fusionauth / fusionauth-site Goto Github PK

i'm wondering about the relationship between User.verified and Registration.verified for that same user. Also Registration.skipRegistrationVerification vs Registration.skipVerification.

• It would seem that user verification means we know their email address is verified, and that registration verification means that the user confirms that they have indeed initiated the registration.
• If a registration requires verification, does a user's clicking the registration verification link implicitly set User.verified to True as well, since that was the email address for the registration? The docs indicate something similar for Registration.sendSetPasswordEmail
• would requiring registration verification and email verification send two separate emails to the user?
• What effect, if any, does Registration.verified have, if false? Should it prevent a login?

For reference, i'm looking at:

User.verified (source):

Whether or not the User’s email has been verified.

Registration.verified (source):

This value indicates if this User’s registration has been verified.

Registration.skipRegistrationVerification (source):

Indicates to FusionAuth that it should skip registration verification even if it is enabled for the Application.

Registration.skipVerification (source):

Whether or not email verification should be skipped or not. In some cases, you might want to verify User’s emails and in other cases you won’t. This flag controls that behavior.

I am trying to integrate the Azure AD integration. I followwed the guide that is mentioned here - https://fusionauth.io/docs/v1/tech/identity-providers/openid-connect/azure-ad

I can see "Login with Azure" button on login page. When I do click that:

1. I redirect to the Azure login page.
2. I enter my credentials.
3. I redirect back automatically to FusionAuth page (at "/oauth2/callback") with query strings - code, state and session_state. State query string is having following encoded values:

- client_id=<Some Guid>&
- code_challenge=tNh57rNR_z11CoKMGrHyWJiJns2DGCQwcIqAwGelDdE&
- code_challenge_method=S256&
- metaData.device.name=Windows Chrome&
- metaData.device.type=BROWSER&
- nonce=VXZ1NkhYcEczZ0hUWllFc3NQeE44Ql9CZWtmekN4S05CN2VGSlN4aEYxLXF-&
- redirect_uri=<application url>&
- response_mode=&
- response_type=code&
- scope=openid profile offline_access&
- state=VXZ1NkhYcEczZ0hUWllFc3NQeE44Ql9CZWtmekN4S05CN2VGSlN4aEYxLXF-&
- tenantId=<Some GUID>&
- timezone=Asia/Calcutta&
- user_code=&
- identityProviderId=<Some Guid>

I get this error redirection (to "/oauth2/callback") page:

{
  "error" : "invalid_request",
  "error_description" : "The request is missing a required parameter: redirect_uri",
  "error_reason" : "missing_redirect_uri"
}

Please assist.

The following API links appear to be broken on this page: https://fusionauth.io/docs/v1/tech/tutorials/identity-providers/

• Identity Providers
• Lookup
• Reconcile

Doc page:
https://fusionauth.io/docs/v1/tech/identity-providers/openid-connect/azure-ad

I believe we have a customer that has gotten Azure AD 2.0 configured using OpenID Connect. We can attempt to recreate the configuration and then ensure our documentation is up to date.

See FusionAuth/fusionauth-issues#153 (comment)

Problem

In the admin UI you can action a user with an email template that is not designed to send directly - and instead is only meant to be sent through the Change Password workflow.

When you configure an action with the Change Password template, it fails silently because it cannot be rendered without a changePasswordId.

Solution

FusionAuth could render this template as part of validation, or synchronously render it to ensure it will be able to be sent so we can provide a meaningful error in the UI. Perhaps as simple as, The requested email template failed to render properly, see the Event Log.

Original title

Replacement variables configured in email templates throw an Exception

Original Issue

Hello,

I am having an issue with the replacement variables changePasswordId and verificatoinId for email templates.

I tried to follow the instructions described here: https://fusionauth.io/docs/v1/tech/email-templates/email-templates

My fusionauth DB is compatible with version 1.7.1 and my server is running on FusionAuth™ version 1.7.2

When I try to send an e-mail through an User Action that is configured to use an e-mail template, I have the following error:

fusionauth_1  | Aug 27, 2019 2:06:34.637 PM ERROR io.fusionauth.api.util.EmailTools - An [Error] EventLog with Id [16] was created.
fusionauth_1  | {
fusionauth_1  |   "id" : 16,
fusionauth_1  |   "insertInstant" : 1566914794630,
fusionauth_1  |   "message" : "Email send failure. See reasons below.\n\nRender Errors\n---------------\nhtml : freemarker.core.InvalidReferenceEx
ception: The following has evaluated to null or missing:\n==> changePasswordId  [in nameless template at line 14, column 58]\n\n----\nTip: If the
failing expression is known to legally refer to something that's sometimes null or missing, either specify a default value like myOptionalVar!myDe
fault, or use [#if myOptionalVar??]when-present[#else]when-missing[/#if]. (These only cover the last step of the expression; to cover the whole ex
pression, use parenthesis: (myOptionalVar.foo)!myDefault, (myOptionalVar.foo)??\n----\n\n----\nFTL stack trace (\"~\" means nesting-related):\n\t-
 Failed at: ${changePasswordId}  [in nameless template at line 14, column 56]\n----\n\n",
fusionauth_1  |   "type" : "Error"
fusionauth_1  | }
fusionauth_1  | Aug 27, 2019 2:22:59.170 PM ERROR io.fusionauth.api.util.EmailTools - An [Error] EventLog with Id [17] was created.
fusionauth_1  | {
fusionauth_1  |   "id" : 17,
fusionauth_1  |   "insertInstant" : 1566915779164,
fusionauth_1  |   "message" : "Email send failure. See reasons below.\n\nRender Errors\n---------------\nhtml : freemarker.core.InvalidReferenceEx
ception: The following has evaluated to null or missing:\n==> verificationId  [in nameless template at line 14, column 58]\n\n----\nTip: If the fa
iling expression is known to legally refer to something that's sometimes null or missing, either specify a default value like myOptionalVar!myDefa
ult, or use [#if myOptionalVar??]when-present[#else]when-missing[/#if]. (These only cover the last step of the expression; to cover the whole expr
ession, use parenthesis: (myOptionalVar.foo)!myDefault, (myOptionalVar.foo)??\n----\n\n----\nFTL stack trace (\"~\" means nesting-related):\n\t- F
ailed at: ${verificationId}  [in nameless template at line 14, column 56]\n----\n\n",
fusionauth_1  |   "type" : "Error"
fusionauth_1  | }

This is my e-mail template:

<style>
  body {
    font-family: "arial", Sans-Serif;
  }
</style>


<p>
Dear user,
</p>


Click on the following link to reset your password.
<p><a href="https://mydomain.com/password/change/${changePasswordId}">https://mydomain.com/password/change/${changePasswordId}</a></p>


After you have reset the password, please sign in to :
  <p><a href="https://myapp.com">https://myapp.com</a></p>

<p>
If you have any questions, please reply to this mail.
</p>
<p>
Kind regards,
</p>
<p>
Support Team

</p>

When I sent an e-mail though an User Action with templates without the replacement variable changePassowrdId, it works. I successfully receive the message.

Maybe I forgot to configure something?

Best regards,
Bruno.

Description

Make docker install clearer that if using prod mode how to manage schema updates. Currently it just says you'll need to manage it.

We could point them at the advanced install guide where it describes how to manage the schema and were to download the schema.

There are several rendering issues when using Microsoft Edge.

Tested with Windows 10 (10.0.17763.134), Edge version 44.17763.1.0

1. Tab layout
2. Scroll bars on the install commands
3. Scroll bars in the documentation nav
4. Scroll bars in the documentation FastPath

See attachments

Opened from comments to #129

    <style>
      /* Mobile layout overflow, we could move this into fusionauth-style */
      a, code {
        word-break: break-all;
      }
    </style>

This causes weird breakage on the desktop site. See screenshot where the link 'identity provider' splits in the middle of a word:

Should move this style to fusionauth-style and have it only apply on mobile devices.

Missing

• deviceCodeTimeToLiveInSeconds
• deviceUserCodeIdGenerator
• Add since flags

Others? Not sure, do a quick audit.

https://fusionauth.io/docs/v1/tech/lambdas/jwt-populate says:

Once a lambda is created, you must assign it to an Application or Tenant. See the JWT tab in the Application and Tenant configuration.

But i don't see any lambda assignment option in the Tenant configuration; only in the Application configuration

v1.15.8

Hello,

I need to integrate nyc.id for my application using FusionAuth as the service provider. nyc.id needs the meta data of the service provider. I do not see any option in FusionAuth to download that.
Please guide on how nyc.id SAML IDP can be integrated through FusionAuth

Applications related API endpoints documentation misses application.passwordlessConfiguration.* description.

As of now, there is no information on the website which explains User Actions on a conceptual level. There is only a set of API's (see below) which are insufficient in explaining the usage of this feature/features.

Current pages:

• Actioning Users API
• User Actions API
• User Action Reasons API

Looks like many of the examples on this page are missing: https://fusionauth.io/docs/v1/tech/oauth/overview

I was trying to click on the 'Example Implicit Grant' which goes here https://fusionauth.io/docs/v1/tech/oauth/overview#example-resource-owner-password-credentials-grant which seems to be missing completely on that page. No real implicit grant examples.

From my personal expierence and questions from team mates I would consider that there might be more people interested in a FAQ section on the FusionAuth website. There are so many good blog articles, like https://fusionauth.io/blog/2019/03/06/keycloak-fusionauth-comparison ... it might be worth extracting some facts answering common questions like why is FusionAuth is not open-source, what are the advantages / disadvantages, link to support plans etc.

https://fusionauth.io/docs/v1/tech/apis/identity-providers/overview

Missing link to SAML v2

The release notes toc is a bit different then the other sub menu navs.

Here is how I think the liquid template should be built

<li {% if page.url == "/docs/v1/tech/release-notes.html" %}class="open"{% endif %}>
  <a href="#" class="sub-menu"><i class="fal fa-fw fa-list-ol"></i> Release Notes <i class="fal fa-chevron-{% if page.url == "/docs/v1/tech/release-notes.html" %}up{% else %}down{% endif %} fa-fw"></i></a>
  {% if page.showreleasetoc == 1 %}
  <div id="releasenotestoc">
    {{ page.document | tocify_asciidoc }}
  </div>
  {% endif %}
</li>

This would work if we can control the HTML that is produced by the tocify_asciidoc- not sure where or how that is built.

I wonder if there is a better way to build this, the nav gets crazy tall when we expand this, and it is only going to get worse.
We could make a select box on the release notes page and on select it scrolls to the correct version. We could do that entirely in JavaScript if we want.

This issue is relate to this page in the 14.2 Response section (table 48). If the request has a correct API Key, loginId and is not using changePasswordId it is unclear that the cause of a 404 is because the currentPassword is incorrect.

The search results from the docs pages ( https://fusionauth.io/docs/v1/tech/ ) should be navigable without using the mouse.

We have Zendesk login enabled in our production, we can easily build out an example tutorial.

Add a Zendesk section here: https://fusionauth.io/docs/v1/tech/samlv2/

Although the humor of a "super secure" reverse password hashing class is great, reality oftentimes is that people blindly copy code. I would suggest to include a serious password hashing/encryption example instead and not make "super secure" but actually very insecure examples. Thanks!

Page to update is
https://fusionauth.io/docs/v1/tech/plugins/password-encryptors

Hello,
I've a docker with fusionauth. I've created a theme but I cannot see where associate it to application. Can you help me?

In the docs on the return result for fetching all lambdas (here: https://fusionauth.io/docs/v1/tech/apis/lambdas#retrieve-a-lambda), the docs show an array of objects which have an additional nested lambda object. I was happy to see is NOT the case, as shown by the result of the api call below. This is a much better-shaped response, but the api docs should be updated.

{ lambdas: [
  {
    body: '// Using the user and registration parameters add additional values to the jwt object.\r\n' +
      'function populate(jwt, user, registration) {\r\n' +
      "  //  When writing a lambda we've added a few helpers to make life easier.\r\n" +
      "  //  console.info('Hello World');         # This will create an EventLog of type Information\r\n" +
      "  //  console.error('Not good.');          # This will create an EventLog of type Error\r\n" +
      "  //  console.debug('Step 42 completed.'); # This will create an EventLog of type Debug\r\n" +
      '  //  \r\n' +
      '  //  To dump an entire object to the EventLog you can use JSON.stringify, for example: \r\n' +
      '  //  console.info(JSON.stringify(user)); \r\n' +
      '\r\n' +
      '  // Happy coding! Populate your JWT here.\r\n' +
      '  \r\n' +
      "  jwt.name = user.firstName + ' ' + user.lastName;\r\n" +
      '}\r\n',
    debug: false,
    enabled: true,
    id: '90e4f6ff-8377-42f7-b1b0-7efed409d851',
    insertInstant: 1583358212988,
    name: 'jwt-populate',
    type: 'JWTPopulate'
  }
] }

Just like we have for images, it'd be nice to have an include to ensure all our code blocks were consistent, had a caption, had an associated language.

This seems like a useful starting point: https://hblok.net/blog/posts/2016/10/23/jekyll-include-partial-snippets-of-code/

In two places, things are cut off. See attached screenshots.

This is using Firefox on desktop, with the mobile view devtool setting.

Also tested on chrome and firefox on a real android phone and saw similar issues.

It seems that the documentation for /api/tenants is not reflecting some of recent changes.
Missing elements are (there might be more):

tenant.externalIdentifierConfiguration.changePasswordIdGenerator
tenant.externalIdentifierConfiguration.emailVerificationIdGenerator
tenant.externalIdentifierConfiguration.passwordlessLoginGenerator
tenant.externalIdentifierConfiguration.registrationVerificationIdGenerator
tenant.externalIdentifierConfiguration.setupPasswordIdGenerator
tenant.issuer
tenant.jwtConfiguration

I understand those elements have been moved from "System configuration" to the tenant level.
In the meantime, the API error messages are helpful enough to be able to work with tenants via the API.

Edit: This is for version 1.9.2

Our YouTube videos don't size real well for mobile. This may be only in docs, note sure.

For example, the HYPR video added under #203 is one example.

Local URL: https://site-local.fusionauth.io/docs/v1/tech/identity-providers/hypr
Public URL: https://fusionauth.io/docs/v1/tech/identity-providers/hypr

We will likely need to add some style to fusionauth-style to handle these better.

On the page https://fusionauth.io/docs/v1/tech/apis/groups
the request body should refer to "group.name" instead of "gropup.name"

According to the documentation https://fusionauth.io/docs/v1/tech/apis/jwt#refresh-a-jwt it should be possible to refresh a (valid) refresh token with the help of:

curl --request POST \
  --url http://localhost:9011/api/jwt/refresh \
  --header 'authorization: -mz.....oc_x0pBniIn-eaXJsF-w....U' \
  --header 'content-type: application/json' \
  --data '{
	"refresehToken": "Zg.....OC-Jf9......................vIQ"
}'

... but a HTTP Status 404 (not found) is returned.

NOTE: I tried with and without Authorization Header (ApplicationID should not be required if I interpret the documentation properly).

Create as many API keys are you like...

Create as many API keys as you like...

This API section should document the login API, similar to the rest of the types that have a Complete the Facebook Login Request section.
https://fusionauth.io/docs/v1/tech/apis/identity-providers/external-jwt

This should more/less be the same as the JWT Reconcile doc.
https://fusionauth.io/docs/v1/tech/apis/jwt#reconcile-a-jwt

WE could review this and decide if we want to fully deprecate the JWT Reconcile API since it just calls through to the IdP Login API. This API was a legacy API prior to IdPs.

On the openid connect config the doc shows the client secret parm as required. It is optional.

In the 8. Update a User Consent API docs, POST is listed as one of HTTP methods available for user consents alteration. Based on the expirience with the API, I believe that PUT should be mentioned instead of POST in this place.

https://fusionauth.io/blog/2018/10/24/easy-integration-of-fusionauth-and-spring
https://github.com/FusionAuth/fusionauth-spring-security-example

I deploy the example and it works well. According to my company software situation,
based on the example, I changed the Spring Boot version to 1.5.x and the 401 error happened.

Please give me some advice！

Links inside "Tenants & Apps" are broken.

To automatically handle this in the future, I suggest using a Link Checker service, which will periodically scan your site for broken links. (some services may also provide SEO suggestions, etc.)

I tested with Chrome and Firefox on android, but it also shows up if you decrease a desktop browser to a mobile form factor.

Replication steps.

• go to https://fusionauth.io/ in a mobile browser
• click on the hamburger menu in the upper right corner

Expected:

• shown menu

Reality:

• goes to page with no text or links, see attached.
  

"Table 4. Request Body" in application creation API documentation does not contain details on application.roles[x].isSuperRole field.

i would have appreciated some more guidance configuring a SAML v2 Identity Provider for Azure AD (not ADFS). Here's what i've done so far, to check my assumptions, and in case anyone else is trying to do the same:

Ref: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-single-sign-on-non-gallery-applications

• installed FusionAuth (1.15.2) and made it available over DNS (i used ngrok to connect localhost:9011 to a reserved subdomain, for the time being)
• configured an Azure Enterprise ("non-gallery") application with SSO support via SAML v2. The "Single sign-on" page looks something like this:
  1. Basic SAML Configuration
     • Identifier (Entity ID): used FusionAuth issuer (see below)
     • Reply URL: used FusionAuth SAML callback/ACS URL (see below)
  2. User Attributes & Claims
     • not sure yet how to best configure assigning user.email and user.principalname to SAML claim names
  3. SAML Signing Certificate
     • downloaded base64 key, added it in FusionAuth Key Master
  4. Set up {appname}
     • noted Login URL
  5. Test single sign-on with {appname}
     • this lands me at /samlv2/acs with an error looking like:

       {
         "error" : "invalid_request",
         "error_description" : "The request is missing a required parameter: redirect_uri",
         "error_reason" : "missing_redirect_uri"
       }

       That looks like an OAuth error, so i'm assuming this means the Azure test doesn't follow up with an adequate OAuth flow?
• configured a FusionAuth Identity provider of SAML v2 type
  • IdP endpoint: used Enterprise app Login URL (from step iv. above)
  • Verification key: used key created in FusionAuth Key Manager from step iv. above)
  • noted ACS and Issuer for Enterprise app config (for step i. above)

i do have this working for the FusionAuth app (it creates the user, but auto-registration isn't supported) - after i create the registration manually, i can see that it works.

Is SAML v2 Logout URL supported in FusionAuth's SAML configuration?

How should i handle mapping user attibutes and claims? What claims are FusionAuth expecting?

Am i on track with my assumptions about the response to the Enterprise App SSO test's response?

Hi,
if I use the API to login (POST /api/login, with or without applicationId) I get with the registrations for all applications the user is registerded to. For security reason I want

1. applicationId mandatory for request or without this Id no registrations are send
2. in the response object only the information belonging to this application

An application should not be interested neither if the user is registerd for other applications nor what roles he has in these foreign applications. For us this is a mandatory security feature.

Is there a possibility to configure fusionAuth so this behavior can achieved?

knut

Consent API endpoints documentation lacks the description of User Consent retrival. I have found out that I can retrieve such information with requests such as

GET /api/user/consent/{userConsentId}

or with more useful request such as

GET /api/user/consent/?userId={userId}

Since the behaviour is not documented, one cannot be sure if the API will not be a subject to rapid changes. Also, based only on the documentation, there is no way to retrieve user consent data at all.

/docs/v1/tech/installation-guide/server-layout
https://fusionauth.io/docs/v1/tech/installation-guide/server-layout
we could use plant UML, or just some hand build graphics, etc? I want to it look nice, and ideally easy to adjust.

https://fusionauth.io/docs/v1/tech/identity-providers/google

Before the Create a Google Identity Provider section, we need to instruct the user to whitelist their domain.

Creating a localization for email templates does not work when using none latin based languages such as chinese, japanese and korean.

These characters after saving turns into "?" in the database. The database field collation unicode is correct though.

The step to reproduce:

1. create localization
2. save the localization
3. save the email template
4. open it up again, all unicode characters becomes ?

https://fusionauth.io/docs/v1/tech/reactor

The docs for creating a theme (https://fusionauth.io/docs/v1/tech/apis/themes#create-a-theme) don't include details for the response body like all the other api docs.

There is high level "Sign in with Apple" doc here: https://fusionauth.io/docs/v1/tech/identity-providers/apple

But no corresponding API level documentation page here: https://fusionauth.io/docs/v1/tech/apis/identity-providers/

Unsure if that is intentional.

Retrieve Refresh Tokens API call documentation misses the description of refreshTokens[x].startInstant and refreshTokens[x].metaData.scopes response entity attributes.

i'm not sure whether there is a problem with the documentation per se, but i am surprised at some behavior of FusionAuth based on my comprehension of the documentation, and i'd like to validate my understanding of expected behavior.

First, i'm wanting an ID token with the applicationId as a claim, beginning with an unauthenticated user who will be providing their username and password. Assume the tenantId and applicationId are known. It appears that i cannot get such a JWT at POST /api/login (with tenantId set in a header) since that initial request with username/password in the body call will not be authenticated. However, with the ID token in the login response, i can make an authenticated GET /api/jwt/issue?applicationId={applicationId} to get one.

Is that the simplest route possible (two requests)?

Second, regarding an ID token populate lambda, i have not been able to see the claims transformed in the following cases (having selected the lambda at both the tenant and the application level):

• in the token returned by GET /api/login with the tenant header set
• in the token returned by POST /api/jwt/issue with the applicationId query param set, regardless of whether "JWT" toggle is enabled at the application level.

Default tenant, and default application, initially, but then i created a new application in that tenant and had the same behavior.

In what case(s) should i see the ID token claims be transformed by a lambda? Where should i find console logs? i'm not seeing them in the container stdout for any level (error/info/debug). [EDIT]: i did find a log for a lambda invocation at /admin/system/event-log/

Here is the lambda, as a sanity check:

function populate(jwt, user, registration) {
  jwt.foo = "bar";
}

FusionAuth 1.15.4

Should do the following:

• review and update all the comparisons with other tools
• add some more comparisons to azure ad b2c, ory, supertokens/clerk
• move them to pages

Original body

Per this tweet: https://twitter.com/GluuFederation/status/1256311162859253760

should review the Gluu comparison blog post: https://fusionauth.io/blog/2019/07/16/gluu-fusionauth-compare-identity-management-solutions

Please add LDAP as an identity provider.

So far the I like the look and feel but can’t use it. I would like to deploy this into customers’ sites, but they don’t run ADFS, they have AD or LDAP.