@leandro-menagonzalez Sorry - I was traveling for a bit and then under the weather.

Were you able to resolve this?

If not, my understanding is that this would be a mapping problem. Essentially, Google would have to be instructed to send over a profile pic url, and FusionAuth would consume that in the AuthN response. Further, a reconcile lambda can be used to grab this URL attribute and store on the user, etc. Let me know if I am misunderstanding the issue.

Josh

@dan said in I really want a client library for <language X>:

All of our client libraries are open source (Apache2 license). At present we use this open source project to build them.

If you are interested in support for a language (let's say Lisp, because it's so cool 🙂 ), then take the following steps:

Search our github issues to make sure there isn't already a request (see C++ and Elixir). If there is an issue present, vote for it. If not, add one.

If you want to take a crack at building the Lisp library, please file an issue as above and indicate your desire to help. How it works:

We start with a JSON DSL to define each API ( https://github.com/FusionAuth/fusionauth-client-builder/tree/master/src/main/api ). We then build the code using a template, for example, here is the ruby template : https://github.com/FusionAuth/fusionauth-client-builder/blob/master/src/main/client/ruby.client.ftl This ruby template then produces the ruby client: https://github.com/FusionAuth/fusionauth-ruby-client / https://github.com/FusionAuth/fusionauth-ruby-client/blob/master/lib/fusionauth/fusionauth_client.rb So for Lisp, find the language most like it and then copy the client template (here's Ruby's), copy it to lisp.client.ftl and start hacking on it. This lets us keep the Lisp client library current for each of the API calls and we can build a new client each time we release. I use these libraries all the time, thanks. But I'm still not up to the task. I'm still getting in the way of this crazy college thing. It's good that there is an essay service they help me quickly, but not for free, although they have 24/7 support.

I use these libraries all the time, thank you

If you want to use FusionAuth to secure access to an application (running in Docker or elsewhere) that doesn't have any security, you can use a proxy to do so.

The proxy sits in front of the application and all traffic should go through it. When it sees an unauthenticated user, it forwards that user to FusionAuth, where the user logs in and generates a token. Then the user is forwarded back to the proxy. The token is parsed by the proxy and if the token is valid the user gets access.

This can be done in concert with any proxy that supports JWTs and OIDC.

I've heard of this being done with HAProxy and Kong. Here's an HAProxy tutorial. Here's a Kong tutorial. Here are instructions on how to do this with ngrok cloud edge, which may be useful for the overall flow even if you don't use that software: https://fusionauth.io/docs/v1/tech/developer-guide/api-gateways/ngrok-cloud-edge

Hope that helps.

Hmmm. I'm not quite sure what is going on. Have you been able to debug this?

@atakan , you wrote the linked forum post, did you run into this?

FusionAuth doesn't use a local mail queue at all. It connects to whatever mail server you have set up at the tenant level.

Here are some troubleshooting tips to try: https://fusionauth.io/docs/v1/tech/admin-guide/troubleshooting#troubleshooting-email

@quent We have a list of typical cookies set by the hosted login pages here: https://fusionauth.io/docs/v1/tech/reference/cookies

@craiglistt What particular issues are you having?

@anand-murugan-0 I run FusionAuth in ECS/Fargate. I don't know about the clustering side, but to make standing up a FusionAuth instance automated I needed to do 2 things:

enable Silent Mode https://fusionauth.io/docs/v1/tech/guides/silent-mode which skips the first boot / migration page. This required passing in database credentials as env vars, so that Fusionauth doesn't need to ask you for them.

Use a kickstart.json to configure an API key https://fusionauth.io/docs/v1/tech/installation-guide/kickstart#using-environment-variables

Adding a kickstart.json file to a docker image in ECS is a bit non-trivial (either with EFS or S3). So I made my own Dockerfile:

FROM fusionauth/fusionauth-app:1.38.1 ARG FUSIONAUTH_APP_KICKSTART_VALUE ENV FUSIONAUTH_APP_KICKSTART_FILE=/tmp/kickstart.json RUN echo ${FUSIONAUTH_APP_KICKSTART_VALUE} > ${FUSIONAUTH_APP_KICKSTART_FILE}

When running docker build, if you pass in an argument like

docker build \ --build-arg FUSIONAUTH_APP_KICKSTART_VALUE="{\"apiKeys\": [{\"key\": \"42\" } ] }" \ .

will build and write out a /tmp/kickstart.json file and tell Fusionauth to look at that path when it starts up. NOTE: any random value would work, I picked 42 for simplicity, don't use this in Production.

With those 2 things, ECS will start a Fusionauth instance that doesn't prompt for initial installation (assuming you pass in db credentials as environment variable) and will

Hi Guys,
Your reply helped me as well. Thank you. I'm still struggling with the issue of rewriting /admin when using subpath.
When I click login icon I'm redirected with 302 to $host/admin not $host/fa/admin
This happened after I updated my FA.

location /fa/ { proxy_http_version 1.1; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Accept-Encoding ""; sub_filter 'action="/' 'action="/fa/'; sub_filter 'href="/' 'href="/fa/'; sub_filter 'href="/admin/' 'href="/fa/admin/'; sub_filter 'src="/images' 'src="/fa/images'; sub_filter 'src="/js' 'src="/fa/js'; sub_filter_once off; proxy_pass http://localhost:9011/; } location ~^/(?<fusionPath>(oauth2|admin|ajax|login|password|js/identityProvider))/ { proxy_pass http://127.0.0.1:9011/$fusionPath/; # https://fusionauth.io/docs/v1/tech/admin-guide/proxy-setup#how-to-use-a-proxy proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Accept-Encoding ""; sub_filter 'action="/' 'action="/fa/'; sub_filter 'href="/' 'href="/fa/'; sub_filter 'src="/images' 'src="/fa/images'; sub_filter 'src="/admin' 'src="/fa/admin'; sub_filter 'src="/js' 'src="/fa/js'; sub_filter_once off; }

the built-in domain blocking is documented here: https://fusionauth.io/docs/v1/tech/advanced-threat-detection/#registration-domain-blocking

However:

It only blocks specific domains so you can't block 'all domains except ' It requires an enterprise license

As an alternative, consider a registration transactional webhook which could examine the domain provided by a user and fail if it didn't match a list of your domains: https://fusionauth.io/docs/v1/tech/events-webhooks/events/user-registration-create

Proxy servers can store cached copies of sites. You will get the data from the proxy when you access a particular location.

@sander

Thanks for the update. We're bummed that we can't include the mysql connector as part of the docker image.

If FusionAuth is stuck in maintenance mode, this thread might prove useful: https://fusionauth.io/community/forum/topic/135/can-t-get-by-maintenance-mode

Can you give me any more details about the issue?

Hi @cgonzalez

Can you confirm how quickly you are completing the exchange for a token using the code?

"auth_code_not_found"

The code may not be available if:

It has expired or It as already been used to obtain a token.

Thanks,
Josh

@pclark

Just checking in, albeit a bit later than anticipated. Was this resolved for you on the latest version of FusionAuth

-Josh

@leandro-menagonzalez

This can be solved by using client-side validation in your theme for the corresponding forgot password page. On the authorize page you would pull in JS to check the users email in any manner you see fit.

https://fusionauth.io/docs/v1/tech/apis/themes
https://fusionauth.io/docs/v1/tech/themes/

Josh

@trevorr said in Password change deletes sessions?:

If possible in the future, it would be great to be able to control that per-password change. It's the right behavior for changing a potentially compromised password, but not for setting an initial password. Of course, my app could also revoke the refresh tokens explicitly.

Makes sense. Please feel free to open an GitHub issue outlining your use case: https://github.com/fusionauth/fusionauth-issues/issues

@dhait Yes.

You can create as many email templates as you want, typically using the admin UI or the email API: https://fusionauth.io/docs/v1/tech/apis/emails

Then, you assign them to tenants, using the Tenant admin UI or tenant API: https://fusionauth.io/docs/v1/tech/apis/tenants

You are probably going to be interested in the emailConfiguration object which has all the tenant email template Ids.