An update! The client credentials grant is now available in paid editions of FusionAuth.

Here is the documentation:

https://fusionauth.io/docs/v1/tech/oauth/#configure-entities

https://fusionauth.io/docs/v1/tech/oauth/#example-client-credentials-grant

Did you ever find a solution @developer ?

For the first issue, did you turn off client authentication in the FusionAuth application OAuth tab?

And now it works fine with 152 threads connected, so unable to reproduce this.

I'll keep an eye out for this behavior and file an issue if it pops up again.

For the record:

FusionAuth 1.27
installed via zip file
Mysql 8.0.23 installed/managed via homebrew on the mac.

We were working on getting it documented and it shipped yesterday. Sorry for the delay!

https://fusionauth.io/docs/v1/tech/apis/entity-management/ outlines all the relevant APIs, including entity CRUD.

You might also be interested in the client credentials grant, one of the main use cases:

configuring entities for the client credentials grant: https://fusionauth.io/docs/v1/tech/oauth/#configure-entities an example client credentials grant: https://fusionauth.io/docs/v1/tech/oauth/#example-client-credentials-grant

@Moonshine,

Glad you found it in our UI!

Thanks,
Josh

No, it is more like terminating an EC2 instance. All data is lost.

If you have user data you'd like to retain, please request a database dump before destroying your deployment.

Posting here in addition to GitHub: The issue for me was that the signing key didn't have the right Apple-provided key identifier, which goes in the kid field of the client_secret JWT header. Recreating the private key with that identifier fixed the issue.

A couple of options:

You could optionally configure a different template for each tenant so you could hard code the correct URL in each template.

You could also add the correct URL to the tenant.data and then pull it out in the template during render so you could use the same template across tenants.

If the state parameter is working well for you for other APIs, you could open a feature request in GH to add this to the API in question.

You're getting an error during Tomcat startup while trying to bind 9011. FusionAuth will bind 9011 by default, so if you have anything else listening on that port startup will fail.

You can shut down anything else using that port, or change the default port FusionAuth is using so that you don't conflict with other valid services on the system.

See the config reference for changing the ports. ( FUSIONAUTH_APP_HTTP_PORT )
https://fusionauth.io/docs/v1/tech/reference/configuration/

❗ Move slowly - make sure to fully decouple production and dev instances. Some pointers or guideposts--

Assuming you're running on your own infrastructure.

Clone the production FusionAuth DB Point a new dev installation to it Caveats: If you have webhooks enabled that may start making requests out to prod infrastructure from a new “dev” instance. If you do have webhooks, you could start it up air-gapped and then disable everything that could contact an external system before you enable outbound traffic. As long as the dev instances are the same version or greater it should work. You wouldn’t be able to attach the db to an instance running an older version than the schema.

@vignesh,

There are a lot of potential issues that could be at play. Any additional information about your configuration/error logs might be helpful. Also, have you reviewed our documentation here regarding passwordless?

Also, as a quick take, you could install something like Mailcatcher to further check to see if the mails are even being sent.

Thanks,
Josh

Referencing/linking updated conversation here:
https://fusionauth.io/community/forum/topic/973/fusion-auth-upgrade-failing-user-registration?_=1619623366378

Hi @erikh!

Welcome to the FusionAuth Community!

I might need more details, as I have only a functional familiarity with Docker and container orchestration. As I understand it, NTP is a service that can be added to your container. But like I said, I might need more context to fully understand your issue. A quick look through the Dockerfile and docker-compose does not show any timeserver options being enabled.

Any other details about what you have tried, potential pitfalls that you are seeing, or errors may be useful.

I am also posting here (perhaps perfunctorily), the available documentation on FusionAuth for docker installation:
https://fusionauth.io/docs/v1/tech/installation-guide/docker/

The repo supporting FusionAuth containers is here:
https://github.com/FusionAuth/fusionauth-containers

The docker files are here as well:
https://github.com/FusionAuth/fusionauth-containers/blob/master/docker/fusionauth/

Thanks and let us know. Happy to assist you in resolution as able.

Thanks!
Josh

Hi @mayank!

Apologies that you are having difficulty with this upgrade!

Do you have any more details on the types of errors you are receiving? Any errors logged to the event log or system log would be helpful in troubleshooting this as well. Can you provide the full endpoint that you are attempting to hit? Any other details about your setup would be helpful in diagnosing.

Thanks for the input and look forward to hearing more soon.

Thanks,
Josh

Hi @vaibhav!

Yes, this should be possible. The short answer is that you will want to review our documentation found below:

https://fusionauth.io/docs/v1/tech/themes/
https://fusionauth.io/docs/v1/tech/guides/passwordless/

Another user, borograd, had a related post here as well:
https://fusionauth.io/community/forum/topic/899/any-simple-was-of-doing-apple-google-only-login/3?_=1619622757240

I hope this helps!

Thanks,
Josh

You can use the user.create or the user.registration.create webhook to do something like this.

If you enable these webhooks and configure the transaction to require the webhook to succeed, then you simply need to return a non-200 status code from the webhook to cause FusionAuth to fail this create.

https://fusionauth.io/docs/v1/tech/events-webhooks/#tenant-settings
https://fusionauth.io/docs/v1/tech/events-webhooks/events/#user-create
https://fusionauth.io/docs/v1/tech/events-webhooks/events/#user-registration-create

Updated the JWT populate lambda doc to make it clear that headers aren't modifiable at the present time: https://fusionauth.io/docs/v1/tech/lambdas/jwt-populate/

The way to do this is to use the user.data or registration.data objects as a transfer mechanism.

If you are using OIDC (SAML is much the same, but I'll use OIDC as an example), you can create a OIDC Reconcile Lambda. It might look like this:

// Using the JWT returned from UserInfo, reconcile the User and User Registration. function reconcile(user, registration, jwt) { user.data.favoriteColor = jwt.favoriteColor; }

So the jwt in this case is that returned from the OIDC identity provider. We store the data in user.data.

Now we need to pull it off of the user.data object using a JWT populate lambda. That might look a little something like this:

// Using the user and registration parameters add additional values to the jwt object. function populate(jwt, user, registration) { jwt.favoriteColor = user.data.favoriteColor; }

favoriteColor is now available as a claim in the JWT produced by FusionAuth.

Don't forget to assign your lambdas to the correct operations. The OIDC Identity provider needs to be configured with the reconcile lambda. The application's JWT tab is the right place to configure the use of the JWT populate lambda.

More information on all the lambda options available here: https://fusionauth.io/docs/v1/tech/lambdas/