisniowski