@craiglistt What particular issues are you having?

@anand-murugan-0 I run FusionAuth in ECS/Fargate. I don't know about the clustering side, but to make standing up a FusionAuth instance automated I needed to do 2 things:

enable Silent Mode https://fusionauth.io/docs/v1/tech/guides/silent-mode which skips the first boot / migration page. This required passing in database credentials as env vars, so that Fusionauth doesn't need to ask you for them.

Use a kickstart.json to configure an API key https://fusionauth.io/docs/v1/tech/installation-guide/kickstart#using-environment-variables

Adding a kickstart.json file to a docker image in ECS is a bit non-trivial (either with EFS or S3). So I made my own Dockerfile:

FROM fusionauth/fusionauth-app:1.38.1 ARG FUSIONAUTH_APP_KICKSTART_VALUE ENV FUSIONAUTH_APP_KICKSTART_FILE=/tmp/kickstart.json RUN echo ${FUSIONAUTH_APP_KICKSTART_VALUE} > ${FUSIONAUTH_APP_KICKSTART_FILE}

When running docker build, if you pass in an argument like

docker build \ --build-arg FUSIONAUTH_APP_KICKSTART_VALUE="{\"apiKeys\": [{\"key\": \"42\" } ] }" \ .

will build and write out a /tmp/kickstart.json file and tell Fusionauth to look at that path when it starts up. NOTE: any random value would work, I picked 42 for simplicity, don't use this in Production.

With those 2 things, ECS will start a Fusionauth instance that doesn't prompt for initial installation (assuming you pass in db credentials as environment variable) and will

Hi Guys,
Your reply helped me as well. Thank you. I'm still struggling with the issue of rewriting /admin when using subpath.
When I click login icon I'm redirected with 302 to $host/admin not $host/fa/admin
This happened after I updated my FA.

location /fa/ { proxy_http_version 1.1; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Accept-Encoding ""; sub_filter 'action="/' 'action="/fa/'; sub_filter 'href="/' 'href="/fa/'; sub_filter 'href="/admin/' 'href="/fa/admin/'; sub_filter 'src="/images' 'src="/fa/images'; sub_filter 'src="/js' 'src="/fa/js'; sub_filter_once off; proxy_pass http://localhost:9011/; } location ~^/(?<fusionPath>(oauth2|admin|ajax|login|password|js/identityProvider))/ { proxy_pass http://127.0.0.1:9011/$fusionPath/; # https://fusionauth.io/docs/v1/tech/admin-guide/proxy-setup#how-to-use-a-proxy proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Accept-Encoding ""; sub_filter 'action="/' 'action="/fa/'; sub_filter 'href="/' 'href="/fa/'; sub_filter 'src="/images' 'src="/fa/images'; sub_filter 'src="/admin' 'src="/fa/admin'; sub_filter 'src="/js' 'src="/fa/js'; sub_filter_once off; }

the built-in domain blocking is documented here: https://fusionauth.io/docs/v1/tech/advanced-threat-detection/#registration-domain-blocking

However:

It only blocks specific domains so you can't block 'all domains except ' It requires an enterprise license

As an alternative, consider a registration transactional webhook which could examine the domain provided by a user and fail if it didn't match a list of your domains: https://fusionauth.io/docs/v1/tech/events-webhooks/events/user-registration-create

Proxy servers can store cached copies of sites. You will get the data from the proxy when you access a particular location.

@sander

Thanks for the update. We're bummed that we can't include the mysql connector as part of the docker image.

If FusionAuth is stuck in maintenance mode, this thread might prove useful: https://fusionauth.io/community/forum/topic/135/can-t-get-by-maintenance-mode

Can you give me any more details about the issue?

Hi @cgonzalez

Can you confirm how quickly you are completing the exchange for a token using the code?

"auth_code_not_found"

The code may not be available if:

It has expired or It as already been used to obtain a token.

Thanks,
Josh

@pclark

Just checking in, albeit a bit later than anticipated. Was this resolved for you on the latest version of FusionAuth

-Josh

@leandro-menagonzalez

This can be solved by using client-side validation in your theme for the corresponding forgot password page. On the authorize page you would pull in JS to check the users email in any manner you see fit.

https://fusionauth.io/docs/v1/tech/apis/themes
https://fusionauth.io/docs/v1/tech/themes/

Josh

@trevorr said in Password change deletes sessions?:

If possible in the future, it would be great to be able to control that per-password change. It's the right behavior for changing a potentially compromised password, but not for setting an initial password. Of course, my app could also revoke the refresh tokens explicitly.

Makes sense. Please feel free to open an GitHub issue outlining your use case: https://github.com/fusionauth/fusionauth-issues/issues

@dhait Yes.

You can create as many email templates as you want, typically using the admin UI or the email API: https://fusionauth.io/docs/v1/tech/apis/emails

Then, you assign them to tenants, using the Tenant admin UI or tenant API: https://fusionauth.io/docs/v1/tech/apis/tenants

You are probably going to be interested in the emailConfiguration object which has all the tenant email template Ids.

@dan said in Having trouble using Gmail SMTP for email sending:

Found a way to solve it.

You really need to use 16-char app passwords with Google SMTP, as it is suggested here https://support.google.com/accounts/answer/185833/tunnel rush

It works fine then.

🤠 😊

@srikanth-bussa Great.

If you need to customize the JWT, I'd suggest looking at the populate lambda and lambda HTTP connect as well.

Hiya,

Yes, you complete a login after the user has logged in at the SAML provider. That's implied, but maybe we should make it a bit clearer.

From https://fusionauth.io/docs/v1/tech/apis/identity-providers/samlv2#complete-a-saml-v2-login

This API allows you to complete a SAML v2 login after the user has authenticated with a SAML v2 identity provider. If you are using the FusionAuth login UI with the SAML v2 button you will not utilize this API directly.

The idea is:

you call start SAML login (the FusionAuth API) you direct the user to the IDP you get the SAML response you pass the SAML response to the complete API call (again, FusionAuth API)

Why not just integrate SAML directly into your application? It's an instance of the identity broker pattern, and having FusionAuth in the middle can allow for a standard interface across SAML and other remote IdP providers.

How you handle steps 2 and 3 is not documented for two reasons.

It might vary widely, depending on the SAML IdP and your configuration. It is expected that as someone who is using the start/complete API and not the FusionAuth hosted login pages, you are familiar enough with SAML to take care of them.

Hope this helps!

@dan Thanks, this is the use-case I was expecting.

The easiest way is to add the required header to the ngrok connection.

Here's how you can do it:

./ngrok http --request-header-add 'X-Forwarded-Port:443' 9011

That should fix the issue.