FusionAuth
    • R

      Unsolved Users being blocked - is it load or rate limiting and how to check?

      • • rob.aitken
      2
      1
      Votes
      2
      Posts
      595
      Views

      danD

      Hi @rob-aitken ,

      Thanks for using FusionAuth!

      If you are seeing a 429 and are using FusionAuth cloud, you are being rate limited by our web application firewall. Our rate limits are not publicly available and may change over time, but are pretty generous. I'd check to make sure you are calling FusionAuth appropriately and/or using exponential backoff when getting a 429.

      You can also file a support ticket using the account portal if that's helpful.

      More information here: https://fusionauth.io/docs/v1/tech/installation-guide/cloud#captcha-and-rate-limits

    • J

      Unsolved fusion auth not changing the value of cookies named with account.at, account.rt after logout

      • • jvadaliya
      2
      0
      Votes
      2
      Posts
      453
      Views

      danD

      @jvadaliya Hiya,

      I think you need to call the hosted backend logout endpoint to delete the cookies it sets.

      Thanks for using FusionAuth!

    • A

      Unsolved RBAC Access Control System Implementation with FusionAuth

      • • apetrescu
      2
      1
      Votes
      2
      Posts
      446
      Views

      danD

      @apetrescu Sounds like a fun problem!

      You are correct that entities are the best approach for this while staying entirely within FusionAuth. We don't have a lot of guidance on best practices around entities that I can share, unfortunately.

      Considering these challenges, we would greatly appreciate your guidance on how best to model FusionAuth to meet our needs. We would be particularly interested in any recommendations or best practices you can provide regarding Entity management, Permissions, and Role assignments.

      You might think about making an intermediate entity such as CompanyAbcAdminRole or CompanyAbcManagerRole, which would have permissions for admin or manager actions on CompanyAbc. Then you could atomically grant or remove CompanyAbcAdminRole to a user while leaving CompanyAbcManagerRole assigned.

      Additionally, we anticipate that a User may have access to a potentially large number of Companies within our application, potentially reaching hundreds of thousands. We are concerned about the practicality of including all these Permissions in the JWT (JSON Web Token). Could you please advise us on an effective approach for managing and including these Permissions in the JWT? What would be the alternatives or what are the best practices on this topic?

      Why would you need to do so? Is your user going to be accessing all the Companies at one time? In this case, I might offer the user the ability to choose a Company to 'enter' and create a JWT based on that action. You'd create a Company 'chooser' based on their grants to allow them to pick between the companies they know about.

      If you'd like to discuss this more, consider talking to our sales engineers.

      Another option is to, as you said, not use FusionAuth entities. You could instead use FusionAuth for authentication, then feed the resulting JWT into a solution like permit.io, cerbos or oso (or something home grown). You'd use that other system as the authorization solution.

      Hope this helps.

    • A

      Solved Does a user expiring trigger a user deactivate event?

      • • Alex Patterson
      2
      0
      Votes
      2
      Posts
      574
      Views

      A

      When a user expires, login will fail with a 410 status code, but we do not treat this as a user deactivation. We do not yet have an event for user expiration; it really only keeps the user from logging in.

      https://fusionauth.io/docs/v1/tech/events-webhooks/events/user-deactivate

    • A

      Solved Max Add Users to Group

      • • Alex Patterson
      2
      0
      Votes
      2
      Posts
      547
      Views

      A

      There are no hard limits as to the number of users you can add.

      If you notice any load spikes, you can always batch the work into multiple API calls.

    • A

      Solved Disable MFA for user via API

      • • Alex Patterson
      2
      0
      Votes
      2
      Posts
      554
      Views

      A

      This is possible using the user API.

      https://fusionauth.io/docs/v1/tech/apis/users

      First GET the current user and identify the two-factor method you want to disable. Below you can see where the twoFactor method has one called "authenticator".

      Example:

      {
        "user": {
          ...
          "twoFactor": {
            "methods": [
              {
                "authenticator": {
                  "algorithm": "HmacSHA1",
                  "codeLength": 6,
                  "timeStep": 30
                },
                "id": "35VW",
                "method": "authenticator"
              },
              ...

      Remove the object for "authenticator" and then make a PUT call against the same User object to update.

      https://fusionauth.io/docs/v1/tech/apis/users#update-a-user

      Please note:

      This will allow you to administratively remove a 2FA method from a specific user, and it will leave the recovery codes intact if there is at least one remaining 2FA method configured for the user. If you only have one configured method, and you remove it, the recovery codes will be cleared, and then re-generated next time you enable 2FA on the user.

    • A

      Solved Account Lockout custom message

      • • Alex Patterson
      2
      1
      Votes
      2
      Posts
      727
      Views

      A

      You can customize the message the user will be presented within the messages bundle of a theme (Themes > Your Theme > Edit > Messages). In this case, you will want to modify the following message key.

      [UserLockedException]=Your account has been locked. Please contact your system administrator.

      You can modify this message to your requirements:

      [UserLockedException]=FooBarBaz

      Your modification will be displayed to the end user.

      found variables for other messages displayed to the user as part of the Login Flow, but not for the Account Lockout Message.

      I find exporting the entire message bundle first (by "selecting all" <CTRL + A> from the admin UI) and then pasting the result in a code editor to find a message key is sometimes easier. We do have some adjacent documentation here.

      For reference only, our Theme API is also available here

    • danD

      Unsolved Can I store custom data on a tenant?

      • • dan
      2
      0
      Votes
      2
      Posts
      347
      Views

      danD

      Yes, just as you can store custom data on a user, you can store custom data on a tenant.

      It is the tenant.data field, as documented here.

      However, the tenant.data field differs from user.data in a number of ways:

        • it is not searchable
        • it is not retrievable in the populate JWT lambda, except by using Lambda HTTP Connect
    • danD

      Unsolved Checking password rules before submission

      • • dan
      3
      0
      Votes
      3
      Posts
      440
      Views

      danD

      This is now documented here: https://fusionauth.io/docs/v1/tech/themes/client-side-password-rule-validation

    • P

      Unsolved OIDC: Identity Provider doesn't recognize authorization code

      • • piotr
      2
      1
      Votes
      2
      Posts
      786
      Views

      danD

      @piotr

      1.30.1

      This is quite an old version of FusionAuth, just FYI.

      Why FusionAuth calls IdP's /oauth2/token before it calls my callback if it does not keep access/refresh tokens?

      FusionAuth does keep the refresh token.

      What is this 43-character code FusionAuth sends to the callback if I can't use it for anything? Most importantly, I can't use it for fusionauth.io/api/identity-provider/login.

      The login API and the Authorization code grant are two separate ways of logging the same user in. They have different strengths and weaknesses, but in general you can't move between them.

      You should be able to provide that 43 character code to the /oauth2/token endpoint and get back a response.

      Hope this helps!

    • F

      Unsolved Fusionauth error 403 forbidden

      • • filippachucki2000
      2
      1
      Votes
      2
      Posts
      746
      Views

      danD

      @filippachucki2000 It's hard to give advice without knowing more, but if you have a proxy, make sure it is correctly configured:

      https://fusionauth.io/docs/v1/tech/admin-guide/proxy-setup

      Did you end up resolving this?

    • V

      Unsolved Is it possible to change the UI of the fusion auth login page.

      • • vidur.punj
      2
      1
      Votes
      2
      Posts
      510
      Views

      danD

      Hiya @vidur-punj !

      Yup, you can do this with theming.

      More here: https://fusionauth.io/docs/v1/tech/themes/

    • J

      Unsolved Fusionauth with Pgbouncer

      • • johnmiller
      2
      1
      Votes
      2
      Posts
      815
      Views

      danD

      Hiya @johnmiller ,

      FusionAuth uses Hikari to handle connection pooling. I'm not familiar with how they interact, but this SO answer seemed useful: https://stackoverflow.com/questions/56581582/hikaricp-apache-dbcp2-and-pgbouncer

      If you are using PgBouncer, then you definitely don't need HikariCP around.

      But unfortunately, FusionAuth can't be configured not to use HikariCP.

      Can you explain why you need pgbouncer and how that's helping you?

    • G

      Unsolved redirect-url and authorization-url are mixed up even though settings are correct (Spring Boot application)

      • • gregorio
      2
      1
      Votes
      2
      Posts
      580
      Views

      danD

      Hiya @gregorio ,

      Hmmm. That seems really weird. Did you ever sort this out?

    • G

      Unsolved Hosting using a shared hosting plan with a company like ionos

      • • gcasson-ceo
      2
      1
      Votes
      2
      Posts
      387
      Views

      danD

      @gcasson-ceo

      I'm not familiar with Ionos, but if you can run a database and the OS is Linux, Windows or Mac, you should be able to run FusionAuth.

      Reading the system requirements will help you determine if the Ionos shared plan offers enough RAM and other resources: https://fusionauth.io/docs/v1/tech/installation-guide/system-requirements

    • C

      Unsolved java.lang.NullPointerException: Cannot read field "multiFactorConfiguration" because "<parameter1>" is null

      • • carlnapiercook
      2
      1
      Votes
      2
      Posts
      1.2k
      Views

      danD

      @carlnapiercook Hmmm. Sorry about this.

      Did you solve this? Can you recreate on a later version of FusionAuth?

    • D

      Unsolved Can't edit redirect URL for OpenID Connect

      • • dobritos11
      2
      1
      Votes
      2
      Posts
      1.8k
      Views

      danD

      Hiya @dobritos11 !

      I assume you mean 1.32.1 as the version. Please let me know if I'm incorrect.

      Which screen are you trying to edit the redirect URL from?

      Any steps documenting what you are trying to do that you can provide would be helpful.

    • A

      Unsolved SAML api

      • • alec.kustanovich
      2
      1
      Votes
      2
      Posts
      5.4k
      Views

      danD

      @alec-kustanovich I'm not quite sure what you are asking for here.

      Are you talking about how to create the link to the SAML identity provider outside of FusionAuth?

      Or are you talking in particular about the code that is provided to you at the end of the start API call, as documented here: https://fusionauth.io/docs/v1/tech/apis/identity-providers/samlv2#start-a-saml-v2-login-request

    • U

      Unsolved Implementing Authentication in WPF

      • • udayvignan.varma
      2
      0
      Votes
      2
      Posts
      411
      Views

      mark.robustelliM

      @udayvignan-varma Can you let us know what Callback URL you are trying to use? Also do you have the correct authorized URLs set up in your application in the development environment? Is there any more information available with the responses you are seeing?

    • B

      Unsolved Importing users from Fusion Auth to KeyCloak

      migration migrate users keycloak • • benjamin
      6
      1
      Votes
      6
      Posts
      1.3k
      Views

      danD

      @benjamin Hmmm.

      I'm not quite sure what the issue is, because we do specify salted-pbkdf2-hmac-sha256-512 in the import script:

      https://github.com/FusionAuth/fusionauth-import-scripts/blob/master/keycloak/import.rb#L151

      The migration guide says:

      "The encryptionScheme for this plugin is salted-pbkdf2-hmac-sha256-512."

      So when you write:

      Hello Dan, I found the fix, at least for my test instance, seems that pbkdf2-sha256 maps to salted-pbkdf2-hmac-sha256 rather than salted-pbkdf2-hmac-sha256-512.

      Do you mean that pbkdf2-sha256 is the value from Keycloak and it only worked when you used salted-pbkdf2-hmac-sha256 in FusionAuth, or something else?

      What version of Keycloak are you migrating from?