Topics created by joshua

Ensure that the source machine that is building your image is the correct architecture type.

https://www.reddit.com/r/kubernetes/comments/13lurdl/kubernetes_error_exec_usrlocalbinyarn_exec_format/?rdt=39252

For instance, if you are building a K8's cluster running linux (x86) but have built the image locally on a Apple M2 Mac (ARM based), then you will need to instruct docker to use the build x command to build a multi-platform build or change the source build machine.

One recommendation is to use the User Search API to gather all users for a specific Application

For example,

curl --request POST \ --url https://local.fusionauth.io/api/user/search \ --header 'Authorization: <YOUR_API_KEY>' \ --header 'Content-Type: application/json' \ --data '{ "search": { "numberOfResults": 50, "query": "{\"bool\":{\"must\":[{\"nested\":{\"path\":\"registrations\",\"query\":{\"bool\":{\"must\":[{\"match\":{\"registrations.applicationId\":\"<YOUR_APPLICATION_UUID>\"}}]}}}}]}}", "startRow": 0 } }'

Returns all the users that belong to a applciation Id using the query parameter. More information can be found in our documentation below.

https://fusionauth.io/docs/v1/tech/apis/users/#elasticsearch-search-engine

Accessing the Admin UI > Users > Search Box > Advanced > Show ElasticSearch Query Can also reveal prebuilt queries that you can run against users via API (move the toggles to observe how the query will change over time).

Yes, you can search for users who are set to

"active" : false

just like any other user

The user can be retrieved but will have a status of {"user" : { "active" : false } }
The user cannot be updated but will instead have this error return

{ "fieldErrors": { "userId": [ { "code": "[inactive]userId", "message": "The User with Id [00000000-0000-0000-0000-000000000007] is inactive and cannot be updated until it is reactivated." } ] } }

Yes, this is the functional equivalent in the UI.

Soft delete is the preferred method.

And here's the announcement blog post: https://fusionauth.io/blog/2021/08/18/announcing-fusionauth-1.30/

And here's the blog post: https://fusionauth.io/blog/2021/07/23/announcing-fusionauth-1-29/

This error is related to FusionAuth not being able to communicate to nodes over TLS in a multinode environment.

Two things you will want to check-

If you are using self-signed certs (TLS)

You will need to add any self-signed certificates to your Java Truststore.

If you are using a signed cert from a certificate authority

Make sure you have properly integrated that cert into your TLS

Lastly, If you are on a secure private backplane, you can simply communicate over non-TLS (HTTP).

Once FusionAuth can establish a connection, then the caching issues should remedy themselves. In a multi-node environment, the first node is kickstarted with its own cache and then attempts to inform all other nodes to refresh their cache. If this "master node" cannot communicate (in this case due to not have the right security cert), then you will see errors such as above.

Thanks,
Josh

Can we do something like this through the UI interface too?

This is not currently possible. Creating the User, and creating a User Registration are two separate steps. As you correctly stated, when creating the user in the UI, there is no context yet for an application. For this reason, the user will receive the template configured at the tenant level.

Or is this only possible through the API?

Correct. You must use the Create "User + Registration" API to do this in one step to use the application template for setup password.

If I register a user with both applications (through the API) which email do they get?

When using the API to Create "User + Registration" you can only register for one application at a time. The email is only sent during the User Create step, so if you register for a second application, the user will already exist and thus will not receive a second email.

A reminder that we have a second meet-up scheduled for today!

If you need to preserve passwords, and you have access to the database:

You could manually read from the db and then import users using the import API. https://fusionauth.io/docs/v1/tech/apis/users/#import-users You can use pg_dump or mysqldump respectively if you want to move the entire system from one server to another, users and all. The target system has to be at the same or greater version than the source. If the target is at a greater version than the source, you will enter maintenance mode on startup to migrate the schema.

If you do not need to preserve passwords, then you could use the User Search API and the User Import API together.

And the announcement blog post: https://fusionauth.io/blog/2021/06/09/announcing-fusionauth-1-28/

Ideally, you would be using the Oauth2 login and logout endpoints which would also give you SSO, and a lot of other features such as forgot password, passwordless, two-factor login, account lockout, federated logins, etc.

If you have a technical reason not to use OAuth - the Login API is available. Using the Login API means you will be coding all of the end-user workflows described above such as two-factor, forgot password, etc yourself.

Our Five Minute Guide Covers one of the most common OAuth Grants and workflows available.
https://fusionauth.io/docs/v1/tech/5-minute-setup-guide/#undefined

No. Neither. But it will revoke the SSO token.

https://fusionauth.io/docs/v1/tech/guides/single-sign-on#request-flow-diagrams

@twilkinson,

Hello again!

Yes, this is how I read that as well from the documentation. You could also test that logout is enforcing the behavior that you are seeking by using the browser console to check for cookies. Or if not storing the token in cookies, checking the relevant location and/or behavior to ensure that the user's refresh/access tokens are properly removed/invalidated.

Based on the documentation, you should provide the refreshToken in the request to invalidate, as seen below:

6805586d-d207-4358-b4a1-97b62b5e0453-image.png

Thanks,
Josh

 

Related Links

https://fusionauth.io/community/forum/topic/270/logout-questions/5

If managing your own session (not OAuth)

Documentation Link

If you are not using the FusionAuth SSO, then you will manage the user session and state in your application.

Within this self-managed context, the Logout API /api/logout is only useful if you are using the Login API within the context of a browser. In this case, the Logout API will return a response HTTP header to tell the browser to delete the cookies written by the Login API.

In other words, depending on your configuration/setup/specifics, there may be more work to do within your self-managed SSO to completely log the user out.

If not managing your own session (one example would be to follow OAuth)

Documentation Link

If you are following OAuth, then you will hit the endpoint provided in the above doc link (currently /oauth2/logout).

This logout endpoint provides a mechanism to invalidate the user’s session held by FusionAuth, this effectively logs the user out of FusionAuth.

The FusionAuth SSO enabled through an OAuth2 code grant handles the user session validation.

-However-

The Login API (/api/login) does not use FusionAuth SSO. In this scenario, the user session is managed in your own application (more customization possible, but likely more code work).

To clarify my current MFA delivery setup (v1.25), I have it configured with "delivery": "None" and this enables the Authenticator and backup codes via the Twilio integration.

Will this keep working? Or do I have to update each user and enable the "sms" method? Is it even possible to enable the "sms" method without having a code that was sent to the mobilePhone of the user?