Is the insertInstant type supposed to be an INT or UUID for add user to group response API?

https://fusionauth.io/docs/v1/tech/apis/groups

Support for MariaDB

Problem

MariaDB is not having the function RANDOM_BYTES. https://mariadb.com/kb/en/library/function-differences-between-mariadb-102-and-mysql-57/

-- Internal API key, replace new lines with empty
INSERT INTO authentication_keys(id, permissions, meta_data, tenants_id)
   VALUES (concat('__internal_', replace(to_base64(random_bytes(64)), '\n', '')),
           '{"endpoints": {"/api/cache/reload": ["POST"]}}',
           '{"attributes": {"internalCacheReloader": "true"}}',
           NULL);

Solution

-- Internal API key, replace new lines with empty
INSERT INTO authentication_keys(id, permissions, meta_data, tenants_id)
   VALUES (concat('__internal_', replace(SUBSTR(CONCAT(MD5(RAND()),MD5(RAND())),1,64), '\n', '')),
           '{"endpoints": {"/api/cache/reload": ["POST"]}}',
           '{"attributes": {"internalCacheReloader": "true"}}',
           NULL);

Login with LinkedIn

Problem

The problem is I can't login to FusionAuth with LinkedIn. :-)

Solution

Add the ability to login with LinkedIn.

Alternatives/workarounds

The LinkedIn OAuth2 option is not OpenID Connect compliant, but you can hack it.

Use the OpenId Connect IdP configuration in FusionAuth. Currently this method has a limitation of only being able to request the email address so additional claims cannot be merged into the FusionAuth user.

You must use the following endpoints in your configuration and the following lambda to extract the email address.

Because LinkedIn requires two API calls to get email + profile we have to choose one or the other in the OpenID Connect configuration.

OpenId Connect configuration

Client authentication method
Request body (client_secret_post)
Authorization endpoint
https://www.linkedin.com/oauth/v2/authorization
Token endpoint
https://www.linkedin.com/oauth/v2/accessToken
Userinfo endpoint
https://api.linkedin.com/v2/emailAddress?q=members&projection=(elements*(handle~))
Scope
r_emailaddress

Prior to version 1.17.0

Use an OpenID Connect reconcile Lambda to set the email address.

function reconcile(user, registration, jwt) {
  user.email = jwt.elements[0]['handle~'].emailAddress;
}

Version >= 1.17.3

Beginning with version 1.17.3, you can specify the emailClaim on the OpenID connect configuration.

This will default to email, and can be modified for other use cases. For LinkedIn, you will use the following value: elements/0/handle~0/emailAddress as the Email claim. Note the ~0 is not a typo, this is the JSON Pointer escape syntax for a ~.

Update on OIDC Configuration

In FusionAuth version 1.21.0 we enabled PKCE for all OpenID Connect clients. The OIDC specification indicates that an IdP should ignore the code_challenge and code_challenge_method if they are not supported.

RFC 7636

5 Compatibility
As the OAuth 2.0 [RFC6749] server responses are unchanged by this
specification, client implementations of this specification do not
need to know if the server has implemented this specification or not
and SHOULD send the additional parameters as defined in Section 4 to
all servers.

Of course, Microsoft / LinkedIn do not do anything to spec - and they break if you send these values to the normal authorize endpoint https://www.linkedin.com/oauth/v2/authorization.

You will see an error like this in the Event Log.

Request to the [https://www.linkedin.com/oauth/v2/accessToken] endpoint failed. Status code [403].

Error response is 
{
  "error" : "access_denied",
  "error_description" : "Not enough permissions to access Native PKCE protocol"
}

I believe this is due to their PKCE requirements. See https://stackoverflow.com/a/64999805/3892636.

According to this document from Microsoft, you have to request PKCE be enabled for your LinkedIn application, and once this is complete, use a different authorization endpoint. https://www.linkedin.com/oauth/native-pkce/authorization

https://docs.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow-native

Additional context

https://docs.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow?context=linkedin/context

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

Add Custom Registration fields in the User Interface

Problem

If for every user registration to application Acme you need to add a custom data field called company, currently this is done via a registration workflow on the end users application side.

Or this can also be set via an API call to the Registration API.

I'd like to define a few required fields, or optional fields and have them available in the UI when I register a user.

Solution

TBD

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

Describe the bug
The PHP client has an issue on the logout.
There is no test in FusionAuthClientTest for that ^^

To Reproduce
From PHP client

$response = $auth->logout("true", $refreshToken);

I get:

<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
</body>
</html>

via cURL in CLI:

curl -X POST -H "Authorization: XXXXXXXXXX" "https://myfusionauth/api/logout?global=true&refreshToken=XXXXX" -vvv

I get a code 200.

Also the documentation says that $global should be an array when it should be a boolean.
Also if we could make the second argument as optional in order to make this example working

$response = $auth->logout(true);

Add User Registration expiration

Problem

Similar to how a user can be set to expire, a registration may be set to expire to indicate the end oof a subscription for example.

Perhaps at the end of the expiration, the registration would be deleted, or set to expired.

Solution

TBD

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

We would like to restrict the registration to an app to a list of users
So far, the only parameter I could see is the group.
We have segmented our users to different groups, and we would like to allow app registrations to a specific group.

Describe the solution you'd like
we would like to have a parameters (group or another one?) to say something like « User 1 can subscribe to the app A only if he belongs to a specific list, User 2 can only subscribe to app B and c, etc »

Describe alternatives you've considered
right now we do this check from our code but it could be better to have this constraint in the product itself.

Does it make sense for you?

More accurate error status

Problem

Most errors returned by the API are under the umbrella of Http401 Unauthorized (or rather, Unauthenticated). It would be really helpful to move some of them under Http403 Forbidden where it makes sense.

Solution

RFC6750
For example, endpoints with red locks should return 401 if the "Authorization" header is not present. But for cases where you disabled PUT /api/user/{userId} endpoint, the API should instead return 403 because the client is authenticated, but don't have permission to the resource (forbidden, insufficient scope).

Alternatives/workarounds

A clear and concise description of any alternative solutions or workarounds you've considered.

Additional context

Add any other context or screenshots about the feature request here.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

Birthday field is autofilled in the UI when adding or editing a user

Description

When you create a user in the FusionAuth UI, the birthday field is initialized to todays date even if you do not enter this field. The same goes for edit.

Steps to reproduce

1. Add a user, see birthday field
2. Edit a user without a birthday, see the birthday field

Expected behavior

Unless I enter the field during add or edit - if the user does not yet have a birthday set, I do not expect to see that field filled in.

Screenshots

If applicable, add screenshots to help explain your problem.

Platform

I recreated on Windows using Edge browser, and macOS using Chrome.

Additional context

Add any other context about the problem here.

SAML endpoint

Problem

To allow FusionAuth to be the identity provider for 3rd party tools that only support SAML, a SAML endpoint would be added to FusionAuth.

Solution

This feature would add a new login front-end plus a full SAML backend implementation. This would be very similar to the OAuth front-end that FusionAuth currently has and would include all of the same features (MFA, Password Change, Forget Password, etc).

Related Issues

SAML2 Federation - Issue #104

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

Hi , i used Postman to take the new token (with URL -> localhost:9011/api/jwt/issue?applicationId={myApp's Id}) , in Parameters i placed applicationId with its value , and in Headers i placed Authorization with the value i got from cookie (access_token value) ,and Content-Type with application/json.. As a result i get a 'Could not get any response' .... Where is the problem??

Thanks for your time

Hidden fields still in the tab index on the add panel

Description

If you create a user and the email server is set up so the default value for Send email to setup password is true, if you tab through the fields you'll notice you are tabbing across hidden fields.

This is sometimes visible if you have auto-complete opening the password fields. This will be visible even though the field is not.

Steps to reproduce

Steps to reproduce the behavior:

1. Enable email configuration
2. Create a new user
3. Leave the default config for Send email to setup password
4. Tab through the fields

Expected behavior

The password fields that are hidden when the boolean Send email to setup password is true - should be disabled so they are not included in the tab index.

Screenshots

N/A

Platform

macOS Chrome

Additional context

N/A

Is your feature request related to a problem? Please describe.
A JWT token should be self contained and we usually revoke the refresh token to force a user to be disconnected. In our current app, for security/maintenance purpose, we are able to disconnect a user and revoke the JWT token issued as well.
Because for one of our app, the JWT expiration is 1 hour, it is important to be able to disconnect them without waiting 60 minutes.

Describe the solution you'd like
Today we have a table that whitelist all tokens issued from our app.
that could be great to have a button in the user page (in the session or history tab?) that could be like « disonnect the user from a app » and we could choose the app and all JWT token issued will be revoked.
Also if we have that we could also know how much JWT tokens are currently active.

Would it be possible to get the FusionAuth API written with swagger tools? https://swagger.io is the website. It's the best way I have seen a developer convey a web api for public consumption

Add Permission authorization to RBAC

Problem

The current implementation of RBAC does not offer granular permission authorization.

• Role assignment
  • A user can have many roles
  • A role can have many users
  • [missing] A role can have many permissions
• Role authorization
• [missing] Permission authorization
  • [missing] A user can have a specific permission

Solution

TBD

Workaround

Create more roles.

admin:
admin:thing1
admin:thing2
admin:thing3

Related

May be partially or fully resolved by issue #881

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

Describe the bug
As written in the documentation, the search is a GET method: https://fusionauth.io/docs/v1/tech/apis/users#search-for-users

The PHP client is using POST method: https://github.com/FusionAuth/fusionauth-php-client/blob/master/src/FusionAuthClient.php#L1729-L1734

To Reproduce
Just use searchUsersByQueryString

Expected behavior
Should work and return a user list :D

Screenshots

Hello.I have setup a fusion auth server on port 9011.

I have created a user with default tenant

I am trying to use postman to login.
I send a post request to localhost:9011/api/login
In the body I pass the loginId and the password however when I press send I get the above error.

Any ideas how this could be solved?

Don't think thats the correct subtitle for this step in the upgrade process.

As you explained, we can search by user data like data.Foo: Bar.
Could add this in the documentation?

Also, how can I search user data from a specific application? Since we can register user data for each application, how could I find those data?

Release notes and product info in the FusionAuth UI

Problem

It would be nice to see what is new in the product and what was fixed, added etc.

Solution

Possible solution, add release notes to the System -> About -> Product.

When I log in, maybe show a "What's new" - with links to tutorials, or features? Or simply add the release notes somewhere.

Alternatives/workarounds

A clear and concise description of any alternative solutions or workarounds you've considered.

Additional context

Add any other context or screenshots about the feature request here.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

Social Login

Problem

In order to reduce friction during user acquisition, allowing a potential user to authenticate or register using an existing set of credentials such as Facebook, Google or LinkedIn can increase user adoption.

Solution

To allow a flexible solution that supports using social login on the FusionAuth OAuth login, through a Login API, or an SPA using a JavaScript widget - a comprehensive solution is required.

Proposed initial provider support:

• Facebook
• Google
• Twitter
• OpenID Connect (Generic)

Possible additional providers:

• Instagram
• LinkedIn
• GitHub
• Microsoft 365
• Amazon
• MySpace (ha, just kidding)

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

Retrieving a user by specified keys are being ignored when a JWT cookie is available.

Description

I installed version 1.2.1
https://fusionauth.io/docs/v1/tech/apis/users#retrieve-a-user
When trying to retrieve User endpoints such as below, they only return the user profile of the JWT cookie user; they do not return the user profile of the requested user key:
/api/user/{userId}
/api/user?loginId={loginId}
/api/user?email={email}
/api/user?username={username}

Steps to reproduce

Steps to reproduce the behavior:

1. Authenticate using /api/login using your API client. I use Insomnia app.

> POST /api/login HTTP/1.1
> Host: xxx.xxx.xxx.xxx:9011
> User-Agent: insomnia/6.2.0
> Content-Type: application/json
> X-Forwarded-For: ::
> X-FusionAuth-TenantId: <My Tenant Uuid>
> Accept: */*
> Content-Length: 268
| {
| 	"loginId": "user1",
| 	"password": "password",
| 	"ipAddress": "127.0.0.1",
| 	"device": "XXX",
| 	"metaData": {
| 		"device": {
| 			"description": "Insomnia App",
| 			"lastAccessedAddress": "127.0.0.1",
| 			"name": "Insomnia",
| 			"type": "OTHER"
| 		}
| 	}
| }
< HTTP/1.1 212 access_token="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1NDI4NTk4MzIsImlhdCI6MTU0Mjg1NjIzMiwiaXNzIjoiMTcyLjE2LjAuMjIyOjkwMTEiLCJzdWIiOiJlNWZiNmE5Ny01ZWFmLTRjZjMtODJhYy1mNDMzOWUyM2NkNzAiLCJhdXRoZW50aWNhdGlvblR5cGUiOiJQQVNTV09SRCIsImVtYWlsIjoidXNlcjFAcmVkZmxhZ2dyb3VwLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZX0._kUQmTKFdG1PoO1BOm9F6Sk_L7k34R83hQSDodMHqbU" for domain xxx.xxx.xxx.xxx, path /, expire 0
< Set-Cookie: access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1NDI4NzQ2NDQsImlhdCI6MTU0Mjg3MTA0NCwiaXNzIjoiMTcyLjE2LjAuMjIyOjkwMTEiLCJzdWIiOiI1NDcyYzU3MC0zOTJiLTQxOTYtYTdmNC0xYzg4Yjc0NDEwNzEiLCJhdXRoZW50aWNhdGlvblR5cGUiOiJQQVNTV09SRCIsImVtYWlsIjoiZnVzaW9uYXV0aEBtYWlsbmVzaWEuY29tIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlfQ.SaVgDC9xCM154crNCnOSGVG7qoR5BOkpblaZz1tSeo8; Path=/; HttpOnly
< Content-Type: application/json;charset=UTF-8
< Content-Length: 907
< Date: Thu, 22 Nov 2018 07:17:24 GMT

* Received 833 B chunk
* Connection #3 to host xxx.xxx.xxx.xxx left intact
* Saved 1 cookie

2. Retrieve user by Id /api/user/25a872da-bb44-4af8-a43d-e7bcb5351ebc; It doesn't have to be an existing User UUID. Your API Client should be sending the token cookie automatically.

> GET /api/user/25a872da-bb44-4af8-a43d-e7bcb5351ebc HTTP/1.1
> Host: xxx.xxx.xxx.xxx:9011
> User-Agent: insomnia/6.2.0
> Cookie: access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1NDI4NzQ2NDQsImlhdCI6MTU0Mjg3MTA0NCwiaXNzIjoiMTcyLjE2LjAuMjIyOjkwMTEiLCJzdWIiOiI1NDcyYzU3MC0zOTJiLTQxOTYtYTdmNC0xYzg4Yjc0NDEwNzEiLCJhdXRoZW50aWNhdGlvblR5cGUiOiJQQVNTV09SRCIsImVtYWlsIjoiZnVzaW9uYXV0aEBtYWlsbmVzaWEuY29tIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlfQ.SaVgDC9xCM154crNCnOSGVG7qoR5BOkpblaZz1tSeo8
> X-Forwarded-For: ::
> X-FusionAuth-TenantId: <My Tenant Uid>
> Authorization: <My API Key>
> Accept: */*
< HTTP/1.1 200 
< Content-Type: application/json;charset=UTF-8
< Content-Length: 553
< Date: Thu, 22 Nov 2018 07:21:18 GMT

* Received 553 B chunk
* Connection #36 to host 172.16.0.222 left intact
{
  "user": {
    "active": true,
    "birthDate": "1914-11-21",
    "email": "[email protected]",
    "expiry": 1543507200000,
    "firstName": "Mail",
    "fullName": "Mail Nesia",
    "id": "5472c570-392b-4196-a7f4-1c88b7441071",
    "insertInstant": 1542768797248,
    "lastLoginInstant": 1542871044096,
    "lastName": "Nesia",
    "mobilePhone": "+85254000455",
    "passwordChangeRequired": false,
    "passwordLastUpdateInstant": 1542769401224,
    "tenantId": "e360a05d-ef17-4336-a82f-b3e69320d036",
    "twoFactorDelivery": "TextMessage",
    "twoFactorEnabled": true,
    "username": "fusionauth",
    "usernameStatus": "ACTIVE",
    "verified": false
  }
}

3. Look at the response body. It returns the user profile of the JWT owner, not 404 or the profile of the specified UUID.

Expected behavior

The API should return the user profile of the specified key -- uuid, loginId, email, username, etc.

Screenshots

No screenshots. I've already sent the detailed HTTP communication.

Platform

• Device: Desktop and Laptop
• OS: OS: Windows 10 (Client), Ubuntu 18.10 (Server)
• Insomnia 6.2.0

Additional context

It seems that the path or request arguments are being ignored when a JWT cookie exists.

Problem
Developers building applications natively in Python. Currently because there is not a native library for Python, developers will need to use a third party REST client.

Solution
Provide a FusionAuth client library written in Python to provide native bindings for Python/Flask developers.

I am already stuck...

Query OK, 0 rows affected (0.00 sec)

mysql> drop database fusionauth;
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON *.* TO 'fusionauth'@'%' WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;

```mysql> CREATE USER 'fusionauth'@'localhost' IDENTIFIED BY 'CMuIi_Fp2ub4Aqpk4r6I6vuRMmCTvbFBbwObHrHjEwg';
Query OK, 0 rows affected (0.00 sec)

mysql> drop database fusionauth;
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON *.* TO 'fusionauth'@'localhost' WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)```

Add ability to delete refresh tokens using various criteria

Problem

In some cases, an admin might want to delete all the refresh tokens globally, per application, per tenant, or per user. Currently, the API only supports per application, per user or per token. Additionally, the UI only supports per token.

Solution

Add the additional API criteria so that refresh tokens can be deleted by tenant id or globally. Also, build out a page that allows an admin to delete refresh tokens with any of these criteria.

• ✅ Delete a single refresh token by token value
• ✅ Delete a single refresh token by token primary key
• ✅ Delete all refresh tokens for a single user
• ✅ Delete all refresh tokens for an Application via API
• Delete all refresh tokens by tenant via API
• Delete all refresh tokens by tenant via UI
• Delete all refresh tokens by application in the UI

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

UI tile issues on Windows

Description

See attached screenshot. The tile used in the Identity Providers and Integration configuration panels is showing a scroll bar or something when viewed on Chrome on Windows.

Describe the bug
When saving an Application in the administration area, it removes the 'data' property from the Application entity.

To Reproduce
Steps to reproduce the behavior:

1. Add user data to an Application object using the API.
2. Edit the Application using the interface (e.g. change the name)
3. Query the API for the Application object
4. See that the 'data' property is missing

Expected behavior
The administration interface should merge the changes with the existing entity.

Desktop (please complete the following information):

• OS: Windows 10
• Browser: Chrome
• Version 69.0.3497.100

Add an expiration column to the session table in the manage user UI

Problem

An administrator is unable to know when the token is set to expire.

Solution

Show the created and expiration times in the sessions table.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

Secure email change and multiple identities

Problem

Allowing just anyone to change your email address without adequate confirmation from both the current email address owner and the new email address owner - hopefully they are the same person - can be a huge security risk.

Solution

To properly handle modifying your email address the existing email address used for login must continue to work for authentication, and the owner of the email address must be notified of the change and allow it to be reversed or not approved at all.

There are many complexities to this problem that need to be solved correctly to ensure a secure transition from one email address to another.

Solution Details

The current design we have will allow for multiple emails per user to account which means the user may have a primary and one-to-many secondary email addresses. The user can then authenticate with a primary email address while a secondary one has been added and perhaps not yet verified during a change email workflow.

Account Takeover Scenarios

One of the use cases will be to protect against account takeover. The following are some examples of account takeover techniques.

Un-verified Email address

The lesson here is that unless you verify that a user owns the email address it can potentially be used for account takeover.

1. A 3rd party application such as coolonlinegamestore.com allows users to sign up with email
2. coolonlinegamestore.com does not require email addresses to be verified.
3. Johnny Hacker signs up for coolonlinegamestore.com with an email address of [email protected].
4. A user with email address [email protected] already exists in FusionAuth.
5. FusionAuth has enabled an OpenID Connect IdP to allow users to login with their coolonlinegamestore.com account.
6. Johnny Hacker logs into an application using FusionAuth as the IdP using the "Login with Cool Online Game Store" button.
7. Johnny Hacker proceeds to log into coolonlinegamestore.com with his email address of [email protected].
8. The token is returned to FusionAuth which contains an email claim of [email protected].
9. FusionAuth looks up this user by email which is globally unique within a FusionAuth tenant and completes login for Johnny Hacker.

Johnny Hacker does not yet known the password for [email protected] in FusionAuth but if the application allows the user to modify the password or email he can now completely take over the account. At a minimum he has logged into the application managed by FusionAuth as [email protected].

Non unique loginId

The lesson here is that any "login identifier" that is not globally unique can be potentially used for account takeover. In this example we'll utilize a username as it is the most common example.

FusionAuth is not currently susceptible to this attack because we do not allow the username to be set during a reconcile Lambda or used as the unique identifier during an IdP reconcile. We have discussed removing this limitation because it also limits legitimate use cases where the user of the lambda and IdP can guarantee the uniqueness of the username within a specific domain.

This feature will aim to support a non-unique "login identifier" and provide adequate controls to utilize it safely with external identity providers.

1. A 3rd party application such as coolonlinegamestore.com allows users to sign up with a username.
2. Johnny Hacker signs up for coolonlinegamestore.com with an email address of jared.
3. A user with a username of jared already exists in FusionAuth.
4. FusionAuth has enabled an OpenID Connect IdP to allow users to login with their coolonlinegamestore.com account.
5. Johnny Hacker logs into an application using FusionAuth as the IdP using the "Login with Cool Online Game Store" button.
6. Johnny Hacker proceeds to log into coolonlinegamestore.com with his username of jared.
7. The token is returned to FusionAuth which contains a preferred_username claim of jared.
8. FusionAuth looks up this user by username which is globally unique with a FusionAuth tenant and completes login for Johnny Hacker.

In this example, the account takeover may have been malicious, or it may be a username collision.

Johnny Hacker does not yet known the password for jared in FusionAuth but if the application allows the user to modify the password, username or email he can now completely take over the account. At a minimum he has logged into the application managed by FusionAuth as jared.

Self-service account management

This feature will also impact our self-service account management pages. We should ensure that all of the use cases are covered there including updates to email address, username, MFA, and password.

Related Issues

• Reconcile Lambda not allowed to set user.username #698. We could potentially allow a free form identity type to allow a name space to be declared where a username is unique. For example, if we allowed a Twitter namespace to be declared, then we could allow the Twitter username to be used to reconcile an identity of type Twitter.
• Connect social media accounts to a FusionAuth user w/ a different email address. #751

New identity types

Since this feature requires significant changes to our identity modeling, supporting new identity types seems like a good fit to include as well. Currently, FusionAuth supports emails and usernames for identities. Additional identity types might include:

• Phone number (mobile likely)
• Government id
• Secure id
• Certificate/token
• None (just an id)

By adding the ability to have different identity types and verification and validation for each, FusionAuth can handle a wide array of use cases.

Related

• #208
• #751 (comment)
• #1638
• #1874
• #1552

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

Is your feature request related to a problem? Please describe.
We provide refresh token to our clients that consume our API. Our customer care have a tool to generate token from our Slack directly. But sometimes, they loose the token because they move their website to another provider, or our QA team needs to test something with their credentials, etc... It could be helpful if we could have a button in the session tab to display the refresh token.

It is not a blocker since if we run the command to generate the refresh token, it will provide the same one already generated, but it would be a nice to have in the interface.

Describe the solution you'd like
Same solution than login form, we could display a icon that would display the token

Describe alternatives you've considered
The only question I am wondering is about security. Is it ok, for security reasons, to be able to display this token? Or it should be strictly not allowed to do it?

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

Is your feature request related to a problem? Please describe.
In the future, we would like to monetize our API and also control the usage of our clients / partners.
In order to do those features, we are slowly looking at solutions to setup limit / quotas for each client.
A limit could be 30 calls per minutes when the quotas could be 50 000 calls per months.

Describe the solution you'd like
I was wondering if we could use the JWT validation endpoint to record this hit and we could base the limit quota on it. It does look really good since a JWT is self contained and we can validate the token without calling this endpoint.
And a hit to this endpoint does not mean there is a hit to our API....

Maybe it is designed for that right now, but since it is about the security, it is not totally illogic to have something like this in FusionAuth?
Let me know what you think.

Describe alternatives you've considered
We had a look to APIGee https://apigee.com that provides this kind of services.

Login with Instagram

Problem

The problem is I can't login to FusionAuth with Instagram. :-)

Solution

Add the ability to login with Instagram.

Alternatives/workarounds

This probably works today using the OpenID Connect IdP type.

Additional context

• https://api.instagram.com/oauth/authorize
• https://api.instagram.com/oauth/access_token
• https://developers.facebook.com/docs/instagram-basic-display-api/guides/getting-profiles-and-media

https://developers.facebook.com/docs/instagram-basic-display-api/guides

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

if there was the option alongside every auth, to have a pre-translated and cleaned up and stripped simple API for the app that's being authed... that would be fantastic.

instead of just logging into all the sites easily
also, have for every site .. component... let's call it.
a wrapped package containing all the important API calls from the auth'd service
that we could one-click download similar to an NPM package,
except that it goes with your software, and we could basically have an app store with a list of all the sites that are auth'd, and we click on that site, can read a brief description, and with one click, add the auth, as well as a cleaned up standardized API set to our collection.

I'm sure community members would love that and contribute "modules" that you standardized the format of.... to all their favorite sites .. I know I would pack up and make all the boilerplate API calls entered and translated to shortcode for what I use.. and if you made the packages extendable and adaptable, so that there would be the absolute shortcodes for the absolute APIs at most sites, but also, leave room for co9nsumers to add in their own translations easily for cases of R.A.D. platforms, like Zoho creator, caspio, etc... where there are possibilities ..

so, have full components for the rigid sites that are going to have the same API calls for 10 years... like Gmail... but also leave the room so people can download components and have them be extensible...

each component being made up of an auth package for the site in one partition of the component, the solidified permanent API translation to fusionspeak, and the freedom to add extra shortcode that would generate the API call for that site based on criteria fed to it (IE: Zoho creator..... need an app name, a form name, a field name, then your generator makes the API call and links it to the shortcode)..

then you'd end up being THE site to go to for developers.. I know this because it's what I'm trying to find... and I've been looking and researching for that simple solution for 2 months now.

1 sign on, all the sites logged in, and all the sites APIs in one standard. open source and community driven..

give people a free 10 users/year free for each module they build that you approve and add to the system.

you just need to build the modular framework and set the guidelines and build a couple templates, a basic app gallery profile page with a list of what apps are included (community would contribute the documentation of each shortcode)... and bam...we can all integrate sites login as well as their apps with just one module pick from your catalogue, and it goes in our collection to use and share with our tenants based on their access levels... .. throw on a Redis cache for our app to hold the non-sensitive data, use fusion to hold encrypted user data like their names, etc.. and all that fusion does provide us with the modules, I'm sure we'd pay to rent or buy certain modules, take them and put them on our own self-hosted servers...

there's a lot of fantastic that could come of this.

Describe the bug
In my interface: 11/9/2018 05:17 PM GST
I think only US use this format no?
I defined my timezone to Asia/Dubai, but we do not use this format here
Could we define the format according to the timezone?

To Reproduce

Expected behavior
2018/11/09 05:17 PM GST

Screenshots

CORS blocks API requests when the X-FusionAuth-TenantId header is present

Description

I installed version 1.2.1
https://fusionauth.io/docs/v1/tech/reference/cors
The documentation says that the URL pattern /api/* is allowed through the CORS filter.
But when I started integrating my ReactJS front-end application, the console/network tab shows "Cross-Origin Request Blocked".

Steps to reproduce

Steps to reproduce the behavior:

1. Open your browser and keep the developer tools/console tab open.
2. Try to send a POST request to /api/login from the browser, or from your API client and make sure the Host header is set and is a different origin domain.

fetch('http://172.16.0.222:9011/api/login', {
	mode: 'cors',
	method: 'POST',
	headers: {
		'X-FusionAuth-TenantId': 'e360a05d-ef17-4336-a82f-b3e69320d036',
		'Content-Type': 'application/json'
	},
	body: JSON.stringify('{"loginId":"[email protected]","password":"{{password}}","ipAddress":"127.0.0.1","device":"usadfnjasdnknklrassgdsarag","metaData":{"device":{"description":"Insomnia App","lastAccessedAddress":"127.0.0.1","name":"Insomnia","type":"OTHER"}}}')
})

3. Check the console logs. It will show the CORS error and the OPTIONS request from the Network tab is failing.

Expected behavior

It should not be blocked by CORS. The OPTIONS request should succeed, and then the POST request will be sent, regardless of the response.

Screenshots

Platform

(Please complete the following information)

• Device: Desktop
• OS: Windows 10 (Client), Ubuntu 18.10 (Server)
• Firefox Developer Edition 64.0b10 (64-bit)

Additional context

If there should be more options to be filled in the docker compose config file, please let me know.

iOS Client Library

Problem

Developers building applications natively in iOS will likely be using Objective-C or Swift. Currently because there is not a native library for Swift or Objective-C, developers will need to use a third party REST client or use NSURLSession from the iOS SDK.

Solution

Provide a FusionAuth client library written in Swift to provide native bindings for iOS developers.

Bounty

This issue qualifies for the FusionAuth bounty program. If you can get the Swift client library working, provide a stub and we can build the rest with out template system, see comment below.
https://fusionauth.io/write-for-fusionauth

If you are interested, please contact us using the link provided above and let us know.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

Login with GitHub

Problem

The problem is I can't login to FusionAuth with GitHub. :-)

Solution

Add the ability to login with GitHub.

Alternatives/workarounds

• In version 1.6.0 this will work with the OpenID Connect IdP.
• https://fusionauth.io/docs/v1/tech/identity-providers/openid-connect/github/

Additional context

#134 (comment)

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

Running on Windows Search engine down message

Description

When running on Windows, even though the search engine is running, I receive a message such as

The search engine appears to be down or failing to respond to the search query.

The search engine service is running, but the message indicates otherwise.

Add Password Setup Email in the UI

Problem

If a user has not yet completed password setup, perhaps their email was lost or the verification code has expired.

It would be helpful to find this user in the UI and send them another email.

The same goes for user email verification and registration verification.

Solution

TBD

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

Is there a reason why some registration objects have the timezone variable but others do not?

The API to import users allow us to register each user to many app in a single call with the key user.registrations: https://fusionauth.io/docs/v1/tech/apis/users#import-users

But it is impossible to create a single user with many app in a single call.
Now, we are using the import user API endpoint to create a single user on the fly... but is there something that I missed? Can we have any side effect using import user API to create our new users?

Ruby OmniAuth Strategy for FusionAuth

Problem

I'd like to use Ruby OmniAuth with FusionAuth.

Solution

Add a Ruby OmniAuth Strategy.

https://github.com/omniauth/omniauth
https://github.com/omniauth/omniauth/wiki/List-of-Strategies

Alternatives/workarounds

Manually build the configuration.

Additional context

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

Cannot list users without search arguments

Description

Version 1.2.1
https://fusionauth.io/docs/v1/tech/apis/users#search-for-users
The documentation says that ids and queryString are optional parameters, but when I tried searching for users without arguments just to initially list out my users, it says "You must specify either the [ids], [queryString], [email] or [username] property for a GET request.". I also tried giving a blank argument to the parameters, with no luck. It seem to require at least one character in the query parameter.

Steps to reproduce

Steps to reproduce the behavior:
Just try to do a get request with empty arguments.
/api/user/search?queryString=

> GET /api/user/search?queryString= HTTP/1.1
> Host: 172.16.0.222:9011
> User-Agent: insomnia/6.2.0
> Authorization: vFbrYlghPb2xTGPFZeB5lp-izv21IUrdmCBDXJilLgE
> Accept: */*
< HTTP/1.1 400 
< Content-Type: application/json;charset=UTF-8
< Content-Length: 152
< Date: Thu, 22 Nov 2018 04:04:29 GMT
< Connection: close

{
  "generalErrors": [
    {
      "code": "[invalid]",
      "message": "You must specify either the [ids], [queryString], [email] or [username] property for a GET request."
    }
  ]
}

Expected behavior

I should be able to receive a list of users, without any filters supplied.

Screenshots

No screenshots. Just normal HTTP logs.

Platform

• Device: Desktop
• OS: Windows 10 (Client), Ubuntu 18.10 (Server)
• Firefox Developer Edition 64.0b10 (64-bit)

Additional context

Add any other context about the problem here.

Describe the bug
When JSON is sent to FusionAuth that is malformed or invalid (like it sends an array instead of an object), FusionAuth errors out with a 500 response.

Expected behavior
FusionAuth should instead return a 400 and provide as much detail as possible about the malformed or invalid JSON.

Describe the bug
Classes should loaded by composer without extra config from the app that use your library.

To Reproduce

Expected behavior
From composer.json:

"autoload": {
        "psr-4": { "fusionauth\\": "src/" }
    },

should work.

Otherwise, a simple mapping like:

"autoload": {
        "classmap": [
            "src/FusionAuthClient.php",
            "src/ClientResponse.php",
            "src/RESTClient.php"
        ]
    },

will work fine.

Support for Passwordless Authentication

Problem

We don't want the user to remember another password, therefore we want to support "passwordless" authentication. The user enter his E-Mail address as the login credential and receives a mail with a link (including a secret token), if the click that link, the token is checked by FusionAuth and then you will be redirected to the application with e.g. the resulting JWT.

Solution

We would also support you by implementing this feature request as a plugin, but as far as we've seen this is not yet possible with the current plugin-architecture.

Alternatives/workarounds

Another option would be to implement it directly as another "provider".

Additional context

See other projects like:

• https://passwordless.net/
• https://github.com/PwdLess/Cierge

Login with Microsoft

Problem

The problem is I can't login to FusionAuth with Microsoft. :-)

Solution

Add the ability to login with Microsoft.

Alternatives/workarounds

It seems that Microsoft also supports OpenID Connect, so this may work today using the generic OpenID Connect identity provider. https://fusionauth.io/docs/v1/tech/identity-providers/openid-connect

Additional context

https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-openid-connect-code

Related

• #222
• #2501

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

Is your feature request related to a problem? Please describe.
My application uses a multi-tenant architecture. However, compared to FusionAuth, it's "inverted". This means that in my situation, users are not part of a tenant, but rather, one single user can be part of multiple tenants simultaneously.

In the pre-FusionAuth situation, the tenant ID was part of the JWT. When a user switched to a different tenant, they would receive a new JWT with the new tenant ID (and the JWT would be resigned and valid). Subsequent API calls are therefore automatically executed in the context of the (new) tenant.

Describe the solution you'd like
I would like to be able to add a single existing user to one or more tenants ("inverting" the relationship between tenants and users, compared to the current implementation). I would also like the option to query the API for tenants that the currently logged in user belongs to, so I can show a list of available tenants to my users.

Describe alternatives you've considered
I have been toying with using groups as a workaround, and I came quite far with this approach. However, there is no way to add a custom claim to the JWT in which I can place the "current tenant ID". A solution for this could be to add an option to the JWT settings, which would cause the JWT generator to insert the user data object to the JWT. I could then use the user data object to store the "current tenant ID".

Additional context
None.

External Auth for Envoy Proxy

Problem

Support external auth for Envoy Proxy similar to how FusionAuth already supports Apache External Auth. ( https://github.com/FusionAuth/fusionauth-mod-authnz-external )

Solution

Envoy Proxy does support external auth HTTP filters, in theory we can just write some configuration and perhaps utilize and existing API.

See the following documentation for external filters:
https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/ext_authz_filter
https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/jwt_authn_filter

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

Why is there a difference between the Application object when retrieving one Application vs. retrieving all.

"One Application"

"All the Applications"