FusionAuth
    • Home
    • Categories
    • Recent
    • Popular
    • Pricing
    • Contact us
    • Docs
    • Login

    Group Based App Registrations?

    Scheduled Pinned Locked Moved
    General Discussion
    2
    4
    811
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      bradley.kite
      last edited by

      Hi,

      I'm not 100% sure how groups are meant to be used in FusionAuth.

      I've created a group, assigned it application roles, and put users in the group, but the user still needs to register for the application - is it not possible for app registrations to be inferred from the groups app roles?

      I suspect its more a case of me not understanding something.

      Thanks for any help offered.

      Regards

      Brad.

      1 Reply Last reply Reply Quote 0
      • danD
        dan
        last edited by

        @bradley-kite no worries!

        Yes, a user needs to be both in the group and registered for the application to have a role for that application.

        If they aren't in the group, they won't get the role, of course.

        And if they aren't registered for the application, then they won't get the role because, well, roles are always tied to an application. You can't have a role that isn't tied to an application. This is illustrated in the docs here: https://fusionauth.io/docs/v1/tech/core-concepts/groups/

        is it not possible for app registrations to be inferred from the groups app roles

        This is not currently possible. There maybe additional information that is required for an application registration that group membership wouldn't supply (like an app username, or something similar), so I'm not sure it'd ever be possible.

        When you add a user to a group, you could register them to that application via an API. Alternatively, you could file a feature request with information about this use case: https://github.com/fusionauth/fusionauth-issues/issues

        This open issue may also be of interest to you: https://github.com/FusionAuth/fusionauth-issues/issues/633

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        1 Reply Last reply Reply Quote 0
        • B
          bradley.kite
          last edited by

          Would it be possible (eg, with some kind of LAMBDA) so that when a user logs in, the LAMBDA can check what groups the user is a member of, and automatically create the app registrations for the app they are trying to access?

          The LAMBDA can then create any app-specific usernames, if required. But I'm not sure if the LAMBDA has access to group membership info?

          1 Reply Last reply Reply Quote 0
          • danD
            dan
            last edited by

            That is one path that might work in the future, but you can't create arbitrary registrations, call the APIs, or know which groups someone is part of right now.

            I know the roadmap includes reworking the lambda so that it is more flexible. That's tied up in upgrading from Nashorn. If we allowed you access to any APIs from the lambda, you'd then be able to do this.

            See https://github.com/FusionAuth/fusionauth-issues/issues/571 and https://github.com/FusionAuth/fusionauth-issues/issues/267 for more on that. If you can, it'd be great to comment pointing to this forum post about wanting more flexibility in Lambdas.

            --
            FusionAuth - Auth for devs, built by devs.
            https://fusionauth.io

            1 Reply Last reply Reply Quote 0
            • First post
              Last post