FusionAuth Forum

    Topics created by mark.robustelli

    • Solved: How can I get entity permissions into a JWT? (Q&A)

      This can be accomplished by using lambdas. You will want to create a lambda of type JWT Populate. The code will look something like this:

```javascript
function populate(jwt, user, registration) {
  // Call the FusionAuth API over the local port (see the note on 9012 below)
  var urlToFetch = "http://localhost:9012/api/entity/grant/search?userId=" + user.id;
  var response = fetch(urlToFetch, {
    method: "GET",
    headers: {
      "Content-Type": "application/json",
      // FusionAuth API key for the lambda's call; use a real long random value
      "Authorization": "this_really_should_be_a_long_random_alphanumeric_value_but_this_still_works"
    }
  });
  if (response.status === 200) {
    // Add the user's entity grants to the access token as a custom claim
    jwt.entityInfo = JSON.parse(response.body);
  } else {
    console.error("Error: " + response.status + " " + response.statusText);
  }
}
```

      Then go to your application in the admin UI and, under the JWT tab in the Lambda settings section, assign that lambda to the 'Access Token populate lambda'.

      A few things to keep in mind:

      Please note the use of port 9012 when calling the API from the lambda. From the documentation "Use port 9012, or the configured value for fusionauth-app.http-local.port, whenever making a FusionAuth API call in a lambda. Doing so minimizes network traffic contention and improves performance." As of this post, you will need the Essentials license for the HTTP Lambda Connect feature.
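The lambda above copies the whole Entity Grant Search response into the token. The example below is an added illustration, not the post's lambda or FusionAuth code: it trims that response down to entity id, type and permissions before it goes into `jwt.entityInfo`, and shows the resource-server check that reads the claim back. The response shape (a `grants` array with `entity`, `permissions` and `data` per grant) is what I assume the Entity Grant Search API returns; the sample response and entity ids are constructed.

```javascript
// Added example: compact an Entity Grant Search response for use as a JWT claim,
// then check a permission on the consumer side. Written in plain ES5 style so the
// first function can also run inside a FusionAuth lambda.

// Keep only what authorization decisions need; drop data blobs, names and timestamps.
function compactGrants(searchResponse) {
  var grants = (searchResponse && searchResponse.grants) || [];
  var out = {};
  grants.forEach(function (g) {
    if (!g.entity || !g.entity.id) return;
    out[g.entity.id] = {
      type: g.entity.type ? g.entity.type.name : undefined,
      permissions: (g.permissions || []).slice().sort()
    };
  });
  return out;
}
// Lambda-side usage would be: jwt.entityInfo = compactGrants(JSON.parse(response.body));

// Consumer side: after the JWT has been validated, check one permission on one entity.
function hasEntityPermission(claims, entityId, permission) {
  var info = claims && claims.entityInfo && claims.entityInfo[entityId];
  return !!info && info.permissions.indexOf(permission) !== -1;
}

// Constructed sample in the assumed Entity Grant Search response shape.
var sampleSearchResponse = {
  grants: [
    { id: 'g1', userId: 'user-1', insertInstant: 1700000000000,
      entity: { id: 'ent-a', name: 'Orders service', type: { id: 't1', name: 'API' } },
      permissions: ['write', 'read'],
      data: { note: 'bulky free-form data the token does not need' } },
    { id: 'g2', userId: 'user-1', insertInstant: 1700000000000,
      entity: { id: 'ent-b', name: 'Billing', type: { id: 't2', name: 'Ledger' } },
      permissions: ['read'], data: {} }
  ],
  total: 2
};

function demo() {
  var claims = { sub: 'user-1', entityInfo: compactGrants(sampleSearchResponse) };
  return {
    entityCount: Object.keys(claims.entityInfo).length,
    smaller: JSON.stringify(claims.entityInfo).length < JSON.stringify(sampleSearchResponse).length,
    canRead: hasEntityPermission(claims, 'ent-a', 'read'),
    canWrite: hasEntityPermission(claims, 'ent-a', 'write'),
    canDelete: hasEntityPermission(claims, 'ent-a', 'delete'),
    unknownEntity: hasEntityPermission(claims, 'ent-z', 'read')
  };
}
```

The compaction matters because access tokens travel on every request and often end up in cookies or headers with size limits; a user with many grants can otherwise produce a token that proxies reject.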
    • Solved: Register a user with FormidableLabs/react-native-app-auth (Q&A)

      So, to call the user registration form, one just needs to:

      1. Remove any calls to prefetchConfiguration()
      2. Pass every needed URL (authorize, token and logout endpoints) to a serviceConfiguration object
      3. Call the authorize() method but use the custom /oauth2/register endpoint

      Here's a sample code:

```javascript
import { authorize } from 'react-native-app-auth';

// Configuring FusionAuth
const fusionAuthConfig = {
  issuer: "your.fusionauth.url",
  clientId: "Your application's Client Id",
  redirectUrl: "com.your.app://oauthredirect",
  scopes: ["openid", "offline_access"],
  serviceConfiguration: {
    authorizationEndpoint: "https://your.fusionauth.url/oauth2/authorize",
    userRegisterEndpoint: "https://your.fusionauth.url/oauth2/register", // This will be used down below
    tokenEndpoint: "https://your.fusionauth.url/oauth2/token",
    endSessionEndpoint: "https://your.fusionauth.url/oauth2/logout",
  },
};

// And then, in your component, replace the URL in authorizationEndpoint
// with the one in userRegisterEndpoint and call authorize()
const config = {
  ...fusionAuthConfig,
  serviceConfiguration: {
    ...fusionAuthConfig.serviceConfiguration,
    authorizationEndpoint: fusionAuthConfig.serviceConfiguration.userRegisterEndpoint,
  },
};
const authState = await authorize(config);
```

      More detail can be found here: https://github.com/FusionAuth/fusionauth-issues/issues/2435

    • Solved: Password Reset Link Expired (General Discussion)

      It is likely that the link for the password has simply expired, meaning it will no longer work. There could be two possible explanations.

      1. You may want to review the timeouts that you have established for your Forgot Password workflows (Tenants > Your Tenant > Advanced > Change password) to ensure that you are satisfied with their duration.

      2. The user sent themselves two password reset emails in a row. The first password reset link sent would be invalidated (expired) when the second request for a password reset is submitted by the user. If the user then clicked on the first password reset link (in their inbox), then they would have seen an expired message.

    • What cloud provider do FusionAuth cloud instances run on? (General Discussion)

      They run in AWS.

    • Version Order (General Discussion)

      FusionAuth increments each release using semantic versioning.

      So after 1.5 comes 1.6, then 1.7, then 1.8, then 1.9, then 1.10, then 1.11.

      So 1.5 is about 40ish versions behind 1.47.1.
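The ordering above is the usual trap when a script or dashboard compares version strings: as text, "1.10" sorts before "1.5", which makes an instance look newer than it is when checking whether a fix is present. Added example (not from the post): numeric comparison of FusionAuth-style versions, and the count of minor releases between two of them.

```javascript
// Added example: compare semantic versions numerically rather than as strings.

// "1.47.1" -> [1, 47, 1]; a missing patch component is treated as 0.
function parseVersion(v) {
  var parts = String(v).split('.').map(function (p) { return parseInt(p, 10); });
  if (parts.length < 2 || parts.length > 3 || parts.some(isNaN)) {
    throw new Error('not a semantic version: ' + v);
  }
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Comparator usable with Array.prototype.sort: -1, 0 or 1.
function compareVersions(a, b) {
  var pa = parseVersion(a), pb = parseVersion(b);
  for (var i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when `current` already contains everything released in `fixed`.
function includesFix(current, fixed) {
  return compareVersions(current, fixed) >= 0;
}

// Number of minor releases between two versions on the same major line.
function minorReleasesBehind(current, latest) {
  var c = parseVersion(current), l = parseVersion(latest);
  if (c[0] !== l[0]) throw new Error('different major versions');
  return l[1] - c[1];
}

function demo() {
  return {
    stringOrderWrong: '1.10' < '1.5',            // true: text comparison gets it backwards
    numericOrder: compareVersions('1.10', '1.5'), // 1: 1.10 is newer
    behind: minorReleasesBehind('1.5', '1.47.1'), // 42 minor releases
    hasFix: includesFix('1.9', '1.10'),           // false: 1.9 predates 1.10
    sorted: ['1.47.1', '1.5', '1.10', '1.9'].sort(compareVersions)
  };
}
```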

    • Problem with entity search after copying Tenant (General Discussion)

      @mculley, did this work for you as well after you recreated the tenant again?

    • SAML v2 identity provider fails using RSA-SHA (General Discussion)

      JDK 17 turned off RSA-SHA1 XML signature support. It can be re-enabled by modifying java.security file in the JDK conf/security folder.

      This is addressed in the release notes and GitHub issue 1814.
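The setting in question is the `jdk.xml.dsig.secureValidationPolicy` property in `conf/security/java.security`, which lists the XML signature algorithms the JDK refuses. Added example (not from the post or FusionAuth): a small reader for that property that reports which algorithms are disallowed and produces the edited file text with only the rsa-sha1 entry removed. The `java.security` excerpt is a constructed, abridged approximation of a JDK 17 default, not a copy of any real file; the property name and the `disallowAlg` syntax are as I understand them.

```javascript
// Added example: inspect and edit jdk.xml.dsig.secureValidationPolicy in java.security.
var RSA_SHA1 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1';

// Constructed excerpt. java.security uses java.util.Properties syntax, where a
// trailing backslash continues the value on the next line.
var sampleJavaSecurity = [
  'security.provider.1=SUN',
  'jdk.xml.dsig.secureValidationPolicy=\\',
  '    disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\\',
  '    disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\\',
  '    disallowAlg http://www.w3.org/2000/09/xmldsig#sha1,\\',
  '    disallowAlg http://www.w3.org/2000/09/xmldsig#rsa-sha1,\\',
  '    maxTransforms 5,\\',
  '    minKeySize RSA 1024',
  'jdk.tls.disabledAlgorithms=SSLv3, TLSv1'
].join('\n');

// Minimal Properties parser: skips comments, joins continuation lines, splits on '='.
function parseProperties(text) {
  var props = {};
  var lines = text.split('\n');
  var i = 0;
  while (i < lines.length) {
    var line = lines[i++].trim();
    if (!line || line[0] === '#' || line[0] === '!') continue;
    while (line.endsWith('\\') && i < lines.length) {
      line = line.slice(0, -1) + lines[i++].trim();
    }
    var eq = line.indexOf('=');
    if (eq === -1) continue;
    props[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return props;
}

// Algorithms the policy disallows for XML signature validation.
function disallowedXmlDsigAlgs(text) {
  var policy = parseProperties(text)['jdk.xml.dsig.secureValidationPolicy'] || '';
  return policy.split(',')
    .map(function (s) { return s.trim(); })
    .filter(function (s) { return s.indexOf('disallowAlg ') === 0; })
    .map(function (s) { return s.slice('disallowAlg '.length); });
}

// File text with the rsa-sha1 entry removed and nothing else touched. The SHA-1
// digest entry stays disallowed; re-enabling SHA-1 signatures is a downgrade that
// only makes sense while an IdP cannot be moved to RSA-SHA256.
function allowRsaSha1(text) {
  var lines = text.split('\n');
  var idx = lines.findIndex(function (l) { return l.indexOf('disallowAlg ' + RSA_SHA1) !== -1; });
  if (idx === -1) return text;
  var removed = lines[idx].trim();
  lines.splice(idx, 1);
  // If the removed entry was the last continuation line, the previous line must stop continuing.
  if (!removed.endsWith('\\') && idx > 0 && lines[idx - 1].trim().endsWith('\\')) {
    lines[idx - 1] = lines[idx - 1].replace(/,?\\\s*$/, '');
  }
  return lines.join('\n');
}
```

Run `disallowedXmlDsigAlgs` against the real file before and after editing to confirm that only the one entry changed, and keep the edit in configuration management: a JDK upgrade replaces `java.security` and silently restores the default.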

    • Solved: Managed Domains Availability (Q&A)

      Managed domains are only available with the SAML and OIDC providers, not other kinds of identity providers (like Apple, etc)

      If you are interested in which features of FusionAuth are premium, please see FusionAuth Premium Features.

    • Solved: 2 step login (Q&A)

      You can achieve it by configuring an IdP with a managed domain.

      For example, you can configure an OpenID Connect IdP (it doesn't have to have real values) and configure a managed domain for something that won't match anything practical such as no-match-domain.com. If this IdP is enabled it will cause FusionAuth to ask for the email separate from the email address.

      *This will only work for SAML and OIDC IdPs, not other kinds like Apple, etc., as managed domains are not supported.

    • Solved: Get user.data Object Using oAuth Token (Q&A)

      Depending upon your use case, there are a few ways to get at that data.

      You can use a JWT Populate lambda to add additional claims to the JWT from values stored inside user.data. You can then access these claims in the JWT after you have validated and decoded it yourself. Or, if you use the FusionAuth UserInfo endpoint, we will return the claims in a JSON response after we validate the token.

      *Keep in mind that in the JWT Populate lambda you can add whatever you want. Any custom claims added to the JWT will then be returned by the UserInfo endpoint. In most cases it is better to keep the JWT small.

      You can use the OAuth2 access token (JWT) to retrieve the user with the User API. This will return the entire user object, including anything stored in user.data. This is done by making a GET request to the User API and providing the token in the Authorization header: Authorization: Bearer <encoded JWT>
    • Solved: Reverse Proxy - Problem with FusionAuth Server address (Q&A)

      Make sure you have these 4 headers in your proxy:

      Forwarded-Proto: typically this will be https. This ensures any redirects are sent with the appropriate scheme.
      Forwarded-Host: The original host requested by the client in the Host HTTP request header.
      Forwarded-For: The originating IP address of the client.
      Forwarded-Server: The hostname of the proxy server.
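Setting those headers is only half of the job: the proxy must also discard any forwarding headers the client itself sent, otherwise a client can choose the IP address FusionAuth records in its event log and rate limiting, or downgrade the scheme used in redirects. Added example (not from the post or FusionAuth): the header set a single edge proxy should hand to FusionAuth, built from the TCP-level facts it knows rather than from the request. It uses the conventional `X-Forwarded-*` names, which I assume are what the post's `Forwarded-*` refers to; the request is constructed.

```javascript
// Added example: compute the upstream headers for FusionAuth at a single edge proxy,
// replacing (never appending to) client-supplied forwarding headers.
function forwardedHeaders(clientHeaders, clientIp, proxyHostname, scheme) {
  var out = {};
  var host;
  Object.keys(clientHeaders).forEach(function (name) {
    var lower = name.toLowerCase();
    // Anything the client claims about forwarding is untrusted at the first hop.
    if (lower.indexOf('x-forwarded-') === 0 || lower === 'forwarded') return;
    if (lower === 'host') host = clientHeaders[name];
    out[lower] = clientHeaders[name];
  });
  if (!host) throw new Error('request has no Host header');
  if (scheme !== 'https' && scheme !== 'http') throw new Error('unexpected scheme ' + scheme);
  out['x-forwarded-proto'] = scheme;          // scheme the client used, so redirects keep https
  out['x-forwarded-host'] = host;             // original Host requested by the client
  out['x-forwarded-for'] = clientIp;          // client address from the TCP connection, not a header
  out['x-forwarded-server'] = proxyHostname;  // hostname of this proxy
  return out;
}

// Constructed request from a client that tries to spoof its own forwarding headers.
var spoofedRequestHeaders = {
  'Host': 'auth.example.com',
  'X-Forwarded-For': '10.0.0.1',
  'X-Forwarded-Proto': 'http',
  'Forwarded': 'for=10.0.0.1;proto=http',
  'User-Agent': 'curl/8.0'
};

function demo() {
  return forwardedHeaders(spoofedRequestHeaders, '203.0.113.7', 'proxy-1.example.com', 'https');
}
```

With more than one proxy in the chain, only the outermost one should replace these headers; inner hops append the previous hop's address to `X-Forwarded-For` and pass the rest through unchanged.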
    • Solved: Using Analytics to Track Registrations (Q&A)

      One option would be to use Events & Webhooks. Depending on what you want to track, you may be interested in the following events:
      - user.registration.create
      - user.registration.complete
      - user.registration.verified

      You could also enable the email verification gate. Then you could call your tracking event on this themed page, which would only be fired when the user exits the Email Verification gate as the result of completing their email verification during registration.

      Another option may be to add a UTM code to the redirect_uri used for self-service registration and consume that in your application as the result of a user completing registration.

    • Solved: Multi-Region Cloud Setup (Q&A)

      It depends on how you set up the database. FusionAuth only needs compute nodes (easy to have in multiple regions) and a PostgreSQL or MySQL database (which supports foreign keys, so things like PlanetScale are out). If you set up an active-active DB, it should work. Be sure to load test it and validate.

    • Solved: Passwordless API - Can you use the APIs to log in a user? (Q&A)

      Yes, if you have API access. Please find the documentation here: Passwordless APIs

      The process would go like this:

      1. Call Start /api/passwordless/start, capture the code.
      2. Call Login /api/passwordless/login with the code.
      3. Get a JWT and do with it what you normally would.

      For a Two Factor setup you would:

      1. Call Start /api/two-factor/start, consume the code.
      2. Call Login /api/two-factor/login with the code.
      3. Get a JWT.

      If the end user never needs to log themselves in, you may also consider:

      1. Assign a random application password to a user.
      2. Use that known password to call the Login API.
      3. Get a JWT!
      4. Optionally remove the application password if you want it to be a one time use password.

      This does have the issue of not creating an SSO session for the user, but that may not be a problem. (If someone logs in this way, and then goes to another application which has a login page managed by the 'hosted login pages' of FusionAuth, they won't be automatically logged in.)

    • Solved: Security Token Signature Key Not Found Exception: IDX10501: Signature validation failed. Unable to match key (Q&A)

      You will have to add the key to your FusionAuth instance as in this post.

      In the FusionAuth admin page, go to Settings --> Key Master

      Click "Generate EC key pair"

      Fill in the information - I used JWT Signature - Asymmetric RSA Key Pair (RS256) for the name

      Go to Applications in FusionAuth admin and select edit on your application.

      Select the JWT tab

      Select Enabled

      In the JSON web token settings select the key you created in the above step.