Create user with FusionAuth Admin Interface from Kickstartfile

  • A
    akoskm
    last edited by 4 Dec 2022, 09:29

    Hi!

    Is it possible to create an admin account with FusionAuth Admin Interface access from the Kickstart file?

    Here's my kickstart file:

    {
      "variables": {
        "adminEmail": "cypress@example.com",
        "user1Email": "rob@example.com",
        "password": "hello123",
        "defaultTenantId": "30663132-6464-6665-3032-326466613934"
      },
      "apiKeys": [
        {
          "key": "#{ENV.FUSION_AUTH_API_KEY}",
          "description": "Standard development API key"
        }
      ],
      "supportId": "5acfd1b6-f687-ae13-8ffd-1900200c9a77",
      "requests": [
        {
          "method": "POST",
          "url": "/api/application/#{ENV.SECRET_FUSIONAUTH_CLIENT_ID}",
          "body": {
            "application": {
              "name": "Project Secret",
              "oauthConfiguration": {
                "clientSecret": "#{ENV.SECRET_FUSIONAUTH_CLIENT_SECRET}"
              },
              "roles": ["user", "admin"]
            }
          }
        },
        {
          "method": "POST",
          "url": "/api/user/registration/ace26aa5-0fe9-4672-bc5f-dfe198f4955d",
          "body": {
            "user": {
              "email": "#{adminEmail}",
              "password": "#{password}"
            },
            "registration": {
              "applicationId": "#{ENV.SECRET_FUSIONAUTH_CLIENT_ID}",
              "roles": ["user", "admin"]
            }
          }
        }
      ]
    }
    
    

    My understanding was that it should be enough to add the "admin" role to the user to be able to access the admin interface.

    However, when I try to log in with cypress@example.com:hello123 - a user with the "admin" role - I'm getting this screen:

    f97571bb-fd40-448b-8f47-bde50f4f6c0b-image.png

    Thanks!

    • D
      dan @akoskm
      last edited by 5 Dec 2022, 21:21

      @akoskm Yes, this is possible. You have to create a registration for the FusionAuth application for your user and apply a role (roles outlined here).

      Here's an example kickstart that does that: https://github.com/FusionAuth/fusionauth-example-kickstart/blob/master/fusionauth/kickstart-development.json#L146

      You want something like the lines 146-191.

      --
      FusionAuth - Auth for devs, built by devs.
      https://fusionauth.io

      • P
        paterik4 @dan
        last edited by 6 Dec 2022, 16:03

        Hello @dan !

        I tried what you showed us, like this:

        {
              "method": "POST",
              "url": "/api/user/registration/00000000-0000-0000-0000-000000000001",
              "body": {
                "user": {
                  "firstName": "Adam",
                  "lastName": "Smith",
                  "email": "#{adminEmail}",
                  "password": "#{password}"
                },
                "registration": {
                  "applicationId": "#{ENV.FUSIONAUTH_CLIENT_ID}",
                  "roles": ["admin"]
                }
              }
            },
        

        but after this, my local FusionAuth admin panel redirects me to the setup wizard form which I can't complete because it's giving me a 500 Server error.

        f8b99f3c-23b3-4bae-9c91-d2a0cbf5998e-image.png

        This tells me something is wrong with my newly added block because before I added it my FusionAuth worked fine.

        I also tried to add an application registration with the same id and with the name FusionAuth, like this:

            {
              "method": "POST",
              "url": "/api/application/#{ENV.FUSIONAUTH_CLIENT_ID}",
              "body": {
                "application": {
                  "name": "FusionAuth",
                  "roles": ["user", "admin"]
                }
              }
            },
        

        but this didn't solve my issue.

        Thanks for your help in advance!

        Best Regards,
        Patrik

        • A
          akoskm @dan
          last edited by 9 Dec 2022, 12:35

          Hi @dan, Patrik is my colleague who tried to make this work but had no success. Could you take a look at his post below? Thank you!

          • Q
            quent @paterik4
            last edited by 9 Dec 2022, 17:28

            @paterik4 I think you need to give the application_id instead of the client_id in the registration block

            • D
              dan @paterik4
              last edited by 10 Dec 2022, 17:13

              @paterik4 Hiya,

              Can you try eliminating some things to troubleshoot?

              • Try hardcoding the application id rather than using an environment variable. In fact, try replacing all the env references with hardcoded values
              • Try removing the supportId; I'm not sure what that is.

              Also, if you are ending up at the setup wizard, that means that the kickstart didn't complete. Can you look at the log file output and see what error messages kickstart provides? You can also verify that the JSON is valid using a tool like jsonlint.com.

              Also, what version of FusionAuth are you attempting this on?

              If you can share a GH repo showing this issue, I'd like to take a look.

              • P
                paterik4 @quent
                last edited by 12 Dec 2022, 15:59

                @quent I thought about that, but how should I get the id of FusionAuth that was just created by kickstart?

                • P
                  paterik4 @dan
                  last edited by 13 Dec 2022, 14:51

                  @dan Hello!

                  If I try to add an application registration as shown in the example in FusionAuth's Github repo, it gives me this error:

                  2022-12-13 02:42:06.813 PM ERROR io.fusionauth.api.service.system.kickstart.KickstartRunner - Failed to execute request to [POST][/api/application/00000000-0000-0000-0000-000000000001] Status [400]
                  Request body:
                  {
                    "application" : {
                      "name" : "FusionAuth",
                      "roles" : [ "user", "admin" ]
                    }
                  }
                  2022-12-13 02:42:06.813 PM ERROR io.fusionauth.api.service.system.kickstart.KickstartRunner - Error response:
                  {
                    "fieldErrors" : {
                      "application.name" : [ {
                        "code" : "[duplicate]application.name",
                        "message" : "An Application with name [FusionAuth] already exists."
                      } ]
                    },
                    "generalErrors" : [ ]
                  }
                  

                  If the kickstart creates FusionAuth for itself, how could I get its id to register users to it with an admin role?

                  The supportId doesn't create any error.

                  My kickstart file is a valid JSON file.

                  I am trying to use the fusionauth/fusionauth-app:1.38.0 image of FusionAuth.

                    • Q
                      quent @paterik4
                      last edited by 16 Dec 2022, 17:04

                      @paterik4 I think you can specify it in the kickstart when you create it

                      • P
                        paterik4 @quent
                        last edited by 6 Jan 2023, 11:28

                        @quent That would be great. Can you give me an example of how I can achieve this?

                        • P
                          paterik4
                          last edited by 6 Jan 2023, 12:06

                          @quent @dan Thank you for your help! I got it working.

                          My mistakes were the following:

                          1. I tried to specify the FusionAuth app id.
                          2. I tried to create the FusionAuth app which gave me an error that it already exists.
                          3. I used the default (provided) FusionAuth app id wrongly.
                          4. I tried to register the user twice.

                          Here is my solution without any other registration:

                          If you would like to give access to an already registered user, you should provide access to that user with the same URL but with the following body:

                                "body": {
                                  "skipRegistrationVerification": true,
                                  "registration": {
                                    "applicationId": "#{FUSIONAUTH_APPLICATION_ID}",
                                    "roles": ["admin"]
                                  }
                                }
                          

                          If you would like to give access to a new user, then you should do it under a different URL and you have to specify the user email and password inside the body like this:

                                "body": {
                                  "user": {
                                    "email": "#{adminEmail}",
                                    "password": "#{password}"
                                  },
                                  "registration": {
                                    "applicationId": "#{FUSIONAUTH_APPLICATION_ID}",
                                    "roles": ["admin"]
                                  }
                                }
                          
                          • D
                            dan @paterik4
                            last edited by 6 Jan 2023, 13:50

                            @paterik4 Awesome, glad you got it working.

                            For anyone else, https://fusionauth.io/docs/v1/tech/apis/registrations documents the two different ways of creating a registration (for a new user and an existing user).

                            • C
                              chris 0
                              last edited by 3 Mar 2023, 11:51

                              Hi, I am fairly new to FusionAuth and have the same issue as the original poster.

                              The Kickstart file I created does not allow the user to log in to access the admin interface.

                              What I am attempting to do is run locally in Docker containers, so that the same setup can be used by another developer from docker compose.

                              Please could I have some help with the Kickstart file?

                              It runs, does not appear to throw any errors in the fusionauth logs, but I cannot log in.

                              Please find enclosed the kickstart file and the docker compose snippet.

                              Regards
                              Chris

                              Kickstart file

                              {
                                "variables": {
                                  "adminEmail": "admin@fusionauth.io",
                                  "password": "apassword",
                                  "defaultTenantId": "68e4bbcf-f44b-a066-34c1-d53bdd4e4810",
                                  "applicationId": "80640732-cecc-4962-9928-6937bee1090a"
                                },
                                "apiKeys": [
                                  {
                                    "key": "nvbt6nwmxyHQVy2F7xYCgSgLww4ssUy9csmzVAEJatS4mkp7H2vGogJI",
                                    "description": "Standard development API key"
                                  }
                                ],
                                "requests": [
                                  {
                                    "method": "POST",
                                    "url": "/api/application/80640732-cecc-4962-9928-6937bee1090a",
                                    "body": {
                                      "application": {
                                        "name": "LocalApp",
                                        "roles": [
                                          {
                                            "name": "admin"
                                          },
                                          {
                                            "name": "user"
                                          },
                                          {
                                            "name": "user-admin"
                                          }
                                        ],
                                        "oauthConfiguration": {
                                          "clientSecret": "AsCh5TTgB_JmeSr57P15M31S0nblbbak5h15ZHU7kVc",
                                          "clientID": "80640732-cecc-4962-9928-6937bee1090a",
                                          "authorizedOriginURLs": [
                                            "http://localhost:3000",
                                            "http://localhost:3016"
                                          ],
                                          "authorizedRedirectURLs": [
                                            "http://localhost:3000/api/v1/auth/callback"
                                          ],
                                          "enabledGrants": [
                                            "authorization_code",
                                            "password",
                                            "refresh_token"
                                          ],
                                          "logoutURL": "http://localhost:3000/api/v1/auth/logout",
                                          "generateRefreshToken": true
                                        }
                                      }
                                    }
                                  },
                                  {
                                    "method": "POST",
                                    "url": "/api/user/registration/00000000-0000-0000-0000-000000000001",
                                    "body": {
                                      "skipRegistrationVerification": true,
                                      "user": {
                                        "email": "john@genericcompany.com",
                                        "firstName": "John",
                                        "lastName": "Smith",
                                        "password": "apassword",
                                        "imageUrl": ""
                                      },
                                      "registration": {
                                        "applicationId": "80640732-cecc-4962-9928-6937bee1090a",
                                        "roles": [
                                          "admin"
                                        ]
                                      }
                                    }
                                  },
                                  {
                                    "method": "POST",
                                    "url": "/api/user/registration/00000000-0000-0000-0000-000000000002",
                                    "body": {
                                      "skipRegistrationVerification": true,
                                      "user": {
                                        "email": "james@genericcompany.com",
                                        "firstName": "James",
                                        "lastName": "Smith",
                                        "password": "apassword",
                                        "imageUrl": ""
                                      },
                                      "registration": {
                                        "applicationId": "80640732-cecc-4962-9928-6937bee1090a",
                                        "roles": [
                                          "admin"
                                        ]
                                      }
                                    }
                                  },
                                  {
                                    "method": "POST",
                                    "url": "/api/user/registration/00000000-0000-0000-0000-000000000003",
                                    "body": {
                                      "user": {
                                        "email": "adam@genericcompany.com",
                                        "firstName": "Adam",
                                        "lastName": "Smith",
                                        "password": "apassword",
                                        "imageUrl": ""
                                      },
                                      "registration": {
                                        "applicationId": "80640732-cecc-4962-9928-6937bee1090a",
                                        "roles": [
                                          "admin",
                                          "user",
                                          "user-admin"
                                        ]
                                      }
                                    }
                                  },
                                  {
                                    "method": "POST",
                                    "url": "/api/user/registration/00000000-0000-0000-0000-000000000004",
                                    "body": {
                                      "user": {
                                        "email": "jane@genericcompany.com",
                                        "firstName": "Jane",
                                        "lastName": "Smith",
                                        "password": "apassword",
                                        "imageUrl": ""
                                      },
                                      "registration": {
                                        "applicationId": "80640732-cecc-4962-9928-6937bee1090a",
                                        "roles": [
                                          "user"
                                        ]
                                      }
                                    }
                                  },
                                  {
                                    "method": "POST",
                                    "url": "/api/user/registration/00000000-0000-0000-0000-000000000005",
                                    "body": {
                                      "user": {
                                        "email": "helga@genericcompany.com",
                                        "firstName": "Helga",
                                        "lastName": "Smith",
                                        "password": "apassword",
                                        "imageUrl": ""
                                      },
                                      "registration": {
                                        "applicationId": "80640732-cecc-4962-9928-6937bee1090a",
                                        "roles": [
                                          "user"
                                        ]
                                      }
                                    }
                                  },
                                  {
                                    "method": "POST",
                                    "url": "/api/user/registration/00000000-0000-0000-0000-000000000006",
                                    "body": {
                                      "user": {
                                        "email": "Susan@genericcompany.com",
                                        "firstName": "Susan",
                                        "lastName": "Smith",
                                        "password": "apassword",
                                        "imageUrl": ""
                                      },
                                      "registration": {
                                        "applicationId": "80640732-cecc-4962-9928-6937bee1090a",
                                        "roles": [
                                          "user"
                                        ]
                                      }
                                    }
                                  }
                                ]
                              }
                              

                              Docker compose snippet

                                fusionauth:
                                  image: fusionauth/fusionauth-app:1.43.0
                                  container_name: fusionauth
                                  depends_on:
                                    authdb:
                                      condition: service_healthy
                                  environment:
                                    DATABASE_URL: jdbc:postgresql://authdb:5432/${POSTGRES_DB}
                                    DATABASE_ROOT_USERNAME: ${POSTGRES_USER}
                                    DATABASE_ROOT_PASSWORD: ${POSTGRES_PASSWORD}
                                    DATABASE_USERNAME: ${DATABASE_USERNAME}
                                    DATABASE_PASSWORD: ${DATABASE_PASSWORD}
                                    FUSIONAUTH_APP_MEMORY: ${FUSIONAUTH_APP_MEMORY}
                                    FUSIONAUTH_APP_RUNTIME_MODE: development
                                    FUSIONAUTH_APP_URL: http://localhost:9011
                                    SEARCH_TYPE: database
                                    FUSIONAUTH_APP_KICKSTART_FILE: ${FUSIONAUTH_APP_KICKSTART_FILE}
                                  networks:
                                    - localnet
                                  restart: unless-stopped
                                  ports:
                                    - 9011:9011
                                  volumes:
                                    - ./conf/fusionauth/config:/usr/local/fusionauth/config
                                    - ./conf/fusionauth/kickstart:/usr/local/fusionauth/kickstart
                                    - ./volumes/fusionauth/logs:/usr/local/fusionauth/logs
                              
                                authdb:
                                  image: postgres:12.5-alpine
                                  container_name: authdb
                                  hostname: authdb
                                  ports:
                                    - "5433:5432"
                                  environment:
                                    PGDATA: /var/lib/postgresql/data/pgdata
                                    POSTGRES_DB: ${POSTGRES_DB}
                                    POSTGRES_USER: ${POSTGRES_USER}
                                    POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
                                  healthcheck:
                                    test: [ "CMD-SHELL", "pg_isready -U postgres" ]
                                    interval: 5s
                                    timeout: 5s
                                    retries: 5
                                  networks:
                                    - localnet
                                  restart: unless-stopped
                                  volumes:
                                    - ./volumes/authdb:/var/lib/postgresql/data
                              
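An added example, not part of the thread and not FusionAuth's own tooling: a small Python check that reads a Kickstart document and reports which users would get admin UI access under the fix described above (an `admin` role registered on `#{FUSIONAUTH_APPLICATION_ID}`). It also flags a request that tries to create an application named `FusionAuth`, and credentials written into the file instead of read from `#{ENV.…}`. The two sample documents and the environment variable names `APP_ID` and `ADMIN_PASSWORD` are constructed for illustration.

```python
import re

# Built-in Kickstart variable used in the thread's working solution. A file that
# hard-codes the admin application's UUID instead would need that value added here.
ADMIN_APP_REFS = {"#{FUSIONAUTH_APPLICATION_ID}"}
VAR = re.compile(r"#\{([^}]+)\}")


def resolve(value, variables):
    """Expand #{name} from the file's own "variables"; ENV.* and built-ins stay as written."""
    if not isinstance(value, str):
        return value
    return VAR.sub(lambda m: str(variables.get(m.group(1), m.group(0))), value)


def is_literal_secret(value, variables):
    """True when the secret ends up written in the file rather than read from #{ENV.*}."""
    resolved = resolve(value, variables)
    return isinstance(resolved, str) and resolved != "" and "#{ENV." not in resolved


def audit_kickstart(doc):
    """Return (users who get admin UI access, list of findings)."""
    variables = doc.get("variables", {})
    admin_ui_users, findings = [], []
    for i, key in enumerate(doc.get("apiKeys", [])):
        if is_literal_secret(key.get("key", ""), variables):
            findings.append(f"apiKeys[{i}]: API key is hard-coded; read it from #{{ENV.NAME}}")
    for i, req in enumerate(doc.get("requests", [])):
        url, body = req.get("url", ""), req.get("body", {})
        where = f"requests[{i}] {req.get('method')} {url}"
        if url.startswith("/api/application"):
            app = body.get("application", {})
            if app.get("name") == "FusionAuth":
                findings.append(f"{where}: an application named FusionAuth already exists, "
                                "so this request fails with 400 [duplicate]application.name")
            secret = app.get("oauthConfiguration", {}).get("clientSecret", "")
            if is_literal_secret(secret, variables):
                findings.append(f"{where}: clientSecret is hard-coded")
        elif url.startswith("/api/user/registration"):
            user, reg = body.get("user", {}), body.get("registration", {})
            email = resolve(user.get("email", "<existing user>"), variables)
            if is_literal_secret(user.get("password", ""), variables):
                findings.append(f"{where}: password for {email} is hard-coded")
            if "admin" in reg.get("roles", []) and reg.get("applicationId") in ADMIN_APP_REFS:
                admin_ui_users.append(email)
    if not admin_ui_users:
        findings.append("no registration grants 'admin' on #{FUSIONAUTH_APPLICATION_ID}: "
                        "nobody can log in to the admin UI")
    return admin_ui_users, findings


# Constructed sample: the pattern the thread started with (admin role on the wrong app).
BROKEN = {
    "variables": {"adminEmail": "admin@example.com", "password": "hello123"},
    "apiKeys": [{"key": "#{ENV.FUSION_AUTH_API_KEY}"}],
    "requests": [
        {"method": "POST", "url": "/api/application/#{ENV.APP_ID}",
         "body": {"application": {"name": "FusionAuth", "roles": [{"name": "admin"}]}}},
        {"method": "POST", "url": "/api/user/registration",
         "body": {"user": {"email": "#{adminEmail}", "password": "#{password}"},
                  "registration": {"applicationId": "#{ENV.APP_ID}", "roles": ["admin"]}}},
    ],
}
# Constructed sample: the registration shape from the working solution, secrets from ENV.
FIXED = {
    "variables": {"adminEmail": "admin@example.com"},
    "apiKeys": [{"key": "#{ENV.FUSION_AUTH_API_KEY}"}],
    "requests": [
        {"method": "POST", "url": "/api/user/registration",
         "body": {"user": {"email": "#{adminEmail}", "password": "#{ENV.ADMIN_PASSWORD}"},
                  "registration": {"applicationId": "#{FUSIONAUTH_APPLICATION_ID}",
                                   "roles": ["admin"]}}},
    ],
}

if __name__ == "__main__":
    for name, doc in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        users, findings = audit_kickstart(doc)
        print(name, "admin UI users:", users, "findings:", findings)
```

To check a real file, load it with `json.load` and pass the resulting dict to `audit_kickstart`.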