There is no way to create API keys from the API.

You can bootstrap the system with an API key using Kickstart. Kickstart would allow you to create one or more API keys, which can optionally scoped to a tenant. More on Kickstart: https://fusionauth.io/docs/v1/tech/installation-guide/kickstart

However, this doesn't solve the issue of dynamically creating a tenant scoped API key. If that's a use case for which you need support, please file a github issue: https://github.com/fusionauth/fusionauth-issues with more detail.

You set these at the tenant level.

Home / Settings /Tenants / Edit in the admin UI.

You can also use the API or a kickstart file to set these.

An easy way to see the elastic search string for some queries is to go to the user search in the admin screen, click 'advanced' and then click 'show elastic query'.

Here's an example elastic search post: https://fusionauth.io/community/forum/topic/110/how-can-i-get-all-users-for-an-application-using-the-api

I know this isn't exactly what you asked for, but hope it helps some.

Hi @keith ,

There are some improvements FA can make to the way it works with hosted databases. Here's the github issue: https://github.com/FusionAuth/fusionauth-issues/issues/95

Can you try using the advanced installation: https://fusionauth.io/docs/v1/tech/installation-guide/fusionauth-app#advanced-installation and see if that works for you?

Yes, you want to use sourceTenantId when creating the tenant

You can keep a tenant around or use a particular one as the template, and then always create a new tenant using the sourceTenanId. This does not do a merge however, so if you want specific values, you’d want to do something like:

Call create w/ sourceTenantId Consume the response and then modify what you want Call update or patch with the new values

Hi Dan,
Thx for the response - correct, re the login form, and adding a captcha solution.

Awesome thank you so much for the help!

Per this issue https://github.com/FusionAuth/fusionauth-issues/issues/673

"This is because the services are running interactively and the logging is written to to stdout."

So when you start up your fusionauth instance using startup.bat a cmd window will open up and your logs will be written to that.

Doing so will allow FusionAuth to run even when utf8mb4 is not configured properly. We added that enforcement to ensure the limitation is understood before you turn off the enforcement.

The implication is that if you attempt to store a 4 byte unicode character the INSERT or UPDATE request will fail. The initial MySQL UTF-8 support only allowed for 3 byte characters, they then came out with utf8mb4 to support 4 byte characters.

For example, many emoji are 4 byte characters, so if you tried to store a piece of text with a smiley such as 😁 it will fail. The 😁 is a four byte character, U+1F601 or \xF0\x9F\x98\x81.

Unless you configure MySQL to use utf8mb4 any character points between U+10000 and U+10FFFF will fail to be stored.

Extracted from https://github.com/FusionAuth/fusionauth-issues/issues/234#issuecomment-632757441

Turns out that I didn't have much disk space.

Saw this in the FA search logs:

{"type": "server", "timestamp": "2020-06-10T14:34:28,378Z", "level": "WARN", "component": "o.e.c.r.a.DiskThresholdMonitor", "cluster.name": "FusionAuth", "node.name": "ubuntu-xenial", "message": "flood stage disk watermark [95%] exceeded on [NE_DhFssRru-H5oIiLwBjA][ubuntu-xenial][/usr/local/fusionauth/data/search/esv6/nodes/0] free: 887.9mb[4.4%], all indices on this node will be marked read-only", "cluster.uuid": "LGdaij30RrS4FZbgsT_6KA", "node.id": "NE_DhFssRru-H5oIiLwBjA" }

Deleting some things from my hard drive lowered my disk usage below 95% and I no longer saw the message.

@megeshg said in Authorize device without using /oauth2/device redirect:

we are not call /oauth/device would we need to? when in the flow would we need to do this? Dont see this in the documentation?

Hmmm. I think I must have been mistaken when I suggested that. I can't track down where I came up with that. My apologies.

I'm glad you found a solution.

The way most of our clients handle this is by using proxy redirect rules. For example, if your service is available at https://auth.example.com then you would redirect https://auth.example.com/ to https://example.com to push the user back into the "user" space of your site. This would mean that if you have a FusionAuth admin, they would need to directly access the UI by navigating to https://auth.example.com/admin/.

If you're already using a load balancer or a similar technology that provides routing rules, these are easy to configure.

You can also use managed IP locking (limiting access to a certain set of IP addresses), or some other type of HTTP header on the request to limit access to the FusionAuth admin UI to authorized users and treat all other traffic to anything under /admin for end users as an invalid request. These types of solutions are best handled at the network layer or with a proxy.

I totally forgot to add the register the user manually to the FusionAuth application. It is working now, thank you!

Looks like you added an issue: https://github.com/FusionAuth/fusionauth-issues/issues/668

Thanks!

@dan Thanks so much for the followup! For now, I'll work around the issue with a read/merge/write on the client.

If you are using https://aws.amazon.com/elasticsearch-service/ for your Elasticsearch server, you can access it via AWS APIs and use IAM to control access: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-ac.html

However, FusionAuth doesn't currently support the AWS signature for Elasticsearch requests.

The recommended way of securing such clusters is to place it in a private subnet and restricting traffic to it using a security group. More information: https://fusionauth.io/docs/v1/tech/installation-guide/securing#fusionauth-search

If you have to make it public to make it accessible to resources outside if AWS you could use a source IP lock, a VPN, basic auth if AWS supports it, or you could proxy the request perhaps to another endpoint that can build the AWS sig v4 header.

The client libraries all consume the same REST API, so you can use that as a reference: https://fusionauth.io/docs/v1/tech/apis/

In order to use a custom font within a publicly accessible FusionAuth template for a hosted deployment, pull the font from a CDN or other server hosting the font.

FusionAuth doesn't have any persistent storage for custom theme assets. You can use any font you like as long as it can be included via a tag.

You can double check the client id and secret are correct and don't have any trailing white space when entered in the FusionAuth config.

The scope you have configured does not show up in the discovery document but I would assume you'd receive a different error I'd that was a problem.

Confirm you registered the correct redirect_uri (something like http://localhost:9011/oauth2/callback) in your Intuit account.

Their APIs don't seem to be working well with the client_secret_basic authentication method.

Their discovery document indicates they support both client_secret_post and client_secret_basic.

"token_endpoint_auth_methods_supported":[ "client_secret_post", "client_secret_basic" ]

The default OpenID Connect config in FusionAuth will use client_secret_basic.

I found a thread indicating others are also having problems with the Basic Authorization strategy.
https://help.developer.intuit.com/s/question/0D50f000050TBnCCAW/getting-the-errorinvalidclient-for-access-tokens

Switching the configuration to use client_secret_post seems to have allowed an authentication request.

Here's a doc about how to switch search engines: https://fusionauth.io/docs/v1/tech/tutorials/switch-search-engines